3 files changed, 16 insertions, 10 deletions

diff --git a/ChangeLog b/ChangeLog
index 33a2aaf4b..cef110384 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,14 @@
    - dtucker@cvs.openbsd.org 2005/01/17 22:48:39
      [sshd.c]
      Make debugging output continue after reexec; ok djm@
+   - dtucker@cvs.openbsd.org 2005/01/19 13:11:47
+     [auth-bsdauth.c auth2-chall.c]
+     Have keyboard-interactive code call the drivers even for responses for
+     invalid logins.  This allows the drivers themselves to decide how to
+     handle them and prevent leaking information where possible.  Existing
+     behaviour for bsdauth is maintained by checking authctxt->valid in the
+     bsdauth driver.  Note that any third-party kbdint drivers will now need
+     to be able to handle responses for invalid logins.  ok markus@
 
 20050118
  - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
@@ -1994,4 +2002,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3615 2005/01/20 00:03:08 dtucker Exp $
+$Id: ChangeLog,v 1.3616 2005/01/20 00:05:34 dtucker Exp $
diff --git a/auth-bsdauth.c b/auth-bsdauth.c
index 2ac27a7a2..920c977d8 100644
--- a/auth-bsdauth.c
+++ b/auth-bsdauth.c
@@ -22,7 +22,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth-bsdauth.c,v 1.5 2002/06/30 21:59:45 deraadt Exp $");
+RCSID("$OpenBSD: auth-bsdauth.c,v 1.6 2005/01/19 13:11:47 dtucker Exp $");
 
 #ifdef BSD_AUTH
 #include "xmalloc.h"
@@ -83,6 +83,9 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
         Authctxt *authctxt = ctx;
         int authok;
 
+        if (!authctxt->valid)
+                return -1;
+
         if (authctxt->as == 0)
                 error("bsdauth_respond: no bsd auth session");
 
diff --git a/auth2-chall.c b/auth2-chall.c
index 486baaaa3..29234439c 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -23,7 +23,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.21 2004/06/01 14:20:45 dtucker Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $");
 
 #include "ssh2.h"
 #include "auth.h"
@@ -274,12 +274,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
         }
         packet_check_eom();
 
-        if (authctxt->valid) {
-                res = kbdintctxt->device->respond(kbdintctxt->ctxt,
-                    nresp, response);
-        } else {
-                res = -1;
-        }
+        res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
 
         for (i = 0; i < nresp; i++) {
                 memset(response[i], 'r', strlen(response[i]));
@@ -291,7 +286,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
         switch (res) {
         case 0:
                 /* Success! */
-                authenticated = 1;
+                authenticated = authctxt->valid ? 1 : 0;
                 break;
         case 1:
                 /* Authentication needs further interaction */