diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2006-05-15 17:22:33 +1000 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2006-05-15 17:22:33 +1000 |
| commit | 2c77b7f1c14795012db49b46d70fa423bdc09a80 (patch) | |
| tree | eb0cdf629cd6ea587f4095ed3a2dec66b3da42c2 /auth-pam.c | |
| parent | cefd8bb36d307a671fbbe5358d94c97910edf7c6 (diff) | |
- (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
do not allow kbdint again after the PAM account check fails. ok djm@
Diffstat (limited to 'auth-pam.c')
| -rw-r--r-- | auth-pam.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/auth-pam.c b/auth-pam.c index 5ddc8bec3..16e7c21e3 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
| @@ -445,8 +445,10 @@ sshpam_thread(void *ctxtp) | |||
| 445 | goto auth_fail; | 445 | goto auth_fail; |
| 446 | 446 | ||
| 447 | if (compat20) { | 447 | if (compat20) { |
| 448 | if (!do_pam_account()) | 448 | if (!do_pam_account()) { |
| 449 | sshpam_err = PAM_ACCT_EXPIRED; | ||
| 449 | goto auth_fail; | 450 | goto auth_fail; |
| 451 | } | ||
| 450 | if (sshpam_authctxt->force_pwchange) { | 452 | if (sshpam_authctxt->force_pwchange) { |
| 451 | sshpam_err = pam_chauthtok(sshpam_handle, | 453 | sshpam_err = pam_chauthtok(sshpam_handle, |
| 452 | PAM_CHANGE_EXPIRED_AUTHTOK); | 454 | PAM_CHANGE_EXPIRED_AUTHTOK); |
| @@ -488,7 +490,10 @@ sshpam_thread(void *ctxtp) | |||
| 488 | buffer_put_cstring(&buffer, | 490 | buffer_put_cstring(&buffer, |
| 489 | pam_strerror(sshpam_handle, sshpam_err)); | 491 | pam_strerror(sshpam_handle, sshpam_err)); |
| 490 | /* XXX - can't do much about an error here */ | 492 | /* XXX - can't do much about an error here */ |
| 491 | ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); | 493 | if (sshpam_err == PAM_ACCT_EXPIRED) |
| 494 | ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer); | ||
| 495 | else | ||
| 496 | ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); | ||
| 492 | buffer_free(&buffer); | 497 | buffer_free(&buffer); |
| 493 | pthread_exit(NULL); | 498 | pthread_exit(NULL); |
| 494 | 499 | ||
| @@ -643,8 +648,11 @@ sshpam_init_ctx(Authctxt *authctxt) | |||
| 643 | int socks[2]; | 648 | int socks[2]; |
| 644 | 649 | ||
| 645 | debug3("PAM: %s entering", __func__); | 650 | debug3("PAM: %s entering", __func__); |
| 646 | /* Refuse to start if we don't have PAM enabled */ | 651 | /* |
| 647 | if (!options.use_pam) | 652 | * Refuse to start if we don't have PAM enabled or do_pam_account |
| 653 | * has previously failed. | ||
| 654 | */ | ||
| 655 | if (!options.use_pam || sshpam_account_status == 0) | ||
| 648 | return NULL; | 656 | return NULL; |
| 649 | 657 | ||
| 650 | /* Initialize PAM */ | 658 | /* Initialize PAM */ |
| @@ -721,8 +729,11 @@ sshpam_query(void *ctx, char **name, char **info, | |||
| 721 | plen++; | 729 | plen++; |
| 722 | xfree(msg); | 730 | xfree(msg); |
| 723 | break; | 731 | break; |
| 732 | case PAM_ACCT_EXPIRED: | ||
| 733 | sshpam_account_status = 0; | ||
| 734 | /* FALLTHROUGH */ | ||
| 724 | case PAM_AUTH_ERR: | 735 | case PAM_AUTH_ERR: |
| 725 | debug3("PAM: PAM_AUTH_ERR"); | 736 | debug3("PAM: %s", pam_strerror(sshpam_handle, type)); |
| 726 | if (**prompts != NULL && strlen(**prompts) != 0) { | 737 | if (**prompts != NULL && strlen(**prompts) != 0) { |
| 727 | *info = **prompts; | 738 | *info = **prompts; |
| 728 | **prompts = NULL; | 739 | **prompts = NULL; |