- (stevesk) ~/.hushlogin shouldn't cause required password change to

be bypassed.
2000-10-14 13:36:13 +00:00 · 2000-10-14 13:36:13 +00:00 · 092f2effc5
parent f16b9d2773
commit 092f2effc5
4 changed files with 23 additions and 4 deletions
--- a/2
+++ b/2
@ -83,6 +83,8 @@
 - (stevesk) Include config.h in rijndael.c so we define intXX_t and
   u_intXX_t types on all platforms.
 - (stevesk) rijndael.c: cleanup missing declaration warnings.
+ - (stevesk) ~/.hushlogin shouldn't cause required password change to
+   be bypassed.

 20001007
 - (stevesk) Print PAM return value in PAM log messages to aid
--- a/auth-pam.c
+++ b/auth-pam.c
@ -29,7 +29,7 @@
 #include "xmalloc.h"
 #include "servconf.h"

-RCSID("$Id: auth-pam.c,v 1.16 2000/10/14 05:23:11 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.17 2000/10/14 13:36:13 stevesk Exp $");

 #define NEW_AUTHTOK_MSG \
 	"Warning: Your password has expired, please change it now"
@ -261,6 +261,12 @@ void do_pam_setcred()
 	}
 }

+/* accessor function for file scope static variable */
+int pam_password_change_required(void)
+{
+	return password_change_required;
+}
+
 /* 
 * Have user change authentication token if pam_acct_mgmt() indicated
 * it was expired.  This needs to be called after an interactive
--- a/auth-pam.h
+++ b/auth-pam.h
@ -11,6 +11,7 @@ int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
 void do_pam_setcred();
 void print_pam_messages(void);
+int pam_password_change_required(void);
 void do_pam_chauthtok();

 #endif /* USE_PAM */
--- a/session.c
+++ b/session.c
@ -720,6 +720,17 @@ do_login(Session *s)
 	record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
 	    get_remote_name_or_ip(), (struct sockaddr *)&from);

+#ifdef USE_PAM
+	/*
+	 * If password change is needed, do it now.
+	 * This needs to occur before the ~/.hushlogin check.
+	 */
+	if (pam_password_change_required()) {
+		print_pam_messages();
+		do_pam_chauthtok();
+	}
+#endif
+
 	/* Done if .hushlogin exists. */
 	snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir);
 #ifdef HAVE_LOGIN_CAP
@ -730,9 +741,8 @@ do_login(Session *s)
 		return;

 #ifdef USE_PAM
-	print_pam_messages();
-	/* If password change is needed, do it now. */
-	do_pam_chauthtok();
+	if (!pam_password_change_required())
+		print_pam_messages();
 #endif /* USE_PAM */
 #ifdef WITH_AIXAUTHENTICATE
 	if (aixloginmsg && *aixloginmsg)