- (dtucker) [auth-pam.c] Do PAM chauthtok during SSH2 keyboard-interactive
authordtucker <dtucker>
Thu, 18 Dec 2003 04:34:31 +0000 (04:34 +0000)
committerdtucker <dtucker>
Thu, 18 Dec 2003 04:34:31 +0000 (04:34 +0000)
   authentication.  Partially fixes bug #423.  Feedback & ok djm@

Some background on why this is the way it is:
* Solaris 8's pam_chauthtok ignores the CHANGE_EXPIRED_AUTHTOK flag, so
  we must call do_pam_account() to figure out if the password is expired.
* AIX 5.2 does not like having pam_acct_mgmt() called twice, once from the
  authentication thread and once from the main shell child, so we cache the
  result, which must be passed from the authentication thread back to the
  monitor.

ChangeLog
auth-pam.c

index 40019b4171b726ef0ee7264e15f23152fc9cd170..c08bad735941da36498b0d588436cb8509fe2c1a 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 20031218
  - (dtucker) [configure.ac] Don't use setre[ug]id on DG-UX, from Tom Orban.
+ - (dtucker) [auth-pam.c] Do PAM chauthtok during SSH2 keyboard-interactive
+   authentication.  Partially fixes bug #423.  Feedback & ok djm@
 
 20031217
  - (djm) OpenBSD CVS Sync
index f27404fa2215075b628760566b31829a7fc69912..8e7f1e1de582e1f827634acbb94ee34a0a222500 100644 (file)
@@ -53,6 +53,7 @@ RCSID("$Id$");
 
 extern ServerOptions options;
 extern Buffer loginmsg;
+extern int compat20;
 
 #define __unused
 
@@ -118,6 +119,7 @@ static int sshpam_authenticated = 0;
 static int sshpam_new_authtok_reqd = 0;
 static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
 
 struct pam_ctxt {
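Review bot: `static int sshpam_account_status = -1;` introduces a three-valued sentinel without saying what the values mean; the only explanation is in the commit message. A one-line comment on the declaration, `/* cached pam_acct_mgmt result: -1 not yet called, 0 failed, 1 ok (see do_pam_account) */`, keeps the contract next to the variable. The 0 and 1 values are the ones do_pam_account stores in the last hunk of this commit, and -1 is the only value its early-return check looks for.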
@@ -144,6 +146,21 @@ pam_getenvlist(pam_handle_t *pamh)
 }
 #endif
 
+void
+pam_password_change_required(int reqd)
+{
+       sshpam_new_authtok_reqd = reqd;
+       if (reqd) {
+               no_port_forwarding_flag |= 2;
+               no_agent_forwarding_flag |= 2;
+               no_x11_forwarding_flag |= 2;
+       } else {
+               no_port_forwarding_flag &= ~2;
+               no_agent_forwarding_flag &= ~2;
+               no_x11_forwarding_flag &= ~2;
+
+       }
+}
 /* Import regular and PAM environment from subprocess */
 static void
 import_environments(Buffer *b)
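Review bot: The bit `2` that pam_password_change_required sets and clears on the three forwarding flags is no longer explained anywhere, because the commit drops the old `/* Prevent forwardings until password changed */` comment from do_pam_account. Restoring that comment above the `if (reqd)` branch, with a note that the `else` branch clears exactly that bit, would keep the intent readable. Two layout points in the same function: the stray blank line inside the `else` block before its closing brace, and the missing blank line between the function's closing brace and the `/* Import regular and PAM environment from subprocess */` comment that follows it. The function is non-static, so it presumably needs a prototype in the PAM header; that header is not part of this diff.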
@@ -152,6 +169,10 @@ import_environments(Buffer *b)
        u_int i, num_env;
        int err;
 
+       /* Import variables set by do_pam_account */
+       sshpam_account_status = buffer_get_int(b);
+       pam_password_change_required(buffer_get_int(b));
+
        /* Import environment from subprocess */
        num_env = buffer_get_int(b);
        sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env));
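Review bot: The two reads added at the top of import_environments work only because they are in exactly the same order as the two `buffer_put_int` calls in the sshpam_thread hunk, and nothing at either site says so. A comment such as `/* order must match the export in sshpam_thread() */` next to the reads (and its mirror next to the writes) would protect against one side being edited without the other. Note also that `sshpam_account_status` is an `int` filled from `buffer_get_int`; the -1 sentinel survives the round trip through the unsigned buffer value, but any value other than 0 or 1 would be cached and returned verbatim by do_pam_account. The remainder of import_environments lies outside the hunk.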
@@ -290,9 +311,26 @@ sshpam_thread(void *ctxtp)
        sshpam_err = pam_authenticate(sshpam_handle, 0);
        if (sshpam_err != PAM_SUCCESS)
                goto auth_fail;
+
+       /* if (compat20) { */
+               if (!do_pam_account())
+                       goto auth_fail;
+               if (sshpam_new_authtok_reqd) {
+                       sshpam_err = pam_chauthtok(sshpam_handle,
+                           PAM_CHANGE_EXPIRED_AUTHTOK);
+                       if (sshpam_err != PAM_SUCCESS)
+                               goto auth_fail;
+                       pam_password_change_required(0);
+               }
+       /* } */
+
        buffer_put_cstring(&buffer, "OK");
 
 #ifndef USE_POSIX_THREADS
+       /* Export variables set by do_pam_account */
+       buffer_put_int(&buffer, sshpam_account_status);
+       buffer_put_int(&buffer, sshpam_new_authtok_reqd);
+
        /* Export any environment strings set in child */
        for(i = 0; environ[i] != NULL; i++)
                ; /* Count */
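Review bot: The `compat20` guard around the new account/chauthtok block is left commented out (`/* if (compat20) { */` ... `/* } */`), so the block runs unconditionally while being indented as if it were conditional, and the `extern int compat20;` added earlier in this commit is referenced by nothing. Either enable the guard or remove the comment pair, the extra indentation level and the extern, so that the declarations and the control flow agree. If the intent is that SSH1 connections must not take this path, the check is currently missing rather than merely disabled. The body of sshpam_thread continues on both sides of this hunk.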
@@ -611,22 +649,22 @@ finish_pam(void)
 u_int
 do_pam_account(void)
 {
+       if (sshpam_account_status != -1)
+               return (sshpam_account_status);
+
        sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
        debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
-
-       if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
-               return (0);
-
-       if (sshpam_err == PAM_NEW_AUTHTOK_REQD) {
-               sshpam_new_authtok_reqd = 1;
-
-               /* Prevent forwardings until password changed */
-               no_port_forwarding_flag |= 2;
-               no_agent_forwarding_flag |= 2;
-               no_x11_forwarding_flag |= 2;
+       
+       if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
+               sshpam_account_status = 0;
+               return (sshpam_account_status);
        }
 
-       return (1);
+       if (sshpam_err == PAM_NEW_AUTHTOK_REQD)
+               pam_password_change_required(1);
+
+       sshpam_account_status = 1;
+       return (sshpam_account_status);
 }
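Review bot: The early return on a cached `sshpam_account_status` is the AIX 5.2 workaround from the commit message (pam_acct_mgmt must not be called twice), but the function body does not say so; a comment above the `if (sshpam_account_status != -1)` check, `/* pam_acct_mgmt is called at most once; later calls return the cached result */`, would carry that reasoning into the code. A side effect of the cache is that the `debug3` line is emitted only on the first call, which may surprise someone tracing a later one. The blank line that replaces the removed one after the debug3 call now carries trailing whitespace.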
 
 void