tighten PAM monitor calls

only allow kbd-interactive ones when that authentication method is
enabled. Prompted by Solar Designer

1 files changed, 7 insertions, 3 deletions

diff --git a/monitor.c b/monitor.c
index 2dfe0c41..fc006eb8 100644
--- a/monitor.c
+++ b/monitor.c
@@ -996,7 +996,8 @@ mm_answer_pam_start(int sock, Buffer *m)
 	start_pam(authctxt);
 
 	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
-	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1);
+	if (options.kbd_interactive_authentication)
+		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1);
 
 	return (0);
 }
@@ -1007,7 +1008,7 @@ mm_answer_pam_account(int sock, Buffer *m)
 	u_int ret;
 
 	if (!options.use_pam)
-		fatal("UsePAM not set, but ended up in %s anyway", __func__);
+		fatal("%s: PAM not enabled", __func__);
 
 	ret = do_pam_account();
 
@@ -1026,6 +1027,8 @@ int
 mm_answer_pam_init_ctx(int sock, Buffer *m)
 {
 	debug3("%s", __func__);
+	if (!options.kbd_interactive_authentication)
+		fatal("%s: kbd-int authentication not enabled", __func__);
 	if (sshpam_ctxt != NULL)
 		fatal("%s: already called", __func__);
 	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
@@ -1053,7 +1056,8 @@ mm_answer_pam_query(int sock, Buffer *m)
 	sshpam_authok = NULL;
 	if (sshpam_ctxt == NULL)
 		fatal("%s: no context", __func__);
-	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
+	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info,
+	    &num, &prompts, &echo_on);
 	if (ret == 0 && num == 0)
 		sshpam_authok = sshpam_ctxt;
 	if (num > 1 || name == NULL || info == NULL)