-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | auth1.c | 21 | ||||
-rw-r--r-- | auth2.c | 5 |
3 files changed, 27 insertions, 5 deletions
@@ -9,6 +9,10 @@ | |||
9 | - add -O | 9 | - add -O |
10 | - sync -S w/ manpage | 10 | - sync -S w/ manpage |
11 | - remove -h | 11 | - remove -h |
12 | - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is | ||
13 | subsequently denied by the PAM auth stack, send the PAM message to the | ||
14 | user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2). | ||
15 | ok djm@ | ||
12 | 16 | ||
13 | 20041107 | 17 | 20041107 |
14 | - (dtucker) OpenBSD CVS Sync | 18 | - (dtucker) OpenBSD CVS Sync |
@@ -1866,4 +1870,4 @@ | |||
1866 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 1870 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
1867 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 1871 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
1868 | 1872 | ||
1869 | $Id: ChangeLog,v 1.3583 2004/12/03 03:10:19 dtucker Exp $ | 1873 | $Id: ChangeLog,v 1.3584 2004/12/03 03:33:47 dtucker Exp $ |
@@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $"); | |||
25 | #include "session.h" | 25 | #include "session.h" |
26 | #include "uidswap.h" | 26 | #include "uidswap.h" |
27 | #include "monitor_wrap.h" | 27 | #include "monitor_wrap.h" |
28 | #include "buffer.h" | ||
28 | 29 | ||
29 | /* import */ | 30 | /* import */ |
30 | extern ServerOptions options; | 31 | extern ServerOptions options; |
32 | extern Buffer loginmsg; | ||
31 | 33 | ||
32 | /* | 34 | /* |
33 | * convert ssh auth msg type into description | 35 | * convert ssh auth msg type into description |
@@ -251,8 +253,23 @@ do_authloop(Authctxt *authctxt) | |||
251 | 253 | ||
252 | #ifdef USE_PAM | 254 | #ifdef USE_PAM |
253 | if (options.use_pam && authenticated && | 255 | if (options.use_pam && authenticated && |
254 | !PRIVSEP(do_pam_account())) | 256 | !PRIVSEP(do_pam_account())) { |
255 | authenticated = 0; | 257 | char *msg; |
258 | size_t len; | ||
259 | |||
260 | error("Access denied for user %s by PAM account " | ||
261 | "configuration", authctxt->user); | ||
262 | len = buffer_len(&loginmsg); | ||
263 | buffer_append(&loginmsg, "\0", 1); | ||
264 | msg = buffer_ptr(&loginmsg); | ||
265 | /* strip trailing newlines */ | ||
266 | if (len > 0) | ||
267 | while (len > 0 && msg[--len] == '\n') | ||
268 | msg[len] = '\0'; | ||
269 | else | ||
270 | msg = "Access denied."; | ||
271 | packet_disconnect(msg); | ||
272 | } | ||
256 | #endif | 273 | #endif |
257 | 274 | ||
258 | /* Log before sending the reply */ | 275 | /* Log before sending the reply */ |
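Review bot: The new `packet_disconnect(msg)` on the line before the `#endif` hands a PAM-supplied message straight in as the format argument; packet_disconnect's prototype is outside this hunk, but in OpenSSH it is a printf-style variadic function, so any `%` sequence in the account-stack message would be interpreted rather than printed. The message text comes from the PAM conversation (whatever do_pam_account collected into loginmsg) and can echo user-influenced data such as the login name, so it should be passed as data: `packet_disconnect("%s", msg);`. A smaller point in the same block: when loginmsg holds only newlines, the strip loop leaves msg as an empty string and the client is disconnected with no reason text, whereas the `len == 0` branch supplies "Access denied."; checking `*msg == '\0'` after the loop would cover both. do_authloop's body continues outside the hunk.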
@@ -220,13 +220,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
220 | #ifdef USE_PAM | 220 | #ifdef USE_PAM |
221 | if (options.use_pam && authenticated) { | 221 | if (options.use_pam && authenticated) { |
222 | if (!PRIVSEP(do_pam_account())) { | 222 | if (!PRIVSEP(do_pam_account())) { |
223 | authenticated = 0; | ||
224 | /* if PAM returned a message, send it to the user */ | 223 | /* if PAM returned a message, send it to the user */ |
225 | if (buffer_len(&loginmsg) > 0) { | 224 | if (buffer_len(&loginmsg) > 0) { |
226 | buffer_append(&loginmsg, "\0", 1); | 225 | buffer_append(&loginmsg, "\0", 1); |
227 | userauth_send_banner(buffer_ptr(&loginmsg)); | 226 | userauth_send_banner(buffer_ptr(&loginmsg)); |
228 | buffer_clear(&loginmsg); | 227 | packet_write_wait(); |
229 | } | 228 | } |
229 | fatal("Access denied for user %s by PAM account " | ||
230 | "configuration", authctxt->user); | ||
230 | } | 231 | } |
231 | } | 232 | } |
232 | #endif | 233 | #endif |
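Review bot: The `fatal(...)` that now replaces `authenticated = 0` in userauth_finish ends the server process without sending the client an SSH_MSG_DISCONNECT, so after the banner the client sees the transport close rather than a disconnect reason; the Protocol 1 path added in auth1.c in this same commit uses packet_disconnect, which (if it behaves as its name suggests, its definition is not in this diff) delivers a reason before exiting. For consistent client-visible behaviour across the two protocols, `packet_disconnect("Access denied for user %s by PAM account configuration", authctxt->user);` in place of the fatal() call would seem preferable, assuming packet_disconnect is available in this file as it is in auth1.c. Note also that, unlike the auth1.c path, the banner text is sent with its trailing newlines intact; that may be intended for a banner, but worth confirming. userauth_finish continues outside the hunk on both sides.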