Regarding PAM_TTY_KLUDGE and Solaris 8...
Damien Miller
djm at mindrot.org
Fri Oct 26 11:33:16 EST 2001
On Thu, 25 Oct 2001, Ed Phillips wrote:
> However, I think a change should be made so that pam_chauthtok() is not
> called if we don't have a real TTY.
> Is there anything I'm missing?
The fact that pam_chauthtok was never getting called without a tty
anyway. Look at the code path in session.c. The do_pam_chauthtok() call
was only being made for the tty case.
If there is a problem, it is that accounts with expired passwords were
still able to execute commands. Please try the patch below for this.
Index: session.c
===================================================================
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.154
diff -u -r1.154 session.c
--- session.c 2001/10/12 01:35:51 1.154
+++ session.c 2001/10/26 01:30:29
@@ -432,6 +432,9 @@
#if defined(USE_PAM)
do_pam_session(s->pw->pw_name, NULL);
do_pam_setcred(1);
+ if (is_pam_password_change_required())
+ packet_disconnect("Password change required but no "
+ "TTY available");
#endif /* USE_PAM */
/* Fork the child. */
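Review bot: the new is_pam_password_change_required() check sits after do_pam_session() and do_pam_setcred(1), so a PAM session is opened and credentials are established for an account that is then disconnected straight away. Consider making the test before do_pam_session(), so that nothing is set up for a login that is going to be refused, or confirm that the packet_disconnect() path closes the session and deletes the credentials again. A short comment above the check would also help, saying that this is the no-TTY path, where the password cannot be changed interactively. The hunk alone does not show which function it is in.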
--
| By convention there is color, \\ Damien Miller <djm at mindrot.org>
| By convention sweetness, By convention bitterness, \\ www.mindrot.org
| But in reality there are atoms and space - Democritus (c. 400 BCE)