authordtucker <dtucker>2004-12-03 03:33:47 +0000
committerdtucker <dtucker>2004-12-03 03:33:47 +0000
commite104929139bdc54c8753ea02174f8a814cc601b2 (patch)
tree299f21a4980abc01419116d4f7026a9ad2307fc0
parent34a7f4667aa7602b3fdc45cd6de55d8a34240bf2 (diff)
downloadopenssh-e104929139bdc54c8753ea02174f8a814cc601b2.tar.gz
- (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
subsequently denied by the PAM auth stack, send the PAM message to the user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2). ok djm@
-rw-r--r--ChangeLog6
-rw-r--r--auth1.c21
-rw-r--r--auth2.c5
3 files changed, 27 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 35a7d07a..fd92678f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,10 @@
- add -O
- sync -S w/ manpage
- remove -h
+ - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
+ subsequently denied by the PAM auth stack, send the PAM message to the
+ user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
+ ok djm@
20041107
- (dtucker) OpenBSD CVS Sync
@@ -1866,4 +1870,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3583 2004/12/03 03:10:19 dtucker Exp $
+$Id: ChangeLog,v 1.3584 2004/12/03 03:33:47 dtucker Exp $
diff --git a/auth1.c b/auth1.c
index 3f93b986..2a9d18b9 100644
--- a/auth1.c
+++ b/auth1.c
@@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
#include "session.h"
#include "uidswap.h"
#include "monitor_wrap.h"
+#include "buffer.h"
/* import */
extern ServerOptions options;
+extern Buffer loginmsg;
/*
* convert ssh auth msg type into description
@@ -251,8 +253,23 @@ do_authloop(Authctxt *authctxt)
#ifdef USE_PAM
if (options.use_pam && authenticated &&
- !PRIVSEP(do_pam_account()))
- authenticated = 0;
+ !PRIVSEP(do_pam_account())) {
+ char *msg;
+ size_t len;
+
+ error("Access denied for user %s by PAM account "
+ "configuration", authctxt->user);
+ len = buffer_len(&loginmsg);
+ buffer_append(&loginmsg, "\0", 1);
+ msg = buffer_ptr(&loginmsg);
+ /* strip trailing newlines */
+ if (len > 0)
+ while (len > 0 && msg[--len] == '\n')
+ msg[len] = '\0';
+ else
+ msg = "Access denied.";
+ packet_disconnect(msg);
+ }
#endif
/* Log before sending the reply */
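Review bot: `packet_disconnect(msg)` on the last added line passes the PAM-supplied text in the format-string position; if packet_disconnect() is printf-style like the `error()` call a few lines above and the `fatal()` call in the auth2.c hunk (its prototype is not in this diff), any `%` sequence a PAM module puts in its message would be interpreted as a conversion instead of being sent verbatim, so it should be `packet_disconnect("%s", msg);`. A smaller gap in the same block: the newline-stripping loop can reduce a message consisting only of newlines to an empty string, which then escapes the `"Access denied."` fallback because `len > 0` was true; adding `if (*msg == '\0') msg = "Access denied.";` after the if/else covers both the empty-buffer and all-newlines cases. do_authloop starts and ends outside this hunk.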
diff --git a/auth2.c b/auth2.c
index 57e6db46..60e261f7 100644
--- a/auth2.c
+++ b/auth2.c
@@ -220,13 +220,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
#ifdef USE_PAM
if (options.use_pam && authenticated) {
if (!PRIVSEP(do_pam_account())) {
- authenticated = 0;
/* if PAM returned a message, send it to the user */
if (buffer_len(&loginmsg) > 0) {
buffer_append(&loginmsg, "\0", 1);
userauth_send_banner(buffer_ptr(&loginmsg));
- buffer_clear(&loginmsg);
+ packet_write_wait();
}
+ fatal("Access denied for user %s by PAM account "
+ "configuration", authctxt->user);
}
}
#endif
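Review bot: A Protocol-2 client denied by the PAM account stack with nothing in `loginmsg` receives no explanation at all — the banner block is skipped and `fatal()` just closes the connection — whereas the auth1.c hunk in this same commit sends `"Access denied."` in that case; an `else { userauth_send_banner("Access denied."); packet_write_wait(); }` on the `if (buffer_len(&loginmsg) > 0)` would make the two protocols behave alike. Note too that the raw buffer is sent here with any trailing newlines intact, while the Protocol-1 path strips them; whether that matters depends on how clients render the banner. Dropping `authenticated = 0;` is sound only because `fatal()` never returns, and the `packet_write_wait()` is what gets the banner onto the wire before the socket is closed; a comment such as `/* flush the banner, then fatal() ends the connection; nothing below runs on denial */` above the `fatal()` call would record both facts for the remainder of userauth_finish, which continues past the end of this hunk.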