- (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is

   subsequently denied by the PAM auth stack, send the PAM message to the
   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
   ok djm@

3 files changed, 27 insertions, 5 deletions

diff --git a/ChangeLog b/ChangeLog
index 35a7d07ae..fd92678f3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,10 @@
      - add -O
      - sync -S w/ manpage
      - remove -h
+ - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
+   subsequently denied by the PAM auth stack, send the PAM message to the
+   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
+   ok djm@
 
 20041107
  - (dtucker) OpenBSD CVS Sync
@@ -1866,4 +1870,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3583 2004/12/03 03:10:19 dtucker Exp $
+$Id: ChangeLog,v 1.3584 2004/12/03 03:33:47 dtucker Exp $
diff --git a/auth1.c b/auth1.c
index 3f93b9869..2a9d18b9a 100644
--- a/auth1.c
+++ b/auth1.c
@@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
 #include "session.h"
 #include "uidswap.h"
 #include "monitor_wrap.h"
+#include "buffer.h"
 
 /* import */
 extern ServerOptions options;
+extern Buffer loginmsg;
 
 /*
  * convert ssh auth msg type into description
@@ -251,8 +253,23 @@ do_authloop(Authctxt *authctxt)
 
 #ifdef USE_PAM
                 if (options.use_pam && authenticated &&
-                    !PRIVSEP(do_pam_account()))
-                        authenticated = 0;
+                    !PRIVSEP(do_pam_account())) {
+                        char *msg;
+                        size_t len;
+
+                        error("Access denied for user %s by PAM account "
+                           "configuration", authctxt->user);
+                        len = buffer_len(&loginmsg);
+                        buffer_append(&loginmsg, "\0", 1);
+                        msg = buffer_ptr(&loginmsg);
+                        /* strip trailing newlines */
+                        if (len > 0)
+                                while (len > 0 && msg[--len] == '\n')
+                                        msg[len] = '\0';
+                        else
+                                msg = "Access denied.";
+                        packet_disconnect(msg);
+                }
 #endif
 
                 /* Log before sending the reply */
diff --git a/auth2.c b/auth2.c
index 57e6db46b..60e261f7f 100644
--- a/auth2.c
+++ b/auth2.c
@@ -220,13 +220,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #ifdef USE_PAM
         if (options.use_pam && authenticated) {
                 if (!PRIVSEP(do_pam_account())) {
-                        authenticated = 0;
                         /* if PAM returned a message, send it to the user */
                         if (buffer_len(&loginmsg) > 0) {
                                 buffer_append(&loginmsg, "\0", 1);
                                 userauth_send_banner(buffer_ptr(&loginmsg));
-                                buffer_clear(&loginmsg);
+                                packet_write_wait();
                         }
+                        fatal("Access denied for user %s by PAM account "
+                           "configuration", authctxt->user);
                 }
         }
 #endif