Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 9 |
1 files changed, 7 insertions, 2 deletions
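--- a/auth-pam.c
+++ b/auth-pam.c
@@ -185,6 +185,7 @@ static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
 static Authctxt *sshpam_authctxt = NULL;
+static char badpw[] = "\b\n\r\177INCORRECT";
 static const char *sshpam_password = NULL;
 
 /* Some PAM implementations don't implement this */
@@ -696,7 +697,12 @@ sshpam_respond(void *ctx, u_int num, char **resp)
 return (-1);
 }
 buffer_init(&buffer);
-buffer_put_cstring(&buffer, *resp);
+if (sshpam_authctxt->valid &&
+(sshpam_authctxt->pw->pw_uid != 0 ||
+options.permit_root_login == PERMIT_YES))
+buffer_put_cstring(&buffer, *resp);
+else
+buffer_put_cstring(&buffer, badpw);
 if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
 buffer_free(&buffer);
 return (-1);
@@ -1075,7 +1081,6 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 {
 int flags = (options.permit_empty_passwd == 0 ?
 PAM_DISALLOW_NULL_AUTHTOK : 0);
-static char badpw[] = "\b\n\r\177INCORRECT";
 
 if (!options.use_pam || sshpam_handle == NULL)
 fatal("PAM: %s called when PAM disabled or failed to "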
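Review bot: The new branch in sshpam_respond swaps the client's response for `badpw` with no comment explaining why. The intent is presumably that an invalid user, or root without `PERMIT_YES`, still goes through the full PAM exchange so the rejection cannot be told apart from an ordinary wrong password. I would add above the `if` a comment such as `/* Invalid user or disallowed root: still run the PAM exchange, but with a response that cannot match. */`. Note also that `badpw` has a fixed length while `*resp` is client-chosen, so if the PAM stack's cost depends on input length the two paths may still be distinguishable; that should be confirmed separately. Moving `badpw` to file scope suggests sshpam_auth_passwd applies a similar test (its body continues outside the hunk), so a small shared predicate would keep the two checks from drifting apart.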