- dtucker@cvs.openbsd.org 2005/01/19 13:11:47

     [auth-bsdauth.c auth2-chall.c]
     Have keyboard-interactive code call the drivers even for responses for
     invalid logins.  This allows the drivers themselves to decide how to
     handle them and prevent leaking information where possible.  Existing
     behaviour for bsdauth is maintained by checking authctxt->valid in the
     bsdauth driver.  Note that any third-party kbdint drivers will now need
     to be able to handle responses for invalid logins.  ok markus@

1 files changed, 4 insertions, 1 deletions

diff --git a/auth-bsdauth.c b/auth-bsdauth.c
index 2ac27a7a2..920c977d8 100644
--- a/auth-bsdauth.c
+++ b/auth-bsdauth.c
@@ -22,7 +22,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth-bsdauth.c,v 1.5 2002/06/30 21:59:45 deraadt Exp $");
+RCSID("$OpenBSD: auth-bsdauth.c,v 1.6 2005/01/19 13:11:47 dtucker Exp $");
 
 #ifdef BSD_AUTH
 #include "xmalloc.h"
@@ -83,6 +83,9 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
         Authctxt *authctxt = ctx;
         int authok;
 
+        if (!authctxt->valid)
+                return -1;
+
         if (authctxt->as == 0)
                 error("bsdauth_respond: no bsd auth session");