- (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is

   subsequently denied by the PAM auth stack, send the PAM message to the
   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
   ok djm@

1 files changed, 19 insertions, 2 deletions

diff --git a/auth1.c b/auth1.c
index 3f93b9869..2a9d18b9a 100644
--- a/auth1.c
+++ b/auth1.c
@@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
 #include "session.h"
 #include "uidswap.h"
 #include "monitor_wrap.h"
+#include "buffer.h"
 
 /* import */
 extern ServerOptions options;
+extern Buffer loginmsg;
 
 /*
  * convert ssh auth msg type into description
@@ -251,8 +253,23 @@ do_authloop(Authctxt *authctxt)
 
 #ifdef USE_PAM
                 if (options.use_pam && authenticated &&
-                    !PRIVSEP(do_pam_account()))
-                        authenticated = 0;
+                    !PRIVSEP(do_pam_account())) {
+                        char *msg;
+                        size_t len;
+
+                        error("Access denied for user %s by PAM account "
+                           "configuration", authctxt->user);
+                        len = buffer_len(&loginmsg);
+                        buffer_append(&loginmsg, "\0", 1);
+                        msg = buffer_ptr(&loginmsg);
+                        /* strip trailing newlines */
+                        if (len > 0)
+                                while (len > 0 && msg[--len] == '\n')
+                                        msg[len] = '\0';
+                        else
+                                msg = "Access denied.";
+                        packet_disconnect(msg);
+                }
 #endif
 
                 /* Log before sending the reply */