Always send any PAM account messages.

If the PAM account stack reaturns any messages, send them to the user not just if the check succeeds. bz#2049, ok djm@
author: Darren Tucker <dtucker@dtucker.net> 2020-08-07 17:12:16 +1000
committer: Darren Tucker <dtucker@dtucker.net> 2020-08-07 17:14:56 +1000
commit: ed6bef77f5bb5b8f9ca2914478949e29f2f0a780 (patch)
tree: 045eaa656999dd458d14a88965b295766c3ea634 /auth2.c
parent: a09e98dcae1e26f026029b7142b0e0d10130056f (diff)
1 files changed, 13 insertions, 13 deletions
diff --git a/auth2.c b/auth2.c
index 91aaf34a6..242a7adbe 100644
--- a/auth2.c
+++ b/auth2.c
@@ -390,20 +390,20 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
 #ifdef USE_PAM
        if (options.use_pam && authenticated) {
-                int r;
+                int r, success = PRIVSEP(do_pam_account());
-                if (!PRIVSEP(do_pam_account())) {
+                /* If PAM returned a message, send it to the user. */
-                        /* if PAM returned a message, send it to the user */
+                if (sshbuf_len(loginmsg) > 0) {
-                        if (sshbuf_len(loginmsg) > 0) {
+                        if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0)
-                                if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0)
+                                fatal("%s: buffer error: %s",
-                                        fatal("%s: buffer error: %s",
+                                    __func__, ssh_err(r));
-                                            __func__, ssh_err(r));
+                        userauth_send_banner(ssh, sshbuf_ptr(loginmsg));
-                                userauth_send_banner(ssh, sshbuf_ptr(loginmsg));
+                        if ((r = ssh_packet_write_wait(ssh)) != 0) {
-                                if ((r = ssh_packet_write_wait(ssh)) != 0) {
+                                sshpkt_fatal(ssh, r,
-                                        sshpkt_fatal(ssh, r,
+                                    "%s: send PAM banner", __func__);
-                                            "%s: send PAM banner", __func__);
-                                }
                        }
+                }
+                if (!success) {
                        fatal("Access denied for user %s by PAM account "
                            "configuration", authctxt->user);
                }
author	Darren Tucker <dtucker@dtucker.net>	2020-08-07 17:12:16 +1000
committer	Darren Tucker <dtucker@dtucker.net>	2020-08-07 17:14:56 +1000
commit	ed6bef77f5bb5b8f9ca2914478949e29f2f0a780 (patch)
tree	045eaa656999dd458d14a88965b295766c3ea634 /auth2.c
parent	a09e98dcae1e26f026029b7142b0e0d10130056f (diff)

diff --git a/auth2.c b/auth2.c index 91aaf34a6..242a7adbe 100644 --- a/auth2.c +++ b/auth2.c
@@ -390,20 +390,20 @@ userauth_finish(struct ssh ssh, int authenticated, const char method,
390		390
391	#ifdef USE_PAM	391	#ifdef USE_PAM
392	if (options.use_pam && authenticated) {	392	if (options.use_pam && authenticated) {
393	int r;	393	int r, success = PRIVSEP(do_pam_account());
394		394
395	if (!PRIVSEP(do_pam_account())) {	395	/* If PAM returned a message, send it to the user. */
396	/* if PAM returned a message, send it to the user */	396	if (sshbuf_len(loginmsg) > 0) {
397	if (sshbuf_len(loginmsg) > 0) {	397	if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0)
398	if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0)	398	fatal("%s: buffer error: %s",
399	fatal("%s: buffer error: %s",	399	__func__, ssh_err(r));
400	__func__, ssh_err(r));	400	userauth_send_banner(ssh, sshbuf_ptr(loginmsg));
401	userauth_send_banner(ssh, sshbuf_ptr(loginmsg));	401	if ((r = ssh_packet_write_wait(ssh)) != 0) {
402	if ((r = ssh_packet_write_wait(ssh)) != 0) {	402	sshpkt_fatal(ssh, r,
403	sshpkt_fatal(ssh, r,	403	"%s: send PAM banner", __func__);
404	"%s: send PAM banner", __func__);
405	}
406	}	404	}
		405	}
		406	if (!success) {
407	fatal("Access denied for user %s by PAM account "	407	fatal("Access denied for user %s by PAM account "
408	"configuration", authctxt->user);	408	"configuration", authctxt->user);
409	}	409	}