static pam_handle_t *sshpam_handle = NULL;
static int sshpam_err = 0;
static int sshpam_authenticated = 0;
-static int sshpam_new_authtok_reqd = 0;
static int sshpam_session_open = 0;
static int sshpam_cred_established = 0;
static int sshpam_account_status = -1;
static char **sshpam_env = NULL;
+static int *force_pwchange;
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
pam_password_change_required(int reqd)
{
debug3("%s %d", __func__, reqd);
- sshpam_new_authtok_reqd = reqd;
+ *force_pwchange = reqd;
if (reqd) {
no_port_forwarding_flag |= 2;
no_agent_forwarding_flag |= 2;
no_port_forwarding_flag &= ~2;
no_agent_forwarding_flag &= ~2;
no_x11_forwarding_flag &= ~2;
-
}
}
+
/* Import regular and PAM environment from subprocess */
static void
import_environments(Buffer *b)
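Review bot: `*force_pwchange = reqd;` writes through a file-static pointer that starts out NULL (line 9) and is only assigned when the PAM auth context is created (line 55 in this diff), so a call that reaches this function before that point, or after the PAM context has been torn down, dereferences NULL or a pointer into an Authctxt this file does not own; the global flag it replaces had no such lifetime dependency. A cheap guard makes the failure explicit instead of a crash or a stray write: `if (force_pwchange == NULL) fatal("%s: PAM context not initialised", __func__);` before the assignment (fatal() comes from the same logging header that supplies debug3()). The function's return type and opening line are outside the hunk.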
if (compat20) {
if (!do_pam_account())
goto auth_fail;
- if (sshpam_new_authtok_reqd) {
+ if (*force_pwchange) {
sshpam_err = pam_chauthtok(sshpam_handle,
PAM_CHANGE_EXPIRED_AUTHTOK);
if (sshpam_err != PAM_SUCCESS)
#ifndef USE_POSIX_THREADS
/* Export variables set by do_pam_account */
buffer_put_int(&buffer, sshpam_account_status);
- buffer_put_int(&buffer, sshpam_new_authtok_reqd);
+ buffer_put_int(&buffer, *force_pwchange);
/* Export any environment strings set in child */
for(i = 0; environ[i] != NULL; i++)
pam_close_session(sshpam_handle, PAM_SILENT);
sshpam_session_open = 0;
}
- sshpam_authenticated = sshpam_new_authtok_reqd = 0;
+ sshpam_authenticated = 0;
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
}
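Review bot: The rewritten line 49 drops the reset of the password-change flag but leaves `force_pwchange` untouched, so after `pam_end()` and `sshpam_handle = NULL` the module still holds a live alias into the Authctxt that was handed over when the context was created, memory whose lifetime this file does not control. Clearing it alongside the handle, `force_pwchange = NULL;`, keeps the two in step and turns a later stale write into a loud failure rather than a silent one. Whether the flag value itself should be cleared here depends on whether the caller still needs it after cleanup, which is not visible in this hunk; the enclosing function starts outside the hunk.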
ctxt = xmalloc(sizeof *ctxt);
memset(ctxt, 0, sizeof(*ctxt));
+ force_pwchange = &(authctxt->force_pwchange);
+
/* Start the authentication thread */
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno));
pam_strerror(sshpam_handle, sshpam_err));
}
-int
-is_pam_password_change_required(void)
-{
- return (sshpam_new_authtok_reqd);
-}
-
static int
pam_tty_conv(int n, const struct pam_message **msg,
struct pam_response **resp, void *data)
void
do_pam_session(void)
{
+ debug3("PAM: opening session");
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&tty_conv);
if (sshpam_err != PAM_SUCCESS)
return (ret);
}
-void
-print_pam_messages(void)
-{
- /* XXX */
-}
-
char **
fetch_pam_child_environment(void)
{
return 1;
}
+static void
+display_loginmsg(void)
+{
+ if (buffer_len(&loginmsg) > 0) {
+ buffer_append(&loginmsg, "\0", 1);
+ printf("%s\n", (char *)buffer_ptr(&loginmsg));
+ buffer_clear(&loginmsg);
+ }
+}
void
do_authenticated(Authctxt *authctxt)
session_proctitle(s);
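Review bot: `display_loginmsg()` is new and undocumented, and it has a contract worth stating: it prints whatever is in `loginmsg` and then empties it, so with two call sites later in this diff (lines 119 and 138, apparently in the same function) the second call prints only text appended in between. A comment would stop someone "fixing" the `buffer_clear()`: `/* Print any pending text in loginmsg and discard it; safe to call repeatedly, later calls print only text appended since. */`. Separately, `printf("%s\n", ...)` stops at the first NUL, so a message containing an embedded NUL is silently truncated; `fwrite(buffer_ptr(&loginmsg), 1, buffer_len(&loginmsg), stdout)` followed by `putchar('\n')` would avoid both the NUL append and the truncation if that ever matters.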
#if defined(USE_PAM)
- if (options.use_pam) {
+ if (options.use_pam)
do_pam_setcred(1);
- if (is_pam_password_change_required())
- packet_disconnect("Password change required but no "
- "TTY available");
- }
#endif /* USE_PAM */
/* Fork the child. */
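Review bot: The `packet_disconnect("Password change required but no TTY available")` refusal is removed from do_authenticated and nothing in this hunk replaces it, so an expired-password session that requested no pty now proceeds into the fork/exec path rather than being rejected here. If the no-TTY case is handled where the password change is actually performed (the session code around the `do_pam_chauthtok()` call, or a routine not in this diff), a one-line comment here would save the next reader the search, e.g. `/* forced password change, incl. the no-TTY refusal, is handled in the session child */`; if it is not, the check needs to come back somewhere before the command is executed. The enclosing function ends outside the hunk.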
* If password change is needed, do it now.
* This needs to occur before the ~/.hushlogin check.
*/
- if (options.use_pam && is_pam_password_change_required()) {
- print_pam_messages();
+ if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) {
+ display_loginmsg();
do_pam_chauthtok();
+ s->authctxt->force_pwchange = 0;
/* XXX - signal [net] parent to enable forwardings */
}
#endif
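Review bot: The new condition `options.use_pam && !use_privsep && s->authctxt->force_pwchange` skips the forced password change entirely under privilege separation, and the hunk does not show where the privsep case is handled; since privsep is the common configuration that is the path that matters most. Either document it on the line, `/* with privsep the monitor performs the change: see <location> */` naming the real place, or add the privsep branch so an expired password cannot be accepted without a change. The `XXX` about re-enabling forwardings after the change is carried over unchanged and still applies. The enclosing function starts and ends outside the hunk.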
if (check_quietlogin(s, command))
return;
-#ifdef USE_PAM
- if (options.use_pam && !is_pam_password_change_required())
- print_pam_messages();
-#endif /* USE_PAM */
-
- /* display post-login message */
- if (buffer_len(&loginmsg) > 0) {
- buffer_append(&loginmsg, "\0", 1);
- printf("%s\n", (char *)buffer_ptr(&loginmsg));
- }
- buffer_free(&loginmsg);
+ display_loginmsg();
#ifndef NO_SSH_LASTLOG
if (options.print_lastlog && s->last_login_time != 0) {