- (stevesk) [auth-pam.c] merge rest of solar's PAM patch;
PAM_NEW_AUTHTOK_REQD remains in #if 0 for now.
This commit is contained in:
Kevin Steves
parent
6cdecd0892
commit
63007d42ee
|
|
@ -1,6 +1,8 @@
|
|||
20020721
|
||||
- (stevesk) [auth-pam.c] merge cosmetic changes from solar's
|
||||
openssh-3.4p1-owl-password-changing.diff
|
||||
- (stevesk) [auth-pam.c] merge rest of solar's PAM patch;
|
||||
PAM_NEW_AUTHTOK_REQD remains in #if 0 for now.
|
||||
|
||||
20020720
|
||||
- (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng().
|
||||
|
|
@ -1401,4 +1403,4 @@
|
|||
- (stevesk) entropy.c: typo in debug message
|
||||
- (djm) ssh-keygen -i needs seeded RNG; report from markus@
|
||||
|
||||
$Id: ChangeLog,v 1.2381 2002/07/21 17:26:54 stevesk Exp $
|
||||
$Id: ChangeLog,v 1.2382 2002/07/21 17:57:01 stevesk Exp $
|
||||
|
|
|
|||
26
auth-pam.c
26
auth-pam.c
|
|
@ -29,6 +29,7 @@
|
|||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
#include "auth.h"
|
||||
#include "auth-options.h"
|
||||
#include "auth-pam.h"
|
||||
#include "servconf.h"
|
||||
#include "canohost.h"
|
||||
|
|
@ -36,10 +37,14 @@
|
|||
|
||||
extern char *__progname;
|
||||
|
||||
RCSID("$Id: auth-pam.c,v 1.48 2002/07/21 17:26:54 stevesk Exp $");
|
||||
extern int use_privsep;
|
||||
|
||||
RCSID("$Id: auth-pam.c,v 1.49 2002/07/21 17:57:01 stevesk Exp $");
|
||||
|
||||
#define NEW_AUTHTOK_MSG \
|
||||
"Warning: Your password has expired, please change it now."
|
||||
#define NEW_AUTHTOK_MSG_PRIVSEP \
|
||||
"Your password has expired, the session cannot proceed."
|
||||
|
||||
static int do_pam_conversation(int num_msg, const struct pam_message **msg,
|
||||
struct pam_response **resp, void *appdata_ptr);
|
||||
|
|
@ -254,9 +259,14 @@ int do_pam_account(char *username, char *remote_user)
|
|||
break;
|
||||
#if 0
|
||||
case PAM_NEW_AUTHTOK_REQD:
|
||||
message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
|
||||
message_cat(&__pam_msg, use_privsep ?
|
||||
NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
|
||||
/* flag that password change is necessary */
|
||||
password_change_required = 1;
|
||||
/* disallow other functionality for now */
|
||||
no_port_forwarding_flag |= 2;
|
||||
no_agent_forwarding_flag |= 2;
|
||||
no_x11_forwarding_flag |= 2;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
|
|
@ -335,11 +345,23 @@ void do_pam_chauthtok(void)
|
|||
do_pam_set_conv(&conv);
|
||||
|
||||
if (password_change_required) {
|
||||
if (use_privsep)
|
||||
fatal("Password changing is currently unsupported"
|
||||
" with privilege separation");
|
||||
pamstate = OTHER;
|
||||
pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
|
||||
if (pam_retval != PAM_SUCCESS)
|
||||
fatal("PAM pam_chauthtok failed[%d]: %.200s",
|
||||
pam_retval, PAM_STRERROR(__pamh, pam_retval));
|
||||
#if 0
|
||||
/* XXX: This would need to be done in the parent process,
|
||||
* but there's currently no way to pass such request. */
|
||||
no_port_forwarding_flag &= ~2;
|
||||
no_agent_forwarding_flag &= ~2;
|
||||
no_x11_forwarding_flag &= ~2;
|
||||
if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
|
||||
channel_permit_all_opens();
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue