- pamstate = INITIAL_LOGIN;
- pam_retval = do_pam_authenticate(
- options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
- if (pam_retval == PAM_SUCCESS) {
- debug("PAM Password authentication accepted for "
- "user \"%.100s\"", pw->pw_name);
- return 1;
- } else {
- debug("PAM Password authentication for \"%.100s\" "
- "failed[%d]: %s", pw->pw_name, pam_retval,
- PAM_STRERROR(__pamh, pam_retval));
- return 0;
+ if (sshpam_authctxt == NULL)
+ fatal("%s: PAM authctxt not initialized", __func__);
+
+ buffer_init(&buffer);
+ sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+ (const void *)&sshpam_conv);
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+ sshpam_err = pam_authenticate(sshpam_handle, flags);
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+
+ if (compat20) {
+ if (!do_pam_account())
+ goto auth_fail;
+ if (sshpam_authctxt->force_pwchange) {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+ sshpam_password_change_required(0);
+ }
+ }
+
+ buffer_put_cstring(&buffer, "OK");
+
+#ifndef UNSUPPORTED_POSIX_THREADS_HACK
+ /* Export variables set by do_pam_account */
+ buffer_put_int(&buffer, sshpam_account_status);
+ buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
+
+ /* Export any environment strings set in child */
+ for(i = 0; environ[i] != NULL; i++)
+ ; /* Count */
+ buffer_put_int(&buffer, i);
+ for(i = 0; environ[i] != NULL; i++)
+ buffer_put_cstring(&buffer, environ[i]);
+
+ /* Export any environment strings set by PAM in child */
+ env_from_pam = pam_getenvlist(sshpam_handle);
+ for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
+ ; /* Count */
+ buffer_put_int(&buffer, i);
+ for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
+ buffer_put_cstring(&buffer, env_from_pam[i]);
+#endif /* UNSUPPORTED_POSIX_THREADS_HACK */
+
+ /* XXX - can't do much about an error here */
+ ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
+ buffer_free(&buffer);
+ pthread_exit(NULL);
+
+ auth_fail:
+ buffer_put_cstring(&buffer,
+ pam_strerror(sshpam_handle, sshpam_err));
+ /* XXX - can't do much about an error here */
+ ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+ buffer_free(&buffer);
+ pthread_exit(NULL);
+
+ return (NULL); /* Avoid warning for non-pthread case */
+}
+
+void
+sshpam_thread_cleanup(void)
+{
+ struct pam_ctxt *ctxt = cleanup_ctxt;
+
+ debug3("PAM: %s entering", __func__);
+ if (ctxt != NULL && ctxt->pam_thread != 0) {
+ pthread_cancel(ctxt->pam_thread);
+ pthread_join(ctxt->pam_thread, NULL);
+ close(ctxt->pam_psock);
+ close(ctxt->pam_csock);
+ memset(ctxt, 0, sizeof(*ctxt));
+ cleanup_ctxt = NULL;