diff options
Diffstat (limited to 'crypto/openssh/auth-pam.c')
| -rw-r--r-- | crypto/openssh/auth-pam.c | 63 |
1 files changed, 46 insertions, 17 deletions
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c index 490990dece5f..99b03f45b197 100644 --- a/crypto/openssh/auth-pam.c +++ b/crypto/openssh/auth-pam.c @@ -25,10 +25,10 @@ #include "includes.h" #ifdef USE_PAM -#include "ssh.h" #include "xmalloc.h" #include "log.h" #include "auth.h" +#include "auth-options.h" #include "auth-pam.h" #include "servconf.h" #include "canohost.h" @@ -36,17 +36,21 @@ extern char *__progname; -RCSID("$Id: auth-pam.c,v 1.46 2002/05/08 02:27:56 djm Exp $"); +extern int use_privsep; + +RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $"); #define NEW_AUTHTOK_MSG \ - "Warning: Your password has expired, please change it now" + "Warning: Your password has expired, please change it now." +#define NEW_AUTHTOK_MSG_PRIVSEP \ + "Your password has expired, the session cannot proceed." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); /* module-local variables */ static struct pam_conv conv = { - do_pam_conversation, + (int (*)())do_pam_conversation, NULL }; static char *__pam_msg = NULL; @@ -55,7 +59,7 @@ static const char *__pampasswd = NULL; /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; -/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ +/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */ static int password_change_required = 0; /* remember whether the last pam_authenticate() succeeded or not */ static int was_authenticated = 0; @@ -100,9 +104,7 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, char buf[1024]; /* PAM will free this later */ - reply = malloc(num_msg * sizeof(*reply)); - if (reply == NULL) - return PAM_CONV_ERR; + reply = xmalloc(num_msg * sizeof(*reply)); for (count = 0; count < num_msg; count++) { if (pamstate == INITIAL_LOGIN) { @@ -112,11 +114,11 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, */ switch(PAM_MSG_MEMBER(msg, count, msg_style)) { case PAM_PROMPT_ECHO_ON: - free(reply); + xfree(reply); return PAM_CONV_ERR; case PAM_PROMPT_ECHO_OFF: if (__pampasswd == NULL) { - free(reply); + xfree(reply); return PAM_CONV_ERR; } reply[count].resp = xstrdup(__pampasswd); @@ -124,7 +126,7 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, break; case PAM_ERROR_MSG: case PAM_TEXT_INFO: - if ((*msg)[count].msg != NULL) { + if (PAM_MSG_MEMBER(msg, count, msg) != NULL) { message_cat(&__pam_msg, PAM_MSG_MEMBER(msg, count, msg)); } @@ -132,7 +134,7 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, reply[count].resp_retcode = PAM_SUCCESS; break; default: - free(reply); + xfree(reply); return PAM_CONV_ERR; } } else { @@ -154,14 +156,14 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, break; case PAM_ERROR_MSG: case PAM_TEXT_INFO: - if ((*msg)[count].msg != NULL) + if (PAM_MSG_MEMBER(msg, count, msg) != NULL) fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, count, msg)); reply[count].resp = xstrdup(""); reply[count].resp_retcode = PAM_SUCCESS; break; default: - free(reply); + xfree(reply); return PAM_CONV_ERR; } } @@ -256,9 +258,14 @@ int do_pam_account(char *username, char *remote_user) break; #if 0 case PAM_NEW_AUTHTOK_REQD: - message_cat(&__pam_msg, NEW_AUTHTOK_MSG); + message_cat(&__pam_msg, use_privsep ? + NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; + /* disallow other functionality for now */ + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; break; #endif default: @@ -328,7 +335,7 @@ int is_pam_password_change_required(void) * Have user change authentication token if pam_acct_mgmt() indicated * it was expired. This needs to be called after an interactive * session is established and the user's pty is connected to - * stdin/stout/stderr. + * stdin/stdout/stderr. */ void do_pam_chauthtok(void) { @@ -337,11 +344,23 @@ void do_pam_chauthtok(void) do_pam_set_conv(&conv); if (password_change_required) { + if (use_privsep) + fatal("Password changing is currently unsupported" + " with privilege separation"); pamstate = OTHER; pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (pam_retval != PAM_SUCCESS) fatal("PAM pam_chauthtok failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); +#if 0 + /* XXX: This would need to be done in the parent process, + * but there's currently no way to pass such request. */ + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; + if (!no_port_forwarding_flag && options.allow_tcp_forwarding) + channel_permit_all_opens(); +#endif } } @@ -392,7 +411,7 @@ void start_pam(const char *user) fatal_add_cleanup(&do_pam_cleanup_proc, NULL); } -/* Return list of PAM enviornment strings */ +/* Return list of PAM environment strings */ char **fetch_pam_environment(void) { #ifdef HAVE_PAM_GETENVLIST @@ -402,6 +421,16 @@ char **fetch_pam_environment(void) #endif /* HAVE_PAM_GETENVLIST */ } +void free_pam_environment(char **env) +{ + int i; + + if (env != NULL) { + for (i = 0; env[i] != NULL; i++) + xfree(env[i]); + } +} + /* Print any messages that have been generated during authentication */ /* or account checking to stderr */ void print_pam_messages(void) |