Darren Tucker
2003-Nov-13 10:01 UTC
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn't seem to work on AIX 5.2, I don't know why. Works OK for me on Redhat, Solaris & HP-UX. I'm interested in reports of success or otherwise. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part --------------
Index: acconfig.h
==================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/acconfig.h,v
retrieving revision 1.168
diff -u -p -r1.168 acconfig.h
--- acconfig.h 15 Oct 2003 06:57:57 -0000 1.168
+++ acconfig.h 13 Nov 2003 09:02:50 -0000
@@ -424,6 +424,9 @@
 /* Define if HEADER.ad exists in arpa/nameser.h */
 #undef HAVE_HEADER_AD
 
+/* Define to disable pam_chauthtok via keyboard-interactive authentication */
+#undef DISABLE_KBDINT_CHAUTHTOK
+
 @BOTTOM@
 
 /* ******************* Shouldn't need to edit below this line ************** */
Index: auth-pam.c
==================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
retrieving revision 1.78
diff -u -p -r1.78 auth-pam.c
--- auth-pam.c 13 Nov 2003 08:52:31 -0000 1.78
+++ auth-pam.c 13 Nov 2003 09:02:24 -0000
@@ -52,6 +52,8 @@ RCSID("$Id: auth-pam.c,v 1.78 2003/11/13
 #include "auth-options.h"
 extern ServerOptions options;
+extern Buffer loginmsg;
+extern int compat20;
 #define __unused 
@@ -117,6 +119,7 @@ static int sshpam_authenticated = 0;
 static int sshpam_new_authtok_reqd = 0;
 static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
 
 struct pam_ctxt {
 sp_pthread_t pam_thread;
@@ -231,6 +234,17 @@ sshpam_thread(void *ctxtp)
 sshpam_err = pam_authenticate(sshpam_handle, 0);
 if (sshpam_err != PAM_SUCCESS)
 goto auth_fail;
+#ifndef DISABLE_KBDINT_CHAUTHTOK
+ if (compat20) {
+ if (do_pam_account() && sshpam_new_authtok_reqd) {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+ sshpam_new_authtok_reqd = 0; /* XXX: reset fwd flags */
+ }
+ }
+#endif
 buffer_put_cstring(&buffer, "OK");
 ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
 buffer_free(&buffer);
@@ -532,11 +546,16 @@ finish_pam(void)
 u_int
 do_pam_account(void)
 {
+ if (sshpam_account_status != -1)
+ return (sshpam_account_status);
+
 sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
 debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
 
- if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
- return (0);
+ if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
+ sshpam_account_status = 0;
+ return (sshpam_account_status);
+ }
 
 if (sshpam_err == PAM_NEW_AUTHTOK_REQD) {
 sshpam_new_authtok_reqd = 1;
@@ -547,7 +566,8 @@ do_pam_account(void)
 no_x11_forwarding_flag |= 2;
 }
 
- return (1);
+ sshpam_account_status = 1;
+ return (sshpam_account_status);
 }
 
 void
Index: configure.ac
==================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v
retrieving revision 1.173
diff -u -p -r1.173 configure.ac
--- configure.ac 15 Oct 2003 06:57:57 -0000 1.173
+++ configure.ac 13 Nov 2003 09:00:50 -0000
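Review bot: A successful pam_chauthtok in the -231 hunk leaves the forwarding restrictions that do_pam_account applied when it saw PAM_NEW_AUTHTOK_REQD in place; only sshpam_new_authtok_reqd is cleared, which is what the `/* XXX: reset fwd flags */` comment admits. After `sshpam_new_authtok_reqd = 0;` the bits that do_pam_account set should be cleared as well, e.g. `no_x11_forwarding_flag &= ~2;` together with the port- and agent-forwarding flags set in the same block (only the `no_x11_forwarding_flag |= 2;` line of that block is visible here, in the -547 hunk). This code also runs inside the PAM thread: if sp_pthread_t is a fork-based emulation rather than a real thread on a given build, neither this reset nor the cached sshpam_account_status is visible to the parent process, so the behaviour differs by build and deserves a comment either way. The enclosing sshpam_thread function starts and ends outside the hunk.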
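Review bot: The cached early return added at the top of do_pam_account in the -532 hunk skips the `sshpam_err = pam_acct_mgmt(sshpam_handle, 0);` assignment, so a caller that inspects sshpam_err after a second do_pam_account() call sees whatever the last PAM call left there rather than the account-management result; if any caller relies on sshpam_err, cache it alongside the status or state in a comment that the cached path does not touch it. The new static in the -117 hunk also has no comment explaining the sentinel; `/* cached do_pam_account() result; -1 = pam_acct_mgmt not yet called */` would make the `!= -1` test self-explanatory. Note that the cached value is returned through a u_int function, which is fine only because -1 is never returned; the comment should say so. do_pam_account's body continues into the -547 hunk.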
@@ -105,6 +105,7 @@ case "$host" in
 AC_DEFINE(DISABLE_LASTLOG)
 AC_DEFINE(LOGIN_NEEDS_UTMPX)
 AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
+ AC_DEFINE(DISABLE_KBDINT_CHAUTHTOK)
 ;;
 *-*-cygwin*)
 check_for_libcrypt_later=1
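Review bot: The added `AC_DEFINE(DISABLE_KBDINT_CHAUTHTOK)` is unconditional and unexplained in this host branch; the cover letter says the feature did not work on AIX 5.2 and the neighbouring DISABLE_LASTLOG/LOGIN_NEEDS_UTMPX defines suggest this is that branch, but the reason should live next to the define, e.g. `# pam_chauthtok via keyboard-interactive is known not to work on this platform`. Since the cover letter asks for test reports, a configure switch to override the define would also let people re-enable it without editing configure.ac. The enclosing case statement starts and ends outside the hunk.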