diff options
| author | dtucker <dtucker> | 2004-12-03 03:33:47 +0000 |
|---|---|---|
| committer | dtucker <dtucker> | 2004-12-03 03:33:47 +0000 |
| commit | e104929139bdc54c8753ea02174f8a814cc601b2 (patch) | |
| tree | 299f21a4980abc01419116d4f7026a9ad2307fc0 /auth1.c | |
| parent | 34a7f4667aa7602b3fdc45cd6de55d8a34240bf2 (diff) | |
| download | openssh-e104929139bdc54c8753ea02174f8a814cc601b2.tar.gz | |
- (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
subsequently denied by the PAM auth stack, send the PAM message to the
user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
ok djm@
Diffstat (limited to 'auth1.c')
| -rw-r--r-- | auth1.c | 21 |
1 files changed, 19 insertions, 2 deletions
@@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $"); #include "session.h" #include "uidswap.h" #include "monitor_wrap.h" +#include "buffer.h" /* import */ extern ServerOptions options; +extern Buffer loginmsg; /* * convert ssh auth msg type into description @@ -251,8 +253,23 @@ do_authloop(Authctxt *authctxt) #ifdef USE_PAM if (options.use_pam && authenticated && - !PRIVSEP(do_pam_account())) - authenticated = 0; + !PRIVSEP(do_pam_account())) { + char *msg; + size_t len; + + error("Access denied for user %s by PAM account " + "configuration", authctxt->user); + len = buffer_len(&loginmsg); + buffer_append(&loginmsg, "\0", 1); + msg = buffer_ptr(&loginmsg); + /* strip trailing newlines */ + if (len > 0) + while (len > 0 && msg[--len] == '\n') + msg[len] = '\0'; + else + msg = "Access denied."; + packet_disconnect(msg); + } #endif /* Log before sending the reply */ |