- (stevesk) OpenSSH CVS update:

[openssh.git] / auth-pam.c

diff --git a/auth-pam.c b/auth-pam.c
index 99eab1e396520a0ad2216ec4099e61ea7b75f93f..ea62a774875dcec68058868ea8e35f44d58cb6aa 100644 (file)
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -50,10 +50,26 @@ static const char *pampasswd = NULL;
 static char *pam_msg = NULL;
 
 /* states for pamconv() */
-typedef enum { INITIAL_LOGIN, OTHER } pamstates;
-static pamstates pamstate = INITIAL_LOGIN;
+enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
 /* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
 static int password_change_required = 0;
+/* remember whether the last pam_authenticate() succeeded or not */
+static int was_authenticated = 0;
+
+/* accessor which allows us to switch conversation structs according to
+ * the authentication method being used */
+void pam_set_conv(struct pam_conv *conv)
+{
+       pam_set_item(pamh, PAM_CONV, conv);
+}
+
+/* start an authentication run */
+int do_pam_authenticate(int flags)
+{
+       int retval = pam_authenticate(pamh, flags);
+       was_authenticated = (retval == PAM_SUCCESS);
+       return retval;
+}
 
 /*
  * PAM conversation function.
@@ -163,6 +179,8 @@ int auth_pam_password(struct passwd *pw, const char *password)
        extern ServerOptions options;
        int pam_retval;
 
+       pam_set_conv(&conv);
+
        /* deny if no user. */
        if (pw == NULL)
                return 0;
@@ -174,7 +192,7 @@ int auth_pam_password(struct passwd *pw, const char *password)
        pampasswd = password;
        
        pamstate = INITIAL_LOGIN;
-       pam_retval = pam_authenticate(pamh, 0);
+       pam_retval = do_pam_authenticate(0);
        if (pam_retval == PAM_SUCCESS) {
                debug("PAM Password authentication accepted for user \"%.100s\"", 
                        pw->pw_name);
@@ -249,25 +267,36 @@ void do_pam_session(char *username, const char *ttyname)
 }
 
 /* Set PAM credentials */ 
-void do_pam_setcred()
+void do_pam_setcred(void)
 {
        int pam_retval;
  
        debug("PAM establishing creds");
        pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
        if (pam_retval != PAM_SUCCESS) {
-               fatal("PAM setcred failed[%d]: %.200s", 
-                       pam_retval, PAM_STRERROR(pamh, pam_retval));
+               if(was_authenticated) {
+                       fatal("PAM setcred failed[%d]: %.200s", 
+                               pam_retval, PAM_STRERROR(pamh, pam_retval));
+               } else {
+                       debug("PAM setcred failed[%d]: %.200s", 
+                               pam_retval, PAM_STRERROR(pamh, pam_retval));
+               }
        }
 }
 
+/* accessor function for file scope static variable */
+int pam_password_change_required(void)
+{
+       return password_change_required;
+}
+
 /* 
  * Have user change authentication token if pam_acct_mgmt() indicated
  * it was expired.  This needs to be called after an interactive
  * session is established and the user's pty is connected to
  * stdin/stout/stderr.
  */
-void do_pam_chauthtok()
+void do_pam_chauthtok(void)
 {
        int pam_retval;