summaryrefslogtreecommitdiff
path: root/auth-pam.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2000-05-31 11:20:11 +1000
committerDamien Miller <djm@mindrot.org>2000-05-31 11:20:11 +1000
commit2f6a0ad191af2e0e67c66bdc5dfc84d9a97bf12c (patch)
tree3b25cc3ba9ed2ae288e33ee8dee5042cc4734020 /auth-pam.c
parent03934f2eefc991f2a0be253be8869cf8f39758bc (diff)
- Cleanup of auth.c, login.c and fake-*
- Cleanup of auth-pam.c, save and print "account expired" error messages
Diffstat (limited to 'auth-pam.c')
-rw-r--r--auth-pam.c113
1 files changed, 70 insertions, 43 deletions
diff --git a/auth-pam.c b/auth-pam.c
index e3f4c425..174d289f 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -13,12 +13,16 @@
#include "xmalloc.h"
#include "servconf.h"
-RCSID("$Id: auth-pam.c,v 1.4 2000/04/29 14:47:29 damien Exp $");
+RCSID("$Id: auth-pam.c,v 1.5 2000/05/31 01:20:12 damien Exp $");
+
+#define NEW_AUTHTOK_MSG \
+ "Warning: You password has expired, please change it now"
/* Callbacks */
static int pamconv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
void pam_cleanup_proc(void *context);
+void pam_msg_cat(const char *msg);
/* module-local variables */
static struct pam_conv conv = {
@@ -27,7 +31,7 @@ static struct pam_conv conv = {
};
static struct pam_handle_t *pamh = NULL;
static const char *pampasswd = NULL;
-static char *pamconv_msg = NULL;
+static char *pam_msg = NULL;
/* PAM conversation function. This is really a kludge to get the password */
/* into PAM and to pick up any messages generated by PAM into pamconv_msg */
@@ -36,8 +40,6 @@ static int pamconv(int num_msg, const struct pam_message **msg,
{
struct pam_response *reply;
int count;
- size_t msg_len;
- char *p;
/* PAM will free this later */
reply = malloc(num_msg * sizeof(*reply));
@@ -54,31 +56,14 @@ static int pamconv(int num_msg, const struct pam_message **msg,
reply[count].resp_retcode = PAM_SUCCESS;
reply[count].resp = xstrdup(pampasswd);
break;
-
case PAM_TEXT_INFO:
reply[count].resp_retcode = PAM_SUCCESS;
reply[count].resp = xstrdup("");
- if (msg[count]->msg == NULL)
- break;
+ if (msg[count]->msg != NULL)
+ pam_msg_cat(msg[count]->msg);
- debug("Adding PAM message: %s", msg[count]->msg);
-
- msg_len = strlen(msg[count]->msg);
- if (pamconv_msg) {
- size_t n = strlen(pamconv_msg);
- pamconv_msg = xrealloc(pamconv_msg, n + msg_len + 2);
- p = pamconv_msg + n;
- } else {
- pamconv_msg = p = xmalloc(msg_len + 2);
- }
- memcpy(p, msg[count]->msg, msg_len);
- p[msg_len] = '\n';
- p[msg_len + 1] = '\0';
break;
-
- case PAM_PROMPT_ECHO_ON:
- case PAM_ERROR_MSG:
default:
free(reply);
return PAM_CONV_ERR;
@@ -100,19 +85,19 @@ void pam_cleanup_proc(void *context)
pam_retval = pam_close_session((pam_handle_t *)pamh, 0);
if (pam_retval != PAM_SUCCESS) {
log("Cannot close PAM session: %.200s",
- PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
}
pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED);
if (pam_retval != PAM_SUCCESS) {
log("Cannot delete credentials: %.200s",
- PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
}
pam_retval = pam_end((pam_handle_t *)pamh, pam_retval);
if (pam_retval != PAM_SUCCESS) {
log("Cannot release PAM authentication: %.200s",
- PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
}
}
}
@@ -135,7 +120,8 @@ int auth_pam_password(struct passwd *pw, const char *password)
pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
if (pam_retval == PAM_SUCCESS) {
- debug("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name);
+ debug("PAM Password authentication accepted for user \"%.100s\"",
+ pw->pw_name);
return 1;
} else {
debug("PAM Password authentication for \"%.100s\" failed: %s",
