author | Darren Tucker <dtucker@zip.com.au> | 2005-01-20 13:29:51 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2005-01-20 13:29:51 +1100 |
commit | d5bfa8f9d84b1abada09333994c8c889551a61fb (patch) | |
tree | a1a22dd1776919c44fb4e06e4fdd7792d283bec2 /auth-pam.c | |
parent | d231186fd0acb8fee480faf61c4e9e4cc6186faf (diff) |
Oops, did not intend to commit this yet
Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 26 |
1 files changed, 10 insertions, 16 deletions
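--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.121 2005/01/20 02:29:51 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -245,17 +245,6 @@ sshpam_password_change_required(int reqd)
 }
 }
 
-/* Check ssh internal flags in addition to PAM */
-
-static int
-sshpam_login_allowed(Authctxt *ctxt)
-{
-if (ctxt->valid && (ctxt->pw->pw_uid != 0 ||
-options.permit_root_login == PERMIT_YES))
-return 1;
-return 0;
-}
-
 /* Import regular and PAM environment from subprocess */
 static void
 import_environments(Buffer *b)
@@ -713,7 +702,9 @@ sshpam_query(void *ctx, char **name, char **info,
 **prompts = NULL;
 }
 if (type == PAM_SUCCESS) {
-if (!sshpam_login_allowed(sshpam_authctxt))
+if (!sshpam_authctxt->valid ||
+(sshpam_authctxt->pw->pw_uid == 0 &&
+options.permit_root_login != PERMIT_YES))
 fatal("Internal error: PAM auth "
 "succeeded when it should have "
 "failed");
@@ -762,7 +753,9 @@ sshpam_respond(void *ctx, u_int num, char **resp)
 return (-1);
 }
 buffer_init(&buffer);
-if (sshpam_login_allowed(sshpam_authctxt))
+if (sshpam_authctxt->valid &&
+(sshpam_authctxt->pw->pw_uid != 0 ||
+options.permit_root_login == PERMIT_YES))
 buffer_put_cstring(&buffer, *resp);
 else
 buffer_put_cstring(&buffer, badpw);
@@ -1125,7 +1118,8 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 * by PermitRootLogin, use an invalid password to prevent leaking
 * information via timing (eg if the PAM config has a delay on fail).
 */
-if (!sshpam_login_allowed(authctxt))
+if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
+options.permit_root_login != PERMIT_YES))
 sshpam_password = badpw;
 
 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
@@ -1136,7 +1130,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 
 sshpam_err = pam_authenticate(sshpam_handle, flags);
 sshpam_password = NULL;
-if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) {
+if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
 debug("PAM: password authentication accepted for %.100s",
 authctxt->user);
 return 1;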
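Review bot: The success test at new line 1133 in sshpam_auth_passwd checks only `authctxt->valid`, while the guard at new lines 1121-1122 also covers root when PermitRootLogin is not yes. For that root case, acceptance now depends entirely on the PAM stack rejecting the substituted `badpw`; a stack that returns PAM_SUCCESS without checking the password would be accepted here, whereas sshpam_query treats the same outcome as fatal. Consider `if (sshpam_err == PAM_SUCCESS && authctxt->valid && (authctxt->pw->pw_uid != 0 || options.permit_root_login == PERMIT_YES)) {`, unless a caller outside this diff is known to enforce PermitRootLogin. The same predicate is also written out three more times in positive and negated form, so a short comment at each site naming the others would help keep them in step; the enclosing functions start and end outside the hunks.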