authorDamien Miller <djm@mindrot.org>2016-08-31 10:48:07 +1000
committerDamien Miller <djm@mindrot.org>2016-08-31 10:48:07 +1000
commit775f8a23f2353f5869003c57a213d14b28e0736e (patch)
tree54c8dd0975748889d701578dad18e2605e75fca0 /monitor.c
parent7fd0ea8a1db4bcfb3d8cd9df149e5d571ebea1f4 (diff)
tighten PAM monitor calls
only allow kbd-interactive ones when that authentication method is enabled. Prompted by Solar Designer
Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c10
1 files changed, 7 insertions, 3 deletions
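diff --git a/monitor.c b/monitor.c
index 2dfe0c41e..fc006eb8f 100644
--- a/monitor.c
+++ b/monitor.c
@@ -996,7 +996,8 @@ mm_answer_pam_start(int sock, Buffer *m)
 	start_pam(authctxt);
 
 	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
-	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1);
+	if (options.kbd_interactive_authentication)
+		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1);
 
 	return (0);
 }
@@ -1007,7 +1008,7 @@ mm_answer_pam_account(int sock, Buffer *m)
 	u_int ret;
 
 	if (!options.use_pam)
-		fatal("UsePAM not set, but ended up in %s anyway", __func__);
+		fatal("%s: PAM not enabled", __func__);
 
 	ret = do_pam_account();
 
@@ -1026,6 +1027,8 @@ int
 mm_answer_pam_init_ctx(int sock, Buffer *m)
 {
 	debug3("%s", __func__);
+	if (!options.kbd_interactive_authentication)
+		fatal("%s: kbd-int authentication not enabled", __func__);
 	if (sshpam_ctxt != NULL)
 		fatal("%s: already called", __func__);
 	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
@@ -1053,7 +1056,8 @@ mm_answer_pam_query(int sock, Buffer *m)
 	sshpam_authok = NULL;
 	if (sshpam_ctxt == NULL)
 		fatal("%s: no context", __func__);
-	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
+	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info,
+	    &num, &prompts, &echo_on);
 	if (ret == 0 && num == 0)
 		sshpam_authok = sshpam_ctxt;
 	if (num > 1 || name == NULL || info == NULL)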
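Review bot: mm_answer_pam_init_ctx (third hunk) gains the kbd-interactive gate but, unlike mm_answer_pam_account in the second hunk, its visible lines carry no `options.use_pam` check; for consistency between the PAM handlers I would add `if (!options.use_pam) fatal("%s: PAM not enabled", __func__);` ahead of the new kbd-int check. This is presumably unreachable without UsePAM, since the permit for MONITOR_REQ_PAM_INIT_CTX is only granted inside mm_answer_pam_start (first hunk), but an explicit check does not depend on that dispatch ordering. The later handlers such as mm_answer_pam_query (fourth hunk) rely solely on `sshpam_ctxt != NULL`, and sshpam_ctxt is only assigned by init_ctx, so the gate holds transitively; a comment above that NULL check, `/* sshpam_ctxt is only set by mm_answer_pam_init_ctx, which enforces the kbd-int gate */`, would record the trust chain for the next reader. The body of mm_answer_pam_init_ctx continues past the end of its hunk.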