322 if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(method))
323 return PAM_PERM_DENIED;
324
325 if (!(authctxt->pam->state & PAM_S_DONE_SETCRED)) {
326 retval = pam_setcred(authctxt->pam->h,
327 PAM_ESTABLISH_CRED);
328 authctxt->pam->last_pam_retval = retval;
329 if (retval != PAM_SUCCESS)
330 return retval;
331 authctxt->pam->state |= PAM_S_DONE_SETCRED;
332
333 #ifdef GSSAPI
334 /*
335 * Store GSS-API delegated creds after pam_setcred(), which may
336 * have set the current credential store.
337 */
338 ssh_gssapi_storecreds(NULL, authctxt);
339 #endif /* GSSAPI */
340 }
341
342 /*
343 * On Solaris pam_unix_session.so updates the lastlog, but does
344 * not converse a PAM_TEXT_INFO message about it. So we need to
345 * fetch the lastlog entry here and save it for use later.
346 */
347 authctxt->last_login_time =
348 get_last_login_time(authctxt->pw->pw_uid,
349 authctxt->pw->pw_name,
350 authctxt->last_login_host,
351 sizeof(authctxt->last_login_host));
352
353 if (!(authctxt->pam->state & PAM_S_DONE_OPEN_SESSION)) {
354 retval = pam_open_session(authctxt->pam->h, 0);
355 authctxt->pam->last_pam_retval = retval;
356 if (retval != PAM_SUCCESS)
357 return retval;
358 authctxt->pam->state |= PAM_S_DONE_OPEN_SESSION;
359 }
360
361 /*
362 * All PAM work done successfully.
363 *
364 * PAM handle stays around so we can call pam_close_session() on
365 * it later.
366 */
367 return PAM_SUCCESS;
368 }
369
370 /*
371 * PAM conversation function for non-interactive userauth methods that
372 * really cannot do any prompting. Password userauth and CHANGEREQ can
506 options.permit_empty_passwd ? 0 :
507 PAM_DISALLOW_NULL_AUTHTOK);
508
509 if (retval != PAM_SUCCESS) {
510 authctxt->pam->last_pam_retval = retval;
511 return 0;
512 }
513
514 if ((retval = finish_userauth_do_pam(authctxt)) != PAM_SUCCESS)
515 return 0;
516
517 if (authctxt->method)
518 authctxt->method->authenticated = 1; /* SSHv2 */
519
520 return 1;
521 }
522
523 int
524 do_pam_non_initial_userauth(Authctxt *authctxt)
525 {
526 new_start_pam(authctxt, NULL);
527 return (finish_userauth_do_pam(authctxt) == PAM_SUCCESS);
528 }
529
530 /* Cleanly shutdown PAM */
531 void finish_pam(Authctxt *authctxt)
532 {
533 fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam);
534 do_pam_cleanup_proc(authctxt->pam);
535 }
536
537 static
538 char **
539 find_env(char **env, char *var)
540 {
541 char **p;
542 int len;
543
544 if (strchr(var, '=') == NULL)
545 len = strlen(var);
546 else
|
322 if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(method))
323 return PAM_PERM_DENIED;
324
325 if (!(authctxt->pam->state & PAM_S_DONE_SETCRED)) {
326 retval = pam_setcred(authctxt->pam->h,
327 PAM_ESTABLISH_CRED);
328 authctxt->pam->last_pam_retval = retval;
329 if (retval != PAM_SUCCESS)
330 return retval;
331 authctxt->pam->state |= PAM_S_DONE_SETCRED;
332
333 #ifdef GSSAPI
334 /*
335 * Store GSS-API delegated creds after pam_setcred(), which may
336 * have set the current credential store.
337 */
338 ssh_gssapi_storecreds(NULL, authctxt);
339 #endif /* GSSAPI */
340 }
341
342 if (!(authctxt->pam->state & PAM_S_DONE_OPEN_SESSION)) {
343 retval = pam_open_session(authctxt->pam->h, 0);
344 authctxt->pam->last_pam_retval = retval;
345 if (retval != PAM_SUCCESS)
346 return retval;
347 authctxt->pam->state |= PAM_S_DONE_OPEN_SESSION;
348 }
349
350 /*
351 * All PAM work done successfully.
352 *
353 * PAM handle stays around so we can call pam_close_session() on
354 * it later.
355 */
356 return PAM_SUCCESS;
357 }
358
359 /*
360 * PAM conversation function for non-interactive userauth methods that
361 * really cannot do any prompting. Password userauth and CHANGEREQ can
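Review bot: Taking the right-hand column as the new side, finish_userauth_do_pam() no longer assigns `authctxt->last_login_time` / `authctxt->last_login_host` before `pam_open_session()`, and nothing else in this hunk fills them in; if no other caller now does, the "Last login" notice shown to the user — the one signal that lets an account owner notice a login they did not make — would be empty or stale, and the Solaris case the removed comment described (pam_unix_session.so overwriting lastlog without a PAM_TEXT_INFO message) would return. If the fetch was deliberately moved, a one-line comment at the `PAM_S_DONE_OPEN_SESSION` check would save the next reader the search, e.g. `/* last_login_time/host are captured by <CALLER-PLACEHOLDER> before this point */`. The switch from `new_start_pam(authctxt, NULL)` to `new_start_pam(authctxt, &conv)` in do_pam_non_initial_userauth() is consistent with the non-interactive conversation described in the comment at the end of this hunk, provided `conv` is that function; its definition is outside the hunk, so I cannot confirm it refuses prompts rather than blocking on them. finish_userauth_do_pam() starts before the first line of the hunk.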
495 options.permit_empty_passwd ? 0 :
496 PAM_DISALLOW_NULL_AUTHTOK);
497
498 if (retval != PAM_SUCCESS) {
499 authctxt->pam->last_pam_retval = retval;
500 return 0;
501 }
502
503 if ((retval = finish_userauth_do_pam(authctxt)) != PAM_SUCCESS)
504 return 0;
505
506 if (authctxt->method)
507 authctxt->method->authenticated = 1; /* SSHv2 */
508
509 return 1;
510 }
511
512 int
513 do_pam_non_initial_userauth(Authctxt *authctxt)
514 {
515 new_start_pam(authctxt, &conv);
516 return (finish_userauth_do_pam(authctxt) == PAM_SUCCESS);
517 }
518
519 /* Cleanly shutdown PAM */
520 void finish_pam(Authctxt *authctxt)
521 {
522 fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam);
523 do_pam_cleanup_proc(authctxt->pam);
524 }
525
526 static
527 char **
528 find_env(char **env, char *var)
529 {
530 char **p;
531 int len;
532
533 if (strchr(var, '=') == NULL)
534 len = strlen(var);
535 else
|