Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 17 |
1 files changed, 14 insertions, 3 deletions
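diff --git a/auth-pam.c b/auth-pam.c
index a1b26cc59..996964fcd 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.118 2004/10/16 08:52:44 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -186,6 +186,7 @@ static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
 static Authctxt *sshpam_authctxt = NULL;
 static const char *sshpam_password = NULL;
+static char badpw[] = "\b\n\r\177INCORRECT";
 
 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
@@ -701,6 +702,12 @@ sshpam_query(void *ctx, char **name, char **info,
 **prompts = NULL;
 }
 if (type == PAM_SUCCESS) {
+if (!sshpam_authctxt->valid ||
+(sshpam_authctxt->pw->pw_uid == 0 &&
+options.permit_root_login != PERMIT_YES))
+fatal("Internal error: PAM auth "
+"succeeded when it should have "
+"failed");
 import_environments(&buffer);
 *num = 0;
 **echo_on = 0;
@@ -746,7 +753,12 @@ sshpam_respond(void *ctx, u_int num, char **resp)
 return (-1);
 }
 buffer_init(&buffer);
-buffer_put_cstring(&buffer, *resp);
+if (sshpam_authctxt->valid &&
+(sshpam_authctxt->pw->pw_uid != 0 ||
+options.permit_root_login == PERMIT_YES))
+buffer_put_cstring(&buffer, *resp);
+else
+buffer_put_cstring(&buffer, badpw);
 if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
 buffer_free(&buffer);
 return (-1);
@@ -1093,7 +1105,6 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 {
 int flags = (options.permit_empty_passwd == 0 ?
 PAM_DISALLOW_NULL_AUTHTOK : 0);
-static char badpw[] = "\b\n\r\177INCORRECT";
 
 if (!options.use_pam || sshpam_handle == NULL)
 fatal("PAM: %s called when PAM disabled or failed to "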