[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.

Darren Tucker dtucker at zip.com.au
Thu Nov 13 21:01:38 EST 2003


Hi All.

	Attached is a patch to perform pam_chauthtok via SSH2
keyboard-interactive.  It should be simpler, but since Solaris seems to
ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check
if it's expired.  To minimise the change in behaviour, it also caches the
result so pam_acct_mgmt still only gets called once.

	This doesn't seem to work on AIX 5.2; I don't know why.  It works OK for me
on Redhat, Solaris & HP-UX.  I'm interested in reports of success or
otherwise.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: acconfig.h
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/acconfig.h,v
retrieving revision 1.168
diff -u -p -r1.168 acconfig.h
--- acconfig.h	15 Oct 2003 06:57:57 -0000	1.168
+++ acconfig.h	13 Nov 2003 09:02:50 -0000
@@ -424,6 +424,9 @@
 /* Define if HEADER.ad exists in arpa/nameser.h */
 #undef HAVE_HEADER_AD
 
+/* Define to disable pam_chauthtok via keyboard-interactive authentication */
+#undef DISABLE_KBDINT_CHAUTHTOK
+
 @BOTTOM@
 
 /* ******************* Shouldn't need to edit below this line ************** */
Index: auth-pam.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
retrieving revision 1.78
diff -u -p -r1.78 auth-pam.c
--- auth-pam.c	13 Nov 2003 08:52:31 -0000	1.78
+++ auth-pam.c	13 Nov 2003 09:02:24 -0000
@@ -52,6 +52,8 @@ RCSID("$Id: auth-pam.c,v 1.78 2003/11/13
 #include "auth-options.h"
 
 extern ServerOptions options;
+extern Buffer loginmsg;
+extern int compat20;
 
 #define __unused
 
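Review bot: `extern Buffer loginmsg;` is declared here, but no hunk of this patch references `loginmsg`, so as posted it is an unused declaration. It may be meant for a follow-up that appends the pam_chauthtok conversation text to the login banner, but nothing in the patch shows that; either drop the line or include the use in the same patch. The `compat20` declaration is used in sshpam_thread below and is fine.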
@@ -117,6 +119,7 @@ static int sshpam_authenticated = 0;
 static int sshpam_new_authtok_reqd = 0;
 static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
 
 struct pam_ctxt {
 	sp_pthread_t	 pam_thread;
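Review bot: `sshpam_account_status` is a tri-state sentinel, but its declaration carries no comment, unlike the neighbouring flags whose names already say what 0 and 1 mean. A comment on the definition such as `static int sshpam_account_status = -1; /* cached do_pam_account() verdict; -1 = not yet checked */` keeps the meaning of -1 next to the value it guards. The 0 and 1 assignments are made in do_pam_account() further down in this patch.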
@@ -231,6 +234,17 @@ sshpam_thread(void *ctxtp)
 	sshpam_err = pam_authenticate(sshpam_handle, 0);
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;
+#ifndef DISABLE_KBDINT_CHAUTHTOK
+	if (compat20) {
+		if (do_pam_account() && sshpam_new_authtok_reqd) {
+			sshpam_err = pam_chauthtok(sshpam_handle,
+			    PAM_CHANGE_EXPIRED_AUTHTOK);
+			if (sshpam_err != PAM_SUCCESS)
+				goto auth_fail;
+			sshpam_new_authtok_reqd = 0; /* XXX: reset fwd flags */
+		}
+	}
+#endif
 	buffer_put_cstring(&buffer, "OK");
 	ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
 	buffer_free(&buffer);
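Review bot: `do_pam_account()` at the top of the new block overwrites `sshpam_err` with the pam_acct_mgmt() result, and when it returns 0 the code falls through to `buffer_put_cstring(&buffer, "OK")` and `ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer)`, so the thread reports "OK" tagged with an account-management error code rather than PAM_SUCCESS. If the parent keys on that message type this is an inconsistent signal at best; failing closed is clearer, e.g. `if (!do_pam_account()) goto auth_fail;` followed by `if (sshpam_new_authtok_reqd) { ... }` (assuming `auth_fail`, which lies outside the hunk, reports failure to the parent). The `/* XXX: reset fwd flags */` line clears only `sshpam_new_authtok_reqd`; `sshpam_account_status` and the `|= 2` forwarding-restriction bits set in the do_pam_account hunks below keep their values, so a session whose password was just changed successfully is still treated as restricted. Whether any of these writes are visible to the parent at all depends on whether sshpam_thread runs as a pthread or as a forked process; in the latter case the cache and the flag reset stay in the child. The body of sshpam_thread continues outside this hunk.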
@@ -532,11 +546,16 @@ finish_pam(void)
 u_int
 do_pam_account(void)
 {
+	if (sshpam_account_status != -1)
+		return (sshpam_account_status);
+
 	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
 	debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
 	
-	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
-		return (0);
+	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
+		sshpam_account_status = 0;
+		return (sshpam_account_status);
+	}
 
 	if (sshpam_err == PAM_NEW_AUTHTOK_REQD) {
 		sshpam_new_authtok_reqd = 1;
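Review bot: The new early return makes `do_pam_account()` sticky, but nothing on the function says so; a reader seeing `debug3("%s: pam_acct_mgmt = %d", ...)` would expect pam_acct_mgmt() to run on every call. Add a comment above the definition along the lines of `/* Run pam_acct_mgmt() once and cache the verdict in sshpam_account_status (-1 = not yet run, 0 = denied, 1 = allowed); PAM_NEW_AUTHTOK_REQD counts as allowed but sets sshpam_new_authtok_reqd and the forwarding-restriction flags. */`. Because PAM_NEW_AUTHTOK_REQD is cached as 1, a later successful pam_chauthtok() never causes the account to be re-checked unless the caller resets `sshpam_account_status` to -1. The tail of the function is in the next hunk.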
@@ -547,7 +566,8 @@ do_pam_account(void)
 		no_x11_forwarding_flag |= 2;
 	}
 
-	return (1);
+	sshpam_account_status = 1;
+	return (sshpam_account_status);
 }
 
 void
Index: configure.ac
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v
retrieving revision 1.173
diff -u -p -r1.173 configure.ac
--- configure.ac	15 Oct 2003 06:57:57 -0000	1.173
+++ configure.ac	13 Nov 2003 09:00:50 -0000
@@ -105,6 +105,7 @@ case "$host" in
 	AC_DEFINE(DISABLE_LASTLOG)
 	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
+	AC_DEFINE(DISABLE_KBDINT_CHAUTHTOK)
 	;;
 *-*-cygwin*)
 	check_for_libcrypt_later=1
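Review bot: The new `AC_DEFINE(DISABLE_KBDINT_CHAUTHTOK)` carries no comment saying why this platform is opted out; the enclosing case arm starts outside the hunk, so the host it covers is not visible here, though the cover letter's remark that the feature does not work on AIX 5.2 suggests it is that arm. A one-line `# pam_chauthtok via keyboard-interactive does not work here` comment above the define would keep the reason next to the switch.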

