- (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and

do not allow kbdint again after the PAM account check fails. ok djm@
author: Darren Tucker <dtucker@zip.com.au> 2006-05-15 17:22:33 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2006-05-15 17:22:33 +1000
commit: 2c77b7f1c14795012db49b46d70fa423bdc09a80 (patch)
tree: eb0cdf629cd6ea587f4095ed3a2dec66b3da42c2
parent: cefd8bb36d307a671fbbe5358d94c97910edf7c6 (diff)
2 files changed, 19 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index a26f06323..0a7212f59 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,8 @@
   georg.schwarz at freenet.de, ok djm@.
 - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
   default.  Patch originally from tim@, ok djm
+ - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
+   do not allow kbdint again after the PAM account check fails.  ok djm@
 20050506
 - (dtucker) OpenBSD CVS Syn
@@ -4619,4 +4621,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4326 2006/05/15 07:17:29 dtucker Exp $
+$Id: ChangeLog,v 1.4327 2006/05/15 07:22:33 dtucker Exp $
diff --git a/auth-pam.c b/auth-pam.c
index 5ddc8bec3..16e7c21e3 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -445,8 +445,10 @@ sshpam_thread(void *ctxtp)
                goto auth_fail;
        if (compat20) {
-                if (!do_pam_account())
+                if (!do_pam_account()) {
+                        sshpam_err = PAM_ACCT_EXPIRED;
                        goto auth_fail;
+                }
                if (sshpam_authctxt->force_pwchange) {
                        sshpam_err = pam_chauthtok(sshpam_handle,
                            PAM_CHANGE_EXPIRED_AUTHTOK);
@@ -488,7 +490,10 @@ sshpam_thread(void *ctxtp)
        buffer_put_cstring(&buffer,
            pam_strerror(sshpam_handle, sshpam_err));
        /* XXX - can't do much about an error here */
-        ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+        if (sshpam_err == PAM_ACCT_EXPIRED)
+                ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
+        else
+                ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
        buffer_free(&buffer);
        pthread_exit(NULL);
@@ -643,8 +648,11 @@ sshpam_init_ctx(Authctxt *authctxt)
        int socks[2];
        debug3("PAM: %s entering", __func__);
-        /* Refuse to start if we don't have PAM enabled */
+        /*
-        if (!options.use_pam)
+         * Refuse to start if we don't have PAM enabled or do_pam_account
+         * has previously failed.
+         */
+        if (!options.use_pam || sshpam_account_status == 0)
                return NULL;
        /* Initialize PAM */
@@ -721,8 +729,11 @@ sshpam_query(void *ctx, char **name, char **info,
                        plen++;
                        xfree(msg);
                        break;
+                case PAM_ACCT_EXPIRED:
+                        sshpam_account_status = 0;
+                        /* FALLTHROUGH */
                case PAM_AUTH_ERR:
-                        debug3("PAM: PAM_AUTH_ERR");
+                        debug3("PAM: %s", pam_strerror(sshpam_handle, type));
                        if (**prompts != NULL && strlen(**prompts) != 0) {
                                *info = **prompts;
                                **prompts = NULL;
author	Darren Tucker <dtucker@zip.com.au>	2006-05-15 17:22:33 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2006-05-15 17:22:33 +1000
commit	2c77b7f1c14795012db49b46d70fa423bdc09a80 (patch)
tree	eb0cdf629cd6ea587f4095ed3a2dec66b3da42c2
parent	cefd8bb36d307a671fbbe5358d94c97910edf7c6 (diff)