diff options
author | Darren Tucker <dtucker@zip.com.au> | 2016-07-18 09:33:25 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2016-07-18 09:33:25 +1000 |
commit | 01558b7b07af43da774d3a11a5c51fa9c310849d (patch) | |
tree | 97052332089b01018034206d1dcd683c4177f787 /monitor.c | |
parent | 65c6c6b567ab5ab12945a5ad8e0ab3a8c26119cc (diff) | |
download | openssh-git-01558b7b07af43da774d3a11a5c51fa9c310849d.tar.gz |
Handle PAM_MAXTRIES from modules.
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer
password and keyboard-interative authentication methods. Should prevent
"sshd ignoring max retries" warnings in the log. ok djm@
It probably won't trigger with keyboard-interactive in the default
configuration because the retry counter is stored in module-private
storage which goes away with the sshd PAM process (see bz#688). On the
other hand, those cases probably won't log a warning either.
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -75,6 +75,7 @@ #include "cipher.h" #include "kex.h" #include "dh.h" +#include "auth-pam.h" #ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ #undef TARGET_OS_MAC #include "zlib.h" @@ -920,6 +921,9 @@ mm_answer_authpassword(int sock, Buffer *m) buffer_clear(m); buffer_put_int(m, authenticated); +#ifdef USE_PAM + buffer_put_int(m, sshpam_get_maxtries_reached()); +#endif debug3("%s: sending result %d", __func__, authenticated); mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m); @@ -1119,6 +1123,7 @@ mm_answer_pam_query(int sock, Buffer *m) free(name); buffer_put_cstring(m, info); free(info); + buffer_put_int(m, sshpam_get_maxtries_reached()); buffer_put_int(m, num); for (i = 0; i < num; ++i) { buffer_put_cstring(m, prompts[i]); |