author | Darren Tucker <dtucker@zip.com.au> | 2004-09-11 22:17:26 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2004-09-11 22:17:26 +1000 |
commit | 69687f4b65373e09269db8c18f18b4ac7225a382 (patch) | |
tree | bdc1ab58486951379f020d2e4a147c5a41997b01 | |
parent | 928a19ad9e82d2098c9309553e7f6c97d7665322 (diff) |
- (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
failing PAM session modules to user then exit, similar to the way
/etc/nologin is handled. ok djm@
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | auth-pam.c | 19 | ||||
-rw-r--r-- | auth-pam.h | 3 | ||||
-rw-r--r-- | session.c | 7 |
4 files changed, 28 insertions, 6 deletions
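--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 20040911
 - (djm) [ssh-agent.c] unifdef some cygwin code; ok dtucker@
+- (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
+failing PAM session modules to user then exit, similar to the way
+/etc/nologin is handled. ok djm@
 
 20040830
 - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only
@@ -1719,4 +1722,4 @@
 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3540 2004/09/11 05:18:05 djm Exp $
+$Id: ChangeLog,v 1.3541 2004/09/11 12:17:26 dtucker Exp $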
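--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.115 2004/09/11 12:17:26 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -949,10 +949,21 @@ do_pam_session(void)
 fatal("PAM: failed to set PAM_CONV: %s",
 pam_strerror(sshpam_handle, sshpam_err));
 sshpam_err = pam_open_session(sshpam_handle, 0);
-if (sshpam_err != PAM_SUCCESS)
-fatal("PAM: pam_open_session(): %s",
+if (sshpam_err == PAM_SUCCESS)
+sshpam_session_open = 1;
+else {
+sshpam_session_open = 0;
+disable_forwarding();
+error("PAM: pam_open_session(): %s",
 pam_strerror(sshpam_handle, sshpam_err));
-sshpam_session_open = 1;
+}
+
+}
+
+int
+is_pam_session_open(void)
+{
+return sshpam_session_open;
 }
 
 /*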
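Review bot: With `fatal()` replaced by `error()` in the else-branch of do_pam_session(), a failed pam_open_session() no longer stops the connection here; refusal now depends on callers consulting is_pam_session_open(), and that contract is not written down anywhere in the hunk. The only consumer visible in this commit is the check in do_child(), so a session path that does not reach it would presumably carry on with only forwarding disabled, which is worth confirming against the callers. I would document the new function with `/* Returns 1 if pam_open_session() succeeded; callers that start a user session must refuse to proceed when this is 0 */` and add a short comment in the else-branch saying the failure is deliberately non-fatal so the module's messages can still reach the user. do_pam_session() begins outside the hunk.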
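--- a/auth-pam.h
+++ b/auth-pam.h
@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.26 2004/05/30 10:43:59 dtucker Exp $ */
+/* $Id: auth-pam.h,v 1.27 2004/09/11 12:17:26 dtucker Exp $ */
 
 /*
 * Copyright (c) 2000 Damien Miller. All rights reserved.
@@ -45,5 +45,6 @@ void free_pam_environment(char **);
 void sshpam_thread_cleanup(void);
 void sshpam_cleanup(void);
 int sshpam_auth_passwd(Authctxt *, const char *);
+int is_pam_session_open(void);
 
 #endif /* USE_PAM */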
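--- a/session.c
+++ b/session.c
@@ -1439,6 +1439,13 @@ do_child(Session *s, const char *command)
 #endif /* HAVE_OSF_SIA */
 }
 
+#ifdef USE_PAM
+if (options.use_pam && !is_pam_session_open()) {
+display_loginmsg();
+exit(254);
+}
+#endif
+
 /*
 * Get the shell from the password data. An empty shell field is
 * legal, and means /bin/sh.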
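Review bot: The new `#ifdef USE_PAM` block in do_child() is where a failed PAM session is actually refused, but it has no comment and exits with a bare `254`. A comment such as `/* PAM session modules failed: show their messages and refuse the login, as for /etc/nologin */` would state the intent, and the exit status deserves a named constant or a note on its meaning. The child also exits without logging; a line before the exit, e.g. `error("PAM session not open, refusing login");`, would let operators tie the refused session to the earlier pam_open_session() failure. The check is only sound if do_pam_session() has always run before do_child() so that the flag is set, which this hunk does not show; do_child() starts and ends outside it.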