- (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from

   the list of available kbdint devices if UsePAM=no.  ok djm@

4 files changed, 36 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index ec830bbb7..8af4ea5f7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,8 @@
  - (dtucker) [loginrec.h] Bug #952: Increase size of username field to 128
    bytes to prevent errors from login_init_entry() when the username is
    exactly 64 bytes(!) long.  From brhamon at cisco.com, ok djm@
+ - (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from
+   the list of available kbdint devices if UsePAM=no.  ok djm@
 
 20050118
  - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
@@ -2013,4 +2015,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3619 2005/01/20 11:07:29 dtucker Exp $
+$Id: ChangeLog,v 1.3620 2005/01/20 11:20:50 dtucker Exp $
diff --git a/auth-chall.c b/auth-chall.c
index a9d314dd2..e4f783096 100644
--- a/auth-chall.c
+++ b/auth-chall.c
@@ -28,11 +28,13 @@ RCSID("$OpenBSD: auth-chall.c,v 1.9 2003/11/03 09:03:37 djm Exp $");
 #include "auth.h"
 #include "log.h"
 #include "xmalloc.h"
+#include "servconf.h"
 
 /* limited protocol v1 interface to kbd-interactive authentication */
 
 extern KbdintDevice *devices[];
 static KbdintDevice *device;
+extern ServerOptions options;
 
 char *
 get_challenge(Authctxt *authctxt)
@@ -41,6 +43,11 @@ get_challenge(Authctxt *authctxt)
         u_int i, numprompts;
         u_int *echo_on;
 
+#ifdef USE_PAM
+        if (!options.use_pam)
+                remove_kbdint_device("pam");
+#endif
+
         device = devices[0]; /* we always use the 1st device for protocol 1 */
         if (device == NULL)
                 return NULL;
diff --git a/auth.h b/auth.h
index 760337bea..6c0089dc7 100644
--- a/auth.h
+++ b/auth.h
@@ -130,6 +130,8 @@ int auth_shadow_pwexpired(Authctxt *);
 #endif
 
 #include "auth-pam.h"
+void remove_kbdint_device(const char *);
+
 void disable_forwarding(void);
 
 void    do_authentication(Authctxt *);
diff --git a/auth2-chall.c b/auth2-chall.c
index 29234439c..384a543ee 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -32,6 +32,10 @@ RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $");
 #include "xmalloc.h"
 #include "dispatch.h"
 #include "log.h"
+#include "servconf.h"
+
+/* import */
+extern ServerOptions options;
 
 static int auth2_challenge_start(Authctxt *);
 static int send_userauth_info_request(Authctxt *);
@@ -71,6 +75,21 @@ struct KbdintAuthctxt
         u_int nreq;
 };
 
+#ifdef USE_PAM
+void
+remove_kbdint_device(const char *devname)
+{
+        int i, j;
+
+        for (i = 0; devices[i] != NULL; i++)
+                if (strcmp(devices[i]->name, devname) == 0) {
+                        for (j = i; devices[j] != NULL; j++)
+                                devices[j] = devices[j+1];
+                        i--;
+                }
+}
+#endif
+
 static KbdintAuthctxt *
 kbdint_alloc(const char *devs)
 {
@@ -78,6 +97,11 @@ kbdint_alloc(const char *devs)
         Buffer b;
         int i;
 
+#ifdef USE_PAM
+        if (!options.use_pam)
+                remove_kbdint_device("pam");
+#endif
+
         kbdintctxt = xmalloc(sizeof(KbdintAuthctxt));
         if (strcmp(devs, "") == 0) {
                 buffer_init(&b);