[PATCH]: Call pam_chauthtok from keyboard-interactive.

Mon Oct 13 10:13:01 EST 2003

Darren Tucker wrote:
>         This patch calls pam_chauthtok() to change an expired password via PAM
> during keyboard-interactive authentication (SSHv2 only).  It is tested on
> Redhat 8 and Solaris 8.
[snip]
>         Still to do: add newlines to prompt messages as appropriate.  Figure out
> Linux last-changed problem.

This version seems to fix those problems.  I suspect that Redhat needed
the call to pam_account_mgmt to the last-changed shadow entry ?

I'm still interested in feedback about other platforms.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: auth-pam.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
retrieving revision 1.76
diff -u -p -r1.76 auth-pam.c

--- auth-pam.c	9 Oct 2003 04:20:15 -0000	1.76
+++ auth-pam.c	13 Oct 2003 00:05:25 -0000
@@ -52,6 +52,8 @@ RCSID("$Id: auth-pam.c,v 1.76 2003/10/09
 #include "auth-options.h"
 
 extern ServerOptions options;
+extern Buffer loginmsg;
+extern int compat20;
 
 #define __unused
 
@@ -117,6 +119,7 @@ static int sshpam_authenticated = 0;
 static int sshpam_new_authtok_reqd = 0;
 static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
 
 struct pam_ctxt {
 	sp_pthread_t	 pam_thread;
@@ -231,6 +234,15 @@ sshpam_thread(void *ctxtp)
 	sshpam_err = pam_authenticate(sshpam_handle, 0);
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;
+	if (compat20) {
+		if (do_pam_account() && sshpam_new_authtok_reqd) {
+			sshpam_err = pam_chauthtok(sshpam_handle,
+			    PAM_CHANGE_EXPIRED_AUTHTOK);
+			if (sshpam_err != PAM_SUCCESS)
+				goto auth_fail;
+			sshpam_new_authtok_reqd = 0; /* XXX: reset fwd flags */
+		}
+	}
 	buffer_put_cstring(&buffer, "OK");
 	ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
 	buffer_free(&buffer);
@@ -412,9 +424,9 @@ sshpam_query(void *ctx, char **name, cha
 		case PAM_ERROR_MSG:
 		case PAM_TEXT_INFO:
 			/* accumulate messages */
-			len = plen + strlen(msg) + 1;
+			len = plen + strlen(msg) + 2;
 			**prompts = xrealloc(**prompts, len);
-			plen += snprintf(**prompts + plen, len, "%s", msg);
+			plen += snprintf(**prompts + plen, len, "%s\n", msg);
 			xfree(msg);
 			break;
 		case PAM_SUCCESS:
@@ -532,11 +544,16 @@ finish_pam(void)
 u_int
 do_pam_account(void)
 {
+	if (sshpam_account_status != -1)
+		return (sshpam_account_status);
+
 	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
 	debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
 	
-	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
-		return (0);
+	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
+		sshpam_account_status = 0;
+		return (sshpam_account_status);
+	}
 
 	if (sshpam_err == PAM_NEW_AUTHTOK_REQD) {
 		sshpam_new_authtok_reqd = 1;
@@ -547,7 +564,8 @@ do_pam_account(void)
 		no_x11_forwarding_flag |= 2;
 	}
 
-	return (1);
+	sshpam_account_status = 1;
+	return (sshpam_account_status);
 }
 
 void
