author | Darren Tucker <dtucker@zip.com.au> | 2006-05-15 17:22:33 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2006-05-15 17:22:33 +1000 |
commit | 2c77b7f1c14795012db49b46d70fa423bdc09a80 (patch) | |
tree | eb0cdf629cd6ea587f4095ed3a2dec66b3da42c2 /auth-pam.c | |
parent | cefd8bb36d307a671fbbe5358d94c97910edf7c6 (diff) |
- (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
do not allow kbdint again after the PAM account check fails. ok djm@
Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 21 |
1 files changed, 16 insertions, 5 deletions
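--- a/auth-pam.c
+++ b/auth-pam.c
@@ -445,8 +445,10 @@ sshpam_thread(void *ctxtp)
 goto auth_fail;
 
 if (compat20) {
-if (!do_pam_account())
+if (!do_pam_account()) {
+sshpam_err = PAM_ACCT_EXPIRED;
 goto auth_fail;
+}
 if (sshpam_authctxt->force_pwchange) {
 sshpam_err = pam_chauthtok(sshpam_handle,
 PAM_CHANGE_EXPIRED_AUTHTOK);
@@ -488,7 +490,10 @@ sshpam_thread(void *ctxtp)
 buffer_put_cstring(&buffer,
 pam_strerror(sshpam_handle, sshpam_err));
 /* XXX - can't do much about an error here */
-ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+if (sshpam_err == PAM_ACCT_EXPIRED)
+ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
+else
+ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
 buffer_free(&buffer);
 pthread_exit(NULL);
 
@@ -643,8 +648,11 @@ sshpam_init_ctx(Authctxt *authctxt)
 int socks[2];
 
 debug3("PAM: %s entering", __func__);
-/* Refuse to start if we don't have PAM enabled */
-if (!options.use_pam)
+/*
+* Refuse to start if we don't have PAM enabled or do_pam_account
+* has previously failed.
+*/
+if (!options.use_pam || sshpam_account_status == 0)
 return NULL;
 
 /* Initialize PAM */
@@ -721,8 +729,11 @@ sshpam_query(void *ctx, char **name, char **info,
 plen++;
 xfree(msg);
 break;
+case PAM_ACCT_EXPIRED:
+sshpam_account_status = 0;
+/* FALLTHROUGH */
 case PAM_AUTH_ERR:
-debug3("PAM: PAM_AUTH_ERR");
+debug3("PAM: %s", pam_strerror(sshpam_handle, type));
 if (**prompts != NULL && strlen(**prompts) != 0) {
 *info = **prompts;
 **prompts = NULL;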
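Review bot: In the first sshpam_thread hunk every do_pam_account() failure is recorded as `sshpam_err = PAM_ACCT_EXPIRED`, so the pam_strerror() text that the auth_fail path (second hunk) puts in the buffer will describe an expired account even if the account stack refused the login for some other reason. do_pam_account() is defined outside these hunks, so its real failure codes are not visible here, and this is inferred from the assignment alone. The value seems to act as an "account check failed, do not offer kbdint again" marker rather than a real PAM result, so I would say so at the assignment, e.g. `/* marker only: do_pam_account() reports pass/fail, the underlying PAM code is not available here */`. The `sshpam_account_status == 0` test in sshpam_init_ctx likewise relies on the variable starting out non-zero; its declaration is outside the hunk and deserves a short comment naming the sentinel values. All three functions start and end outside the hunks shown.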