- (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from

failing PAM session modules to user then exit, similar to the way /etc/nologin is handled. ok djm@
author: Darren Tucker <dtucker@zip.com.au> 2004-09-11 22:17:26 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2004-09-11 22:17:26 +1000
commit: 69687f4b65373e09269db8c18f18b4ac7225a382 (patch)
tree: bdc1ab58486951379f020d2e4a147c5a41997b01
parent: 928a19ad9e82d2098c9309553e7f6c97d7665322 (diff)
4 files changed, 28 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index dffdd3713..2fed3fb38 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 20040911
 - (djm) [ssh-agent.c] unifdef some cygwin code; ok dtucker@
+ - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
+   failing PAM session modules to user then exit, similar to the way
+   /etc/nologin is handled.  ok djm@
 20040830
 - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only
@@ -1719,4 +1722,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3540 2004/09/11 05:18:05 djm Exp $
+$Id: ChangeLog,v 1.3541 2004/09/11 12:17:26 dtucker Exp $
diff --git a/auth-pam.c b/auth-pam.c
index b93241f48..27b9bab23 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.115 2004/09/11 12:17:26 dtucker Exp $");
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -949,10 +949,21 @@ do_pam_session(void)
                fatal("PAM: failed to set PAM_CONV: %s",
                    pam_strerror(sshpam_handle, sshpam_err));
        sshpam_err = pam_open_session(sshpam_handle, 0);
-        if (sshpam_err != PAM_SUCCESS)
+        if (sshpam_err == PAM_SUCCESS)
-                fatal("PAM: pam_open_session(): %s",
+                sshpam_session_open = 1;
+        else {
+                sshpam_session_open = 0;
+                disable_forwarding();
+                error("PAM: pam_open_session(): %s",
                    pam_strerror(sshpam_handle, sshpam_err));
-        sshpam_session_open = 1;
+        }
+}
+int
+is_pam_session_open(void)
+{
+        return sshpam_session_open;
 }
 /*
diff --git a/auth-pam.h b/auth-pam.h
index f479413d7..a1a2b52d8 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.26 2004/05/30 10:43:59 dtucker Exp $ */
+/* $Id: auth-pam.h,v 1.27 2004/09/11 12:17:26 dtucker Exp $ */
 /*
 * Copyright (c) 2000 Damien Miller.  All rights reserved.
@@ -45,5 +45,6 @@ void free_pam_environment(char **);
 void sshpam_thread_cleanup(void);
 void sshpam_cleanup(void);
 int sshpam_auth_passwd(Authctxt *, const char *);
+int is_pam_session_open(void);
 #endif /* USE_PAM */
diff --git a/session.c b/session.c
index 89e1ec892..7a70b82e6 100644
--- a/session.c
+++ b/session.c
@@ -1439,6 +1439,13 @@ do_child(Session *s, const char *command)
 #endif /* HAVE_OSF_SIA */
        }
+#ifdef USE_PAM
+        if (options.use_pam && !is_pam_session_open()) {
+                display_loginmsg();
+                exit(254);
+        }
+#endif
        /*
         * Get the shell from the password data.  An empty shell field is
         * legal, and means /bin/sh.
author	Darren Tucker <dtucker@zip.com.au>	2004-09-11 22:17:26 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2004-09-11 22:17:26 +1000
commit	69687f4b65373e09269db8c18f18b4ac7225a382 (patch)
tree	bdc1ab58486951379f020d2e4a147c5a41997b01
parent	928a19ad9e82d2098c9309553e7f6c97d7665322 (diff)