Diffstat (limited to 'auth-pam.c')
-rw-r--r--auth-pam.c47
1 files changed, 35 insertions, 12 deletions
diff --git a/auth-pam.c b/auth-pam.c
index bc8e5e02d834..de29c04c9c81 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -106,7 +106,6 @@ extern char *__progname;
extern ServerOptions options;
extern Buffer loginmsg;
-extern int compat20;
extern u_int utmp_len;
/* so we don't silently change behaviour */
@@ -468,18 +467,16 @@ sshpam_thread(void *ctxtp)
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
- if (compat20) {
- if (!do_pam_account()) {
- sshpam_err = PAM_ACCT_EXPIRED;
+ if (!do_pam_account()) {
+ sshpam_err = PAM_ACCT_EXPIRED;
+ goto auth_fail;
+ }
+ if (sshpam_authctxt->force_pwchange) {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
- }
- if (sshpam_authctxt->force_pwchange) {
- sshpam_err = pam_chauthtok(sshpam_handle,
- PAM_CHANGE_EXPIRED_AUTHTOK);
- if (sshpam_err != PAM_SUCCESS)
- goto auth_fail;
- sshpam_password_change_required(0);
- }
+ sshpam_password_change_required(0);
}
buffer_put_cstring(&buffer, "OK");
@@ -929,6 +926,27 @@ finish_pam(void)
sshpam_cleanup();
}
+static void
+expose_authinfo(const char *caller)
+{
+ char *auth_info;
+
+ /*
+ * Expose authentication information to PAM.
+ * The enviornment variable is versioned. Please increment the
+ * version suffix if the format of session_info changes.
+ */
+ if (sshpam_authctxt->session_info == NULL)
+ auth_info = xstrdup("");
+ else if ((auth_info = sshbuf_dup_string(
+ sshpam_authctxt->session_info)) == NULL)
+ fatal("%s: sshbuf_dup_string failed", __func__);
+
+ debug2("%s: auth information in SSH_AUTH_INFO_0", caller);
+ do_pam_putenv("SSH_AUTH_INFO_0", auth_info);
+ free(auth_info);
+}
+
u_int
do_pam_account(void)
{
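Review bot: The result of `do_pam_putenv("SSH_AUTH_INFO_0", auth_info)` in expose_authinfo() is discarded, so a failure to set the variable is silent and a PAM module that bases an account or session decision on it would see a missing or stale value. do_pam_putenv() is defined outside this hunk; assuming it returns a PAM status, the call should at least log the failure, e.g. `if (do_pam_putenv("SSH_AUTH_INFO_0", auth_info) != PAM_SUCCESS) error("%s: could not set SSH_AUTH_INFO_0", caller);`. The same helper is reached from the do_pam_account and do_pam_session hunks below, so the point applies to both call sites. It is also worth confirming, outside this page, that the PAM environment is filtered before it is copied into the user's session so this PAM-internal variable does not leak there. The comment has a typo, `enviornment` should read `environment`.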
@@ -936,6 +954,8 @@ do_pam_account(void)
if (sshpam_account_status != -1)
return (sshpam_account_status);
+ expose_authinfo(__func__);
+
sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
pam_strerror(sshpam_handle, sshpam_err));
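Review bot: The new `expose_authinfo(__func__);` call sits after the cached-status early return, so account modules only ever see SSH_AUTH_INFO_0 as it stood on the first call to do_pam_account(). The sshpam_thread hunk above now makes that call unconditionally while PAM authentication is still in progress, so session_info may well be empty or incomplete at that point (inferred, since it is populated outside this page). A comment above the call would make the limitation explicit, for example `/* Only set on the first call; later calls return the cached status and do not re-run pam_acct_mgmt(). */`. do_pam_account's body continues outside the hunk.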
@@ -1060,6 +1080,9 @@ void
do_pam_session(void)
{
debug3("PAM: opening session");
+
+ expose_authinfo(__func__);
+
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&store_conv);
if (sshpam_err != PAM_SUCCESS)