tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to 

change expired PAM passwords for SSHv1 connections without privsep.
   pam_chauthtok is still used when privsep is disabled.  ok djm@
This commit is contained in:
Darren Tucker 2004-02-10 13:23:28 +11:00
parent ffae532076
commit 1921ed9f96
4 changed files with 29 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -7,6 +7,9 @@
change for platforms using /etc/shadow. ok djm@ change for platforms using /etc/shadow. ok djm@
- (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat
functions to avoid conflicts with Heimdal's libroken. ok djm@ functions to avoid conflicts with Heimdal's libroken. ok djm@
- (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to
change expired PAM passwords for SSHv1 connections without privsep.
pam_chauthtok is still used when privsep is disabled. ok djm@
20040207 20040207
- (dtucker) OpenBSD CVS Sync - (dtucker) OpenBSD CVS Sync
@ -1830,4 +1833,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au Report from murple@murple.net, diagnosis from dtucker@zip.com.au
$Id: ChangeLog,v 1.3220 2004/02/10 02:05:40 dtucker Exp $ $Id: ChangeLog,v 1.3221 2004/02/10 02:23:28 dtucker Exp $

29
auth-pam.c
View File

@ -31,7 +31,7 @@
/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
#include "includes.h" #include "includes.h"
RCSID("$Id: auth-pam.c,v 1.92 2004/01/14 13:15:08 dtucker Exp $"); RCSID("$Id: auth-pam.c,v 1.93 2004/02/10 02:23:29 dtucker Exp $");
#ifdef USE_PAM #ifdef USE_PAM
#if defined(HAVE_SECURITY_PAM_APPL_H) #if defined(HAVE_SECURITY_PAM_APPL_H)
@ -155,11 +155,11 @@ pthread_join(sp_pthread_t thread, void **value __unused)
static pam_handle_t *sshpam_handle = NULL; static pam_handle_t *sshpam_handle = NULL;
static int sshpam_err = 0; static int sshpam_err = 0;
static int sshpam_authenticated = 0; static int sshpam_authenticated = 0;
static int sshpam_new_authtok_reqd = 0;
static int sshpam_session_open = 0; static int sshpam_session_open = 0;
static int sshpam_cred_established = 0; static int sshpam_cred_established = 0;
static int sshpam_account_status = -1; static int sshpam_account_status = -1;
static char **sshpam_env = NULL; static char **sshpam_env = NULL;
static int *force_pwchange;
/* Some PAM implementations don't implement this */ /* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST #ifndef HAVE_PAM_GETENVLIST
@ -179,7 +179,7 @@ void
pam_password_change_required(int reqd) pam_password_change_required(int reqd)
{ {
debug3("%s %d", __func__, reqd); debug3("%s %d", __func__, reqd);
sshpam_new_authtok_reqd = reqd; *force_pwchange = reqd;
if (reqd) { if (reqd) {
no_port_forwarding_flag |= 2; no_port_forwarding_flag |= 2;
no_agent_forwarding_flag |= 2; no_agent_forwarding_flag |= 2;
@ -188,9 +188,9 @@ pam_password_change_required(int reqd)
no_port_forwarding_flag &= ~2; no_port_forwarding_flag &= ~2;
no_agent_forwarding_flag &= ~2; no_agent_forwarding_flag &= ~2;
no_x11_forwarding_flag &= ~2; no_x11_forwarding_flag &= ~2;
} }
} }
/* Import regular and PAM environment from subprocess */ /* Import regular and PAM environment from subprocess */
static void static void
import_environments(Buffer *b) import_environments(Buffer *b)
@ -348,7 +348,7 @@ sshpam_thread(void *ctxtp)
if (compat20) { if (compat20) {
if (!do_pam_account()) if (!do_pam_account())
goto auth_fail; goto auth_fail;
if (sshpam_new_authtok_reqd) { if (*force_pwchange) {
sshpam_err = pam_chauthtok(sshpam_handle, sshpam_err = pam_chauthtok(sshpam_handle,
PAM_CHANGE_EXPIRED_AUTHTOK); PAM_CHANGE_EXPIRED_AUTHTOK);
if (sshpam_err != PAM_SUCCESS) if (sshpam_err != PAM_SUCCESS)
@ -362,7 +362,7 @@ sshpam_thread(void *ctxtp)
#ifndef USE_POSIX_THREADS #ifndef USE_POSIX_THREADS
/* Export variables set by do_pam_account */ /* Export variables set by do_pam_account */
buffer_put_int(&buffer, sshpam_account_status); buffer_put_int(&buffer, sshpam_account_status);
buffer_put_int(&buffer, sshpam_new_authtok_reqd); buffer_put_int(&buffer, *force_pwchange);
/* Export any environment strings set in child */ /* Export any environment strings set in child */
for(i = 0; environ[i] != NULL; i++) for(i = 0; environ[i] != NULL; i++)
@ -437,7 +437,7 @@ sshpam_cleanup(void)
pam_close_session(sshpam_handle, PAM_SILENT); pam_close_session(sshpam_handle, PAM_SILENT);
sshpam_session_open = 0; sshpam_session_open = 0;
} }
sshpam_authenticated = sshpam_new_authtok_reqd = 0; sshpam_authenticated = 0;
pam_end(sshpam_handle, sshpam_err); pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL; sshpam_handle = NULL;
} }
@ -511,6 +511,8 @@ sshpam_init_ctx(Authctxt *authctxt)
ctxt = xmalloc(sizeof *ctxt); ctxt = xmalloc(sizeof *ctxt);
memset(ctxt, 0, sizeof(*ctxt)); memset(ctxt, 0, sizeof(*ctxt));
force_pwchange = &(authctxt->force_pwchange);
/* Start the authentication thread */ /* Start the authentication thread */
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno)); error("PAM: failed create sockets: %s", strerror(errno));
@ -744,12 +746,6 @@ do_pam_setcred(int init)
pam_strerror(sshpam_handle, sshpam_err)); pam_strerror(sshpam_handle, sshpam_err));
} }
int
is_pam_password_change_required(void)
{
return (sshpam_new_authtok_reqd);
}
static int static int
pam_tty_conv(int n, const struct pam_message **msg, pam_tty_conv(int n, const struct pam_message **msg,
struct pam_response **resp, void *data) struct pam_response **resp, void *data)
@ -828,6 +824,7 @@ do_pam_chauthtok(void)
void void
do_pam_session(void) do_pam_session(void)
{ {
debug3("PAM: opening session");
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&tty_conv); (const void *)&tty_conv);
if (sshpam_err != PAM_SUCCESS) if (sshpam_err != PAM_SUCCESS)
@ -864,12 +861,6 @@ do_pam_putenv(char *name, char *value)
return (ret); return (ret);
} }
void
print_pam_messages(void)
{
/* XXX */
}
char ** char **
fetch_pam_child_environment(void) fetch_pam_child_environment(void)
{ {

4
auth-pam.h
View File

@ -1,4 +1,4 @@
/* $Id: auth-pam.h,v 1.23 2003/11/17 10:41:42 djm Exp $ */ /* $Id: auth-pam.h,v 1.24 2004/02/10 02:23:29 dtucker Exp $ */
/* /*
* Copyright (c) 2000 Damien Miller. All rights reserved. * Copyright (c) 2000 Damien Miller. All rights reserved.
@ -37,10 +37,8 @@ u_int do_pam_account(void);
void do_pam_session(void); void do_pam_session(void);
void do_pam_set_tty(const char *); void do_pam_set_tty(const char *);
void do_pam_setcred(int ); void do_pam_setcred(int );
int is_pam_password_change_required(void);
void do_pam_chauthtok(void); void do_pam_chauthtok(void);
int do_pam_putenv(char *, char *); int do_pam_putenv(char *, char *);
void print_pam_messages(void);
char ** fetch_pam_environment(void); char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void); char ** fetch_pam_child_environment(void);
void free_pam_environment(char **); void free_pam_environment(char **);

32
session.c
View File

@ -193,6 +193,15 @@ auth_input_request_forwarding(struct passwd * pw)
return 1; return 1;
} }
static void
display_loginmsg(void)
{
if (buffer_len(&loginmsg) > 0) {
buffer_append(&loginmsg, "\0", 1);
printf("%s\n", (char *)buffer_ptr(&loginmsg));
buffer_clear(&loginmsg);
}
}
void void
do_authenticated(Authctxt *authctxt) do_authenticated(Authctxt *authctxt)
@ -389,12 +398,8 @@ do_exec_no_pty(Session *s, const char *command)
session_proctitle(s); session_proctitle(s);
#if defined(USE_PAM) #if defined(USE_PAM)
if (options.use_pam) { if (options.use_pam)
do_pam_setcred(1); do_pam_setcred(1);
if (is_pam_password_change_required())
packet_disconnect("Password change required but no "
"TTY available");
}
#endif /* USE_PAM */ #endif /* USE_PAM */
/* Fork the child. */ /* Fork the child. */
@ -698,9 +703,10 @@ do_login(Session *s, const char *command)
* If password change is needed, do it now. * If password change is needed, do it now.
* This needs to occur before the ~/.hushlogin check. * This needs to occur before the ~/.hushlogin check.
*/ */
if (options.use_pam && is_pam_password_change_required()) { if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) {
print_pam_messages(); display_loginmsg();
do_pam_chauthtok(); do_pam_chauthtok();
s->authctxt->force_pwchange = 0;
/* XXX - signal [net] parent to enable forwardings */ /* XXX - signal [net] parent to enable forwardings */
} }
#endif #endif
@ -708,17 +714,7 @@ do_login(Session *s, const char *command)
if (check_quietlogin(s, command)) if (check_quietlogin(s, command))
return; return;
#ifdef USE_PAM display_loginmsg();
if (options.use_pam && !is_pam_password_change_required())
print_pam_messages();
#endif /* USE_PAM */
/* display post-login message */
if (buffer_len(&loginmsg) > 0) {
buffer_append(&loginmsg, "\0", 1);
printf("%s\n", (char *)buffer_ptr(&loginmsg));
}
buffer_free(&loginmsg);
#ifndef NO_SSH_LASTLOG #ifndef NO_SSH_LASTLOG
if (options.print_lastlog && s->last_login_time != 0) { if (options.print_lastlog && s->last_login_time != 0) {