diff options
Diffstat (limited to 'auth1.c')
| -rw-r--r-- | auth1.c | 33 |
1 files changed, 29 insertions, 4 deletions
| @@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $"); | |||
| 25 | #include "session.h" | 25 | #include "session.h" |
| 26 | #include "uidswap.h" | 26 | #include "uidswap.h" |
| 27 | #include "monitor_wrap.h" | 27 | #include "monitor_wrap.h" |
| 28 | #include "buffer.h" | ||
| 28 | 29 | ||
| 29 | /* import */ | 30 | /* import */ |
| 30 | extern ServerOptions options; | 31 | extern ServerOptions options; |
| 32 | extern Buffer loginmsg; | ||
| 31 | 33 | ||
| 32 | /* | 34 | /* |
| 33 | * convert ssh auth msg type into description | 35 | * convert ssh auth msg type into description |
| @@ -245,14 +247,33 @@ do_authloop(Authctxt *authctxt) | |||
| 245 | #else | 247 | #else |
| 246 | /* Special handling for root */ | 248 | /* Special handling for root */ |
| 247 | if (authenticated && authctxt->pw->pw_uid == 0 && | 249 | if (authenticated && authctxt->pw->pw_uid == 0 && |
| 248 | !auth_root_allowed(get_authname(type))) | 250 | !auth_root_allowed(get_authname(type))) { |
| 249 | authenticated = 0; | 251 | authenticated = 0; |
| 252 | # ifdef SSH_AUDIT_EVENTS | ||
| 253 | PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); | ||
| 254 | # endif | ||
| 255 | } | ||
| 250 | #endif | 256 | #endif |
| 251 | 257 | ||
| 252 | #ifdef USE_PAM | 258 | #ifdef USE_PAM |
| 253 | if (options.use_pam && authenticated && | 259 | if (options.use_pam && authenticated && |
| 254 | !PRIVSEP(do_pam_account())) | 260 | !PRIVSEP(do_pam_account())) { |
| 255 | authenticated = 0; | 261 | char *msg; |
| 262 | size_t len; | ||
| 263 | |||
| 264 | error("Access denied for user %s by PAM account " | ||
| 265 | "configuration", authctxt->user); | ||
| 266 | len = buffer_len(&loginmsg); | ||
| 267 | buffer_append(&loginmsg, "\0", 1); | ||
| 268 | msg = buffer_ptr(&loginmsg); | ||
| 269 | /* strip trailing newlines */ | ||
| 270 | if (len > 0) | ||
| 271 | while (len > 0 && msg[--len] == '\n') | ||
| 272 | msg[len] = '\0'; | ||
| 273 | else | ||
| 274 | msg = "Access denied."; | ||
| 275 | packet_disconnect(msg); | ||
| 276 | } | ||
| 256 | #endif | 277 | #endif |
| 257 | 278 | ||
| 258 | /* Log before sending the reply */ | 279 | /* Log before sending the reply */ |
| @@ -266,8 +287,12 @@ do_authloop(Authctxt *authctxt) | |||
| 266 | if (authenticated) | 287 | if (authenticated) |
| 267 | return; | 288 | return; |
| 268 | 289 | ||
| 269 | if (authctxt->failures++ > options.max_authtries) | 290 | if (authctxt->failures++ > options.max_authtries) { |
| 291 | #ifdef SSH_AUDIT_EVENTS | ||
| 292 | PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); | ||
| 293 | #endif | ||
| 270 | packet_disconnect(AUTH_FAIL_MSG, authctxt->user); | 294 | packet_disconnect(AUTH_FAIL_MSG, authctxt->user); |
| 295 | } | ||
| 271 | 296 | ||
| 272 | packet_start(SSH_SMSG_FAILURE); | 297 | packet_start(SSH_SMSG_FAILURE); |
| 273 | packet_send(); | 298 | packet_send(); |