diff options
author | Darren Tucker <dtucker@zip.com.au> | 2016-07-18 09:33:25 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2016-07-18 09:33:25 +1000 |
commit | 01558b7b07af43da774d3a11a5c51fa9c310849d (patch) | |
tree | 97052332089b01018034206d1dcd683c4177f787 /monitor_wrap.c | |
parent | 65c6c6b567ab5ab12945a5ad8e0ab3a8c26119cc (diff) |
Handle PAM_MAXTRIES from modules.
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer
password and keyboard-interative authentication methods. Should prevent
"sshd ignoring max retries" warnings in the log. ok djm@
It probably won't trigger with keyboard-interactive in the default
configuration because the retry counter is stored in module-private
storage which goes away with the sshd PAM process (see bz#688). On the
other hand, those cases probably won't log a warning either.
Diffstat (limited to 'monitor_wrap.c')
-rw-r--r-- | monitor_wrap.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c index 55200490..99dc13b6 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -60,6 +60,7 @@ #include "packet.h" #include "mac.h" #include "log.h" +#include "auth-pam.h" #ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ #undef TARGET_OS_MAC #include "zlib.h" @@ -362,6 +363,9 @@ mm_auth_password(Authctxt *authctxt, char *password) mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m); authenticated = buffer_get_int(&m); +#ifdef USE_PAM + sshpam_set_maxtries_reached(buffer_get_int(&m)); +#endif buffer_free(&m); @@ -644,6 +648,7 @@ mm_sshpam_query(void *ctx, char **name, char **info, debug3("%s: pam_query returned %d", __func__, ret); *name = buffer_get_string(&m, NULL); *info = buffer_get_string(&m, NULL); + sshpam_set_maxtries_reached(buffer_get_int(&m)); *num = buffer_get_int(&m); if (*num > PAM_MAX_NUM_MSG) fatal("%s: recieved %u PAM messages, expected <= %u", |