From 277f55cfc64bef4584159ac5368b643f0e82ef8c Mon Sep 17 00:00:00 2001 From: stevesk Date: Sun, 21 Jul 2002 17:57:01 +0000 Subject: [PATCH] - (stevesk) [auth-pam.c] merge rest of solar's PAM patch; PAM_NEW_AUTHTOK_REQD remains in #if 0 for now. --- ChangeLog | 2 ++ auth-pam.c | 24 +++++++++++++++++++++++- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 8dabafcd..b69c350e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20020721 - (stevesk) [auth-pam.c] merge cosmetic changes from solar's openssh-3.4p1-owl-password-changing.diff + - (stevesk) [auth-pam.c] merge rest of solar's PAM patch; + PAM_NEW_AUTHTOK_REQD remains in #if 0 for now. 20020720 - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng(). diff --git a/auth-pam.c b/auth-pam.c index ff9dc0e6..f1830929 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -29,6 +29,7 @@ #include "xmalloc.h" #include "log.h" #include "auth.h" +#include "auth-options.h" #include "auth-pam.h" #include "servconf.h" #include "canohost.h" @@ -36,10 +37,14 @@ extern char *__progname; +extern int use_privsep; + RCSID("$Id$"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now." +#define NEW_AUTHTOK_MSG_PRIVSEP \ + "Your password has expired, the session cannot proceed." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -254,9 +259,14 @@ int do_pam_account(char *username, char *remote_user) break; #if 0 case PAM_NEW_AUTHTOK_REQD: - message_cat(&__pam_msg, NEW_AUTHTOK_MSG); + message_cat(&__pam_msg, use_privsep ? + NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; + /* disallow other functionality for now */ + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; break; #endif default: @@ -335,11 +345,23 @@ void do_pam_chauthtok(void) do_pam_set_conv(&conv); if (password_change_required) { + if (use_privsep) + fatal("Password changing is currently unsupported" + " with privilege separation"); pamstate = OTHER; pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (pam_retval != PAM_SUCCESS) fatal("PAM pam_chauthtok failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); +#if 0 + /* XXX: This would need to be done in the parent process, + * but there's currently no way to pass such request. */ + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; + if (!no_port_forwarding_flag && options.allow_tcp_forwarding) + channel_permit_all_opens(); +#endif } } -- 2.45.2