search for: no_agent_forwarding_flag

...0; +static int sshpam_account_status = -1; static char **sshpam_env = NULL; struct pam_ctxt { @@ -144,6 +146,21 @@ pam_getenvlist(pam_handle_t *pamh) } #endif +void +pam_password_change_required(int reqd) +{ + sshpam_new_authtok_reqd = reqd; + if (reqd) { + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; + } else { + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; + + } +} /* Import regular and PAM environment from subprocess */ static void import_environments(Buffer *b) @@ -152,6 +169,13 @@ imp...

...ion; - } - if (options.allow_tcp_forwarding) - channel_add_permitted_opens(host, port); xfree(patterns); goto next_option; } --- auth-pam.c 28 Jan 2003 18:06:51 -0000 1.1.1.2 +++ auth-pam.c 29 Jan 2003 20:39:19 -0000 1.2 @@ -358,7 +360,7 @@ no_port_forwarding_flag &= ~2; no_agent_forwarding_flag &= ~2; no_x11_forwarding_flag &= ~2; - if (!no_port_forwarding_flag && options.allow_tcp_forwarding) + if (!auth_restricted(RESTRICT_TCP, auth_get_user())) channel_permit_all_opens(); #endif } --- auth.c 28 Jan 2003 18:06:51 -0000 1.1.1.2 +++ auth.c 29 Jan 2003 21:26:11...

Hi, sorry if it is the wrong approuch to suggest improvments to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in it's chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be dissallowed in

...message_cat(&__pam_msg, use_privsep ? - NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); + message_cat(&__pam_msg, NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ @@ -267,7 +266,6 @@ no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; -#endif default: log("PAM rejected by account configuration[%d]: " "%.200s", pam_retval, PAM_STRERROR(__pamh, @@ -301,6 +299,18 @@ session_opened = 1; } +/* Set the TTY after session is open */ +void do_pam_s...

...ACHED */ + } +} + +/* + * flag that password change is necessary and disable all forwarding + */ +void +flag_password_change_required(void) +{ + debug3("disabling forwarding"); + password_change_required = 1; + + /* disallow other functionality for now */ + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; +} + +/* + * Flags that password change was successful. + * XXX: the password change is performed in the process that becomes the + * shell, but the flags must be reset in its parent and currently there is no + * way to notify the parent that the change was succ...

...ACHED */ + } +} + +/* + * flag that password change is necessary and disable all forwarding + */ +void +flag_password_change_required(void) +{ + debug3("disabling forwarding"); + password_change_required = 1; + + /* disallow other functionality for now */ + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; +} + +/* + * Flags that password change was successful. + * XXX: the password change is performed in the process that becomes the + * shell, but the flags must be reset in its parent and currently there is no + * way to notify the parent that the change was succ...

...hat 8 (without PAM) AIX 4.3.3 Solaris 8 (without PAM) HP-UX 11.0 (trusted configuration, with PAM) I'm confused about this from auth-pam.c: /* XXX: This would need to be done in the parent process, * but there's currently no way to pass such request. */ no_port_forwarding_flag &= ~2; no_agent_forwarding_flag &= ~2; no_x11_forwarding_flag &= ~2; if (!no_port_forwarding_flag && options.allow_tcp_forwarding) channel_permit_all_opens(); Isn't this all in the post-auth privsep slave? Or am I overlooking something? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9...

...am.c #if 0 case PAM_NEW_AUTHTOK_REQD: message_cat(&__pam_msg, use_privsep ? NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ no_port_forwarding_flag |= 2; no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; #endif ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...de? #if 0 case PAM_NEW_AUTHTOK_REQD: message_cat(&__pam_msg, use_privsep ? NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ no_port_forwarding_flag |= 2; no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; #endif Please reply. Thanks Logsnaath. ----- End forwarded message -----

...MSG_PRIVSEP : NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ no_port_forwarding_flag |= 2; no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; #endif default: log("PAM rejected by account configuration[%d]: " "%.200s", pam_retval, PAM_STRERROR(__pamh,...

...message_cat(&__pam_msg, use_privsep ? - NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); + message_cat(&__pam_msg, NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ @@ -267,7 +266,6 @@ no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; -#endif default: log("PAM rejected by account configuration[%d]: " "%.200s", pam_retval, PAM_STRERROR(__pamh, @@ -301,6 +299,18 @@ session_opened = 1; } +/* Set the TTY after session is open */ +void do_pam_s...

http://bugzilla.mindrot.org/show_bug.cgi?id=564 ------- Additional Comments From djm at mindrot.org 2003-07-30 11:48 ------- Maybe UsePAM should be a tri-state: "kbd-int", "no" or "always". This is ugly - suggestions wanted. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...WD s->auth_proto = packet_get_string(&proto_len); s->auth_data = packet_get_string(&data_len); @@ -242,18 +255,22 @@ s->auth_proto = NULL; s->auth_data = NULL; } +#endif break; case SSH_CMSG_AGENT_REQUEST_FORWARDING: +#ifdef WITH_AGENTFWD if (no_agent_forwarding_flag || compat13) { debug("Authentication agent forwarding not permitted for this authentication."); break; } debug("Received authentication agent forwarding request."); success = auth_input_request_forwarding(s->pw); +#endif break; case SSH_CMSG_POR...