@@ -148,26 +134,36 @@ int auth_pam_password(struct passwd *pw, const char *password)
int do_pam_account(char *username, char *remote_user)
{
int pam_retval;
-
+
debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname());
pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST,
get_canonical_hostname());
if (pam_retval != PAM_SUCCESS) {
- fatal("PAM set rhost failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ fatal("PAM set rhost failed: %.200s",
+ PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
}
if (remote_user != NULL) {
debug("PAM setting ruser to \"%.200s\"", remote_user);
pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user);
if (pam_retval != PAM_SUCCESS) {
- fatal("PAM set ruser failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ fatal("PAM set ruser failed: %.200s",
+ PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
}
}
pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0);
- if (pam_retval != PAM_SUCCESS) {
- log("PAM rejected by account configuration: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
- return(0);
+ switch (pam_retval) {
+ case PAM_SUCCESS:
+ /* This is what we want */
+ break;
+ case PAM_NEW_AUTHTOK_REQD:
+ pam_msg_cat(NEW_AUTHTOK_MSG);
+ break;
+ default:
+ log("PAM rejected by account configuration: %.200s",
+ PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ return(0);
}
return(1);
@@ -181,13 +177,17 @@ void do_pam_session(char *username, const char *ttyname)
if (ttyname != NULL) {
debug("PAM setting tty to \"%.200s\"", ttyname);
pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname);
- if (pam_retval != PAM_SUCCESS)
- fatal("PAM set tty failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ if (pam_retval != PAM_SUCCESS) {
+ fatal("PAM set tty failed: %.200s",
+ PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ }
}
pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
- if (pam_retval != PAM_SUCCESS)
- fatal("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ if (pam_retval != PAM_SUCCESS) {
+ fatal("PAM session setup failed: %.200s",
+ PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ }
}
/* Set PAM credentials */
@@ -197,8 +197,10 @@ void do_pam_setcred()
debug("PAM establishing creds");
pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED);
- if (pam_retval != PAM_SUCCESS)
- fatal("PAM setcred failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ if (pam_retval != PAM_SUCCESS) {
+ fatal("PAM setcred failed: %.200s",
+ PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ }
}
/* Cleanly shutdown PAM */
@@ -217,9 +219,12 @@ void start_pam(struct passwd *pw)
pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv,
(pam_handle_t**)&pamh);
- if (pam_retval != PAM_SUCCESS)
- fatal("PAM initialisation failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ if (pam_retval != PAM_SUCCESS) {
+ fatal("PAM initialisation failed: %.200s",
+ PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ }
+
fatal_add_cleanup(&pam_cleanup_proc, NULL);
}
@@ -237,8 +242,30 @@ char **fetch_pam_environment(void)
/* or account checking to stderr */
void print_pam_messages(void)
{
- if (pamconv_msg != NULL)
- fprintf(stderr, pamconv_msg);
+ if (pam_msg != NULL)
+ fprintf(stderr, pam_msg);
+}
+
+/* Append a message to the PAM message buffer */
+void pam_msg_cat(const char *msg)
+{
+ char *p;
+ size_t new_msg_len;
+ size_t pam_msg_len;
+
+ new_msg_len = strlen(msg);
+
+ if (pam_msg) {
+ pam_msg_len = strlen(pam_msg);
+ pam_msg = xrealloc(pam_msg, new_msg_len + pam_msg_len + 2);
+ p = pam_msg + pam_msg_len;
+ } else {
+ pam_msg = p = xmalloc(new_msg_len + 2);
+ }
+
+ memcpy(p, msg, new_msg_len);
+ p[new_msg_len] = '\n';
+ p[new_msg_len + 1] = '\0';
}
#endif /* USE_PAM */