diff options
author | Darren Tucker <dtucker@zip.com.au> | 2004-12-03 14:33:47 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2004-12-03 14:33:47 +1100 |
commit | c13866719fc39d5feebfb80ca251a7b31583d803 (patch) | |
tree | 4c74232e227c89bf87b83eafcf2165a9aeaf7374 | |
parent | 9c6bf325c0cf03fc40e87e51d165189dce07c594 (diff) |
- (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
subsequently denied by the PAM auth stack, send the PAM message to the
user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
ok djm@
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | auth1.c | 21 | ||||
-rw-r--r-- | auth2.c | 5 |
3 files changed, 27 insertions, 5 deletions
@@ -9,6 +9,10 @@ - add -O - sync -S w/ manpage - remove -h + - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is + subsequently denied by the PAM auth stack, send the PAM message to the + user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2). + ok djm@ 20041107 - (dtucker) OpenBSD CVS Sync @@ -1866,4 +1870,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3583 2004/12/03 03:10:19 dtucker Exp $ +$Id: ChangeLog,v 1.3584 2004/12/03 03:33:47 dtucker Exp $ @@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $"); #include "session.h" #include "uidswap.h" #include "monitor_wrap.h" +#include "buffer.h" /* import */ extern ServerOptions options; +extern Buffer loginmsg; /* * convert ssh auth msg type into description @@ -251,8 +253,23 @@ do_authloop(Authctxt *authctxt) #ifdef USE_PAM if (options.use_pam && authenticated && - !PRIVSEP(do_pam_account())) - authenticated = 0; + !PRIVSEP(do_pam_account())) { + char *msg; + size_t len; + + error("Access denied for user %s by PAM account " + "configuration", authctxt->user); + len = buffer_len(&loginmsg); + buffer_append(&loginmsg, "\0", 1); + msg = buffer_ptr(&loginmsg); + /* strip trailing newlines */ + if (len > 0) + while (len > 0 && msg[--len] == '\n') + msg[len] = '\0'; + else + msg = "Access denied."; + packet_disconnect(msg); + } #endif /* Log before sending the reply */ @@ -220,13 +220,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) #ifdef USE_PAM if (options.use_pam && authenticated) { if (!PRIVSEP(do_pam_account())) { - authenticated = 0; /* if PAM returned a message, send it to the user */ if (buffer_len(&loginmsg) > 0) { buffer_append(&loginmsg, "\0", 1); userauth_send_banner(buffer_ptr(&loginmsg)); - buffer_clear(&loginmsg); + packet_write_wait(); } + fatal("Access denied for user %s by PAM account " + "configuration", authctxt->user); } } #endif |