author | Damien Miller <djm@mindrot.org> | 2016-08-31 10:48:07 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-08-31 10:48:07 +1000 |
commit | 775f8a23f2353f5869003c57a213d14b28e0736e (patch) | |
tree | 54c8dd0975748889d701578dad18e2605e75fca0 | |
parent | 7fd0ea8a1db4bcfb3d8cd9df149e5d571ebea1f4 (diff) |
tighten PAM monitor calls
only allow kbd-interactive ones when that authentication method is
enabled. Prompted by Solar Designer
-rw-r--r-- | monitor.c | 10 |
1 files changed, 7 insertions, 3 deletions
@@ -996,7 +996,8 @@ mm_answer_pam_start(int sock, Buffer *m)
 	start_pam(authctxt);
 	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
-	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1);
+	if (options.kbd_interactive_authentication)
+		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1);
 	return (0);
 }
@@ -1007,7 +1008,7 @@ mm_answer_pam_account(int sock, Buffer *m)
 	u_int ret;
 	if (!options.use_pam)
-		fatal("UsePAM not set, but ended up in %s anyway", __func__);
+		fatal("%s: PAM not enabled", __func__);
 	ret = do_pam_account();
@@ -1026,6 +1027,8 @@ int
 mm_answer_pam_init_ctx(int sock, Buffer *m)
 {
 	debug3("%s", __func__);
+	if (!options.kbd_interactive_authentication)
+		fatal("%s: kbd-int authentication not enabled", __func__);
 	if (sshpam_ctxt != NULL)
 		fatal("%s: already called", __func__);
 	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
@@ -1053,7 +1056,8 @@ mm_answer_pam_query(int sock, Buffer *m)
 	sshpam_authok = NULL;
 	if (sshpam_ctxt == NULL)
 		fatal("%s: no context", __func__);
-	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
+	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info,
+	    &num, &prompts, &echo_on);
 	if (ret == 0 && num == 0)
 		sshpam_authok = sshpam_ctxt;
 	if (num > 1 || name == NULL || info == NULL)
|
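Review bot: In the third hunk, mm_answer_pam_init_ctx now refuses the request unless kbd-interactive authentication is enabled, but unlike mm_answer_pam_account it never checks options.use_pam, and the visible lines from its signature down to the sshpam_device.init_ctx call contain no such guard. Since these checks are defense-in-depth assertions on requests arriving from the unprivileged child, mirroring the account handler with `if (!options.use_pam) fatal("%s: PAM not enabled", __func__);` ahead of the new kbd-int check keeps the two handlers consistent and makes the precondition explicit. A one-line comment above the new check, `/* permitted by mm_answer_pam_start only when kbd-int is on; re-check here */`, would record why the request is gated in both places. The body of mm_answer_pam_init_ctx continues past the hunk, so a later use_pam check there cannot be ruled out from this view.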