- (djm) Don't accept PAM_PROMPT_ECHO_ON messages during initial auth

1 files changed, 15 insertions, 8 deletions

diff --git a/auth-pam.c b/auth-pam.c
index 57a558d8..f4cbd46e 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -29,7 +29,7 @@
 #include "xmalloc.h"
 #include "servconf.h"
 
-RCSID("$Id: auth-pam.c,v 1.14 2000/10/07 11:16:55 stevesk Exp $");
+RCSID("$Id: auth-pam.c,v 1.15 2000/10/14 00:16:12 djm Exp $");
 
 #define NEW_AUTHTOK_MSG \
 	"Warning: Your password has expired, please change it now"
@@ -83,11 +83,16 @@ static int pamconv(int num_msg, const struct pam_message **msg,
 	for (count = 0; count < num_msg; count++) {
 		switch ((*msg)[count].msg_style) {
 			case PAM_PROMPT_ECHO_ON:
-				fputs((*msg)[count].msg, stderr);
-				fgets(buf, sizeof(buf), stdin);
-				reply[count].resp = xstrdup(buf);
-				reply[count].resp_retcode = PAM_SUCCESS;
-				break;
+				if (pamstate == INITIAL_LOGIN) {
+					free(reply);
+					return PAM_CONV_ERR;
+				} else {
+					fputs((*msg)[count].msg, stderr);
+					fgets(buf, sizeof(buf), stdin);
+					reply[count].resp = xstrdup(buf);
+					reply[count].resp_retcode = PAM_SUCCESS;
+					break;
+				}
 			case PAM_PROMPT_ECHO_OFF:
 				if (pamstate == INITIAL_LOGIN) {
 					if (pampasswd == NULL) {
@@ -95,8 +100,10 @@ static int pamconv(int num_msg, const struct pam_message **msg,
 						return PAM_CONV_ERR;
 					}
 					reply[count].resp = xstrdup(pampasswd);
-				} else
-					reply[count].resp = xstrdup(read_passphrase((*msg)[count].msg, 1));
+				} else {
+					reply[count].resp = 
+						xstrdup(read_passphrase((*msg)[count].msg, 1));
+				}
 				reply[count].resp_retcode = PAM_SUCCESS;
 				break;
 			case PAM_ERROR_MSG: