author | Darren Tucker <dtucker@zip.com.au> | 2016-07-18 09:33:25 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2016-07-18 09:33:25 +1000 |
commit | 01558b7b07af43da774d3a11a5c51fa9c310849d (patch) | |
tree | 97052332089b01018034206d1dcd683c4177f787 /monitor_wrap.c | |
parent | 65c6c6b567ab5ab12945a5ad8e0ab3a8c26119cc (diff) |
Handle PAM_MAXTRIES from modules.
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer
password and keyboard-interactive authentication methods. Should prevent
"sshd ignoring max retries" warnings in the log. ok djm@
It probably won't trigger with keyboard-interactive in the default
configuration because the retry counter is stored in module-private
storage which goes away with the sshd PAM process (see bz#688). On the
other hand, those cases probably won't log a warning either.
Diffstat (limited to 'monitor_wrap.c')
-rw-r--r-- | monitor_wrap.c | 5 |
1 files changed, 5 insertions, 0 deletions
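--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -60,6 +60,7 @@
 #include "packet.h"
 #include "mac.h"
 #include "log.h"
+#include "auth-pam.h"
 #ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */
 #undef TARGET_OS_MAC
 #include "zlib.h"
@@ -362,6 +363,9 @@ mm_auth_password(Authctxt *authctxt, char *password)
 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m);
 
 authenticated = buffer_get_int(&m);
+#ifdef USE_PAM
+sshpam_set_maxtries_reached(buffer_get_int(&m));
+#endif
 
 buffer_free(&m);
 
@@ -644,6 +648,7 @@ mm_sshpam_query(void *ctx, char **name, char **info,
 debug3("%s: pam_query returned %d", __func__, ret);
 *name = buffer_get_string(&m, NULL);
 *info = buffer_get_string(&m, NULL);
+sshpam_set_maxtries_reached(buffer_get_int(&m));
 *num = buffer_get_int(&m);
 if (*num > PAM_MAX_NUM_MSG)
 fatal("%s: recieved %u PAM messages, expected <= %u",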
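Review bot: The extra `buffer_get_int(&m)` added in mm_auth_password and in mm_sshpam_query changes the field order of the monitor's reply, and neither read site documents the new layout. I would add a comment above the guarded call in mm_auth_password, such as `/* reply: authenticated, then (USE_PAM only) maxtries flag; order must match the monitor's answer */`. mm_sshpam_query needs a matching comment, since the flag now sits between `info` and `num`. The monitor-side writers are not shown here (the diffstat is limited to monitor_wrap.c), so check that they emit the field in the same position and under the same `#ifdef USE_PAM`. The flag set here lives in the unprivileged child, so presumably the monitor keeps its own copy for enforcement, which is worth confirming. Both function bodies start and end outside their hunks.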