summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog4
-rw-r--r--auth-pam.c21
2 files changed, 19 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index a26f06323..0a7212f59 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,8 @@
5 georg.schwarz at freenet.de, ok djm@. 5 georg.schwarz at freenet.de, ok djm@.
6 - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative 6 - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
7 default. Patch originally from tim@, ok djm 7 default. Patch originally from tim@, ok djm
8 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
9 do not allow kbdint again after the PAM account check fails. ok djm@
8 10
920050506 1120050506
10 - (dtucker) OpenBSD CVS Syn 12 - (dtucker) OpenBSD CVS Syn
@@ -4619,4 +4621,4 @@
4619 - (djm) Trim deprecated options from INSTALL. Mention UsePAM 4621 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
4620 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu 4622 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
4621 4623
4622$Id: ChangeLog,v 1.4326 2006/05/15 07:17:29 dtucker Exp $ 4624$Id: ChangeLog,v 1.4327 2006/05/15 07:22:33 dtucker Exp $
diff --git a/auth-pam.c b/auth-pam.c
index 5ddc8bec3..16e7c21e3 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -445,8 +445,10 @@ sshpam_thread(void *ctxtp)
445 goto auth_fail; 445 goto auth_fail;
446 446
447 if (compat20) { 447 if (compat20) {
448 if (!do_pam_account()) 448 if (!do_pam_account()) {
449 sshpam_err = PAM_ACCT_EXPIRED;
449 goto auth_fail; 450 goto auth_fail;
451 }
450 if (sshpam_authctxt->force_pwchange) { 452 if (sshpam_authctxt->force_pwchange) {
451 sshpam_err = pam_chauthtok(sshpam_handle, 453 sshpam_err = pam_chauthtok(sshpam_handle,
452 PAM_CHANGE_EXPIRED_AUTHTOK); 454 PAM_CHANGE_EXPIRED_AUTHTOK);
@@ -488,7 +490,10 @@ sshpam_thread(void *ctxtp)
488 buffer_put_cstring(&buffer, 490 buffer_put_cstring(&buffer,
489 pam_strerror(sshpam_handle, sshpam_err)); 491 pam_strerror(sshpam_handle, sshpam_err));
490 /* XXX - can't do much about an error here */ 492 /* XXX - can't do much about an error here */
491 ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); 493 if (sshpam_err == PAM_ACCT_EXPIRED)
494 ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
495 else
496 ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
492 buffer_free(&buffer); 497 buffer_free(&buffer);
493 pthread_exit(NULL); 498 pthread_exit(NULL);
494 499
@@ -643,8 +648,11 @@ sshpam_init_ctx(Authctxt *authctxt)
643 int socks[2]; 648 int socks[2];
644 649
645 debug3("PAM: %s entering", __func__); 650 debug3("PAM: %s entering", __func__);
646 /* Refuse to start if we don't have PAM enabled */ 651 /*
647 if (!options.use_pam) 652 * Refuse to start if we don't have PAM enabled or do_pam_account
653 * has previously failed.
654 */
655 if (!options.use_pam || sshpam_account_status == 0)
648 return NULL; 656 return NULL;
649 657
650 /* Initialize PAM */ 658 /* Initialize PAM */
@@ -721,8 +729,11 @@ sshpam_query(void *ctx, char **name, char **info,
721 plen++; 729 plen++;
722 xfree(msg); 730 xfree(msg);
723 break; 731 break;
732 case PAM_ACCT_EXPIRED:
733 sshpam_account_status = 0;
734 /* FALLTHROUGH */
724 case PAM_AUTH_ERR: 735 case PAM_AUTH_ERR:
725 debug3("PAM: PAM_AUTH_ERR"); 736 debug3("PAM: %s", pam_strerror(sshpam_handle, type));
726 if (**prompts != NULL && strlen(**prompts) != 0) { 737 if (**prompts != NULL && strlen(**prompts) != 0) {
727 *info = **prompts; 738 *info = **prompts;
728 **prompts = NULL; 739 **prompts = NULL;