From 1921ed9f966b6d8262a906d01e515b2737962e2b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Feb 2004 13:23:28 +1100 Subject: [PATCH] - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to change expired PAM passwords for SSHv1 connections without privsep. pam_chauthtok is still used when privsep is disabled. ok djm@ --- ChangeLog | 5 ++++- auth-pam.c | 29 ++++++++++------------------- auth-pam.h | 4 +--- session.c | 32 ++++++++++++++------------------ 4 files changed, 29 insertions(+), 41 deletions(-) diff --git a/ChangeLog b/ChangeLog index a5bb31b91..3acb6eca9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,9 @@ change for platforms using /etc/shadow. ok djm@ - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat functions to avoid conflicts with Heimdal's libroken. ok djm@ + - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to + change expired PAM passwords for SSHv1 connections without privsep. + pam_chauthtok is still used when privsep is disabled. ok djm@ 20040207 - (dtucker) OpenBSD CVS Sync @@ -1830,4 +1833,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3220 2004/02/10 02:05:40 dtucker Exp $ +$Id: ChangeLog,v 1.3221 2004/02/10 02:23:28 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 0e2725b80..562fb01f2 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.92 2004/01/14 13:15:08 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.93 2004/02/10 02:23:29 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) 
@@ -155,11 +155,11 @@ pthread_join(sp_pthread_t thread, void **value __unused) static pam_handle_t *sshpam_handle = NULL; static int sshpam_err = 0; static int sshpam_authenticated = 0; -static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; static int sshpam_account_status = -1; static char **sshpam_env = NULL; +static int *force_pwchange; /* Some PAM implementations don't implement this */ #ifndef HAVE_PAM_GETENVLIST @@ -179,7 +179,7 @@ void pam_password_change_required(int reqd) { debug3("%s %d", __func__, reqd); - sshpam_new_authtok_reqd = reqd; + *force_pwchange = reqd; if (reqd) { no_port_forwarding_flag |= 2; no_agent_forwarding_flag |= 2; @@ -188,9 +188,9 @@ pam_password_change_required(int reqd) no_port_forwarding_flag &= ~2; no_agent_forwarding_flag &= ~2; no_x11_forwarding_flag &= ~2; - } } + /* Import regular and PAM environment from subprocess */ static void import_environments(Buffer *b) @@ -348,7 +348,7 @@ sshpam_thread(void *ctxtp) if (compat20) { if (!do_pam_account()) goto auth_fail; - if (sshpam_new_authtok_reqd) { + if (*force_pwchange) { sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK); if (sshpam_err != PAM_SUCCESS) @@ -362,7 +362,7 @@ sshpam_thread(void *ctxtp) #ifndef USE_POSIX_THREADS /* Export variables set by do_pam_account */ buffer_put_int(&buffer, sshpam_account_status); - buffer_put_int(&buffer, sshpam_new_authtok_reqd); + buffer_put_int(&buffer, *force_pwchange); /* Export any environment strings set in child */ for(i = 0; environ[i] != NULL; i++) @@ -437,7 +437,7 @@ sshpam_cleanup(void) pam_close_session(sshpam_handle, PAM_SILENT); sshpam_session_open = 0; } - sshpam_authenticated = sshpam_new_authtok_reqd = 0; + sshpam_authenticated = 0; pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; } 
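Review bot: `pam_password_change_required()` now writes through `*force_pwchange`, a file-static pointer that starts out NULL and is only assigned in `sshpam_init_ctx()` (a later hunk), so any call that reaches it before a PAM keyboard-interactive context has been created is a NULL dereference rather than the harmless global write it replaced. If `do_pam_account()` reports PAM_NEW_AUTHTOK_REQD through this function — it appears to be the main caller, though that code is outside the diff — a session that was authenticated without ever going through `sshpam_init_ctx()` would take that path. A guard such as `if (force_pwchange == NULL) fatal("%s: PAM authctxt not initialized", __func__);` before the assignment turns the crash into a diagnosable error; the two reads of `*force_pwchange` in `sshpam_thread()` are safer only because the thread is started from an initialised context. Note also that `sshpam_cleanup()` no longer resets the flag, so it now persists in the Authctxt across PAM teardown; that looks intended, but a one-line comment at the declaration saying so would help, e.g. `/* Points at authctxt->force_pwchange; set by sshpam_init_ctx(), not reset by sshpam_cleanup() */`.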
@@ -511,6 +511,8 @@ sshpam_init_ctx(Authctxt *authctxt) ctxt = xmalloc(sizeof *ctxt); memset(ctxt, 0, sizeof(*ctxt)); + force_pwchange = &(authctxt->force_pwchange); + /* Start the authentication thread */ if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { error("PAM: failed create sockets: %s", strerror(errno)); @@ -744,12 +746,6 @@ do_pam_setcred(int init) pam_strerror(sshpam_handle, sshpam_err)); } -int -is_pam_password_change_required(void) -{ - return (sshpam_new_authtok_reqd); -} - static int pam_tty_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) @@ -828,6 +824,7 @@ do_pam_chauthtok(void) void do_pam_session(void) { + debug3("PAM: opening session"); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&tty_conv); if (sshpam_err != PAM_SUCCESS) @@ -864,12 +861,6 @@ do_pam_putenv(char *name, char *value) return (ret); } -void -print_pam_messages(void) -{ - /* XXX */ -} - char ** fetch_pam_child_environment(void) { diff --git a/auth-pam.h b/auth-pam.h index fd62e9534..4bc8d6955 100644 --- a/auth-pam.h +++ b/auth-pam.h @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.23 2003/11/17 10:41:42 djm Exp $ */ +/* $Id: auth-pam.h,v 1.24 2004/02/10 02:23:29 dtucker Exp $ */ /* * Copyright (c) 2000 Damien Miller. All rights reserved. @@ -37,10 +37,8 @@ u_int do_pam_account(void); void do_pam_session(void); void do_pam_set_tty(const char *); void do_pam_setcred(int ); -int is_pam_password_change_required(void); void do_pam_chauthtok(void); int do_pam_putenv(char *, char *); -void print_pam_messages(void); char ** fetch_pam_environment(void); char ** fetch_pam_child_environment(void); void free_pam_environment(char **); diff --git a/session.c b/session.c index 5742296d5..864967565 100644 --- a/session.c +++ b/session.c 
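Review bot: `sshpam_init_ctx()` stores a raw pointer into the caller-owned Authctxt in the file-static `force_pwchange`, and nothing in this commit clears it when the PAM context is torn down, so after `sshpam_free_ctx()` the static still points at whatever Authctxt was current at the last init. In sshd the Authctxt normally lives for the whole connection, in which case this is harmless, but that lifetime assumption is not written down anywhere; if the context can be re-created per keyboard-interactive attempt the pointer is simply overwritten, which is fine, while a freed Authctxt would leave it dangling. A short comment at the assignment, `/* Authctxt outlives the PAM context; cleared nowhere, so it must stay valid for the connection */`, plus `force_pwchange = NULL;` in `sshpam_free_ctx()` (outside this hunk) would make the contract explicit. The removal of `is_pam_password_change_required()` and `print_pam_messages()` from auth-pam.h is only safe if session.c was their sole caller; the monitor and auth1 code are not in the diff, so that is worth a grep.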
@@ -193,6 +193,15 @@ auth_input_request_forwarding(struct passwd * pw) return 1; } +static void +display_loginmsg(void) +{ + if (buffer_len(&loginmsg) > 0) { + buffer_append(&loginmsg, "\0", 1); + printf("%s\n", (char *)buffer_ptr(&loginmsg)); + buffer_clear(&loginmsg); + } +} void do_authenticated(Authctxt *authctxt) @@ -389,12 +398,8 @@ do_exec_no_pty(Session *s, const char *command) session_proctitle(s); #if defined(USE_PAM) - if (options.use_pam) { + if (options.use_pam) do_pam_setcred(1); - if (is_pam_password_change_required()) - packet_disconnect("Password change required but no " - "TTY available"); - } #endif /* USE_PAM */ /* Fork the child. */ @@ -698,9 +703,10 @@ do_login(Session *s, const char *command) * If password change is needed, do it now. * This needs to occur before the ~/.hushlogin check. */ - if (options.use_pam && is_pam_password_change_required()) { - print_pam_messages(); + if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) { + display_loginmsg(); do_pam_chauthtok(); + s->authctxt->force_pwchange = 0; /* XXX - signal [net] parent to enable forwardings */ } #endif @@ -708,17 +714,7 @@ do_login(Session *s, const char *command) if (check_quietlogin(s, command)) return; -#ifdef USE_PAM - if (options.use_pam && !is_pam_password_change_required()) - print_pam_messages(); -#endif /* USE_PAM */ - - /* display post-login message */ - if (buffer_len(&loginmsg) > 0) { - buffer_append(&loginmsg, "\0", 1); - printf("%s\n", (char *)buffer_ptr(&loginmsg)); - } - buffer_free(&loginmsg); + display_loginmsg(); #ifndef NO_SSH_LASTLOG if (options.print_lastlog && s->last_login_time != 0) {
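Review bot: In the `do_login()` hunk `s->authctxt->force_pwchange = 0;` is executed immediately after `do_pam_chauthtok()` regardless of whether the password change succeeded; `do_pam_chauthtok()` is void and defined outside this diff, so if it reports failure through `sshpam_err` rather than `fatal()`, the non-privsep session continues with the still-expired password and the flag that would otherwise route the user to the `do_pwchange` fallback has just been cleared. Either confirm that `do_pam_chauthtok()` cannot return on failure and say so in a comment, or have it return a status and clear the flag only on success, e.g. `if (do_pam_chauthtok() == PAM_SUCCESS) s->authctxt->force_pwchange = 0;`. The `do_exec_no_pty()` hunk also drops the explicit `packet_disconnect("Password change required but no TTY available")`, so a non-pty command or subsystem request with a pending change now relies on whatever later consumes `force_pwchange` (presumably `do_pwchange()`, not in the diff) refusing to run without a tty — worth confirming rather than assuming. `do_exec_no_pty()` and `do_login()` both continue outside these hunks; the switch from `buffer_free()` to `buffer_clear()` in `display_loginmsg()` only retains the buffer's allocation for reuse and looks intentional.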