From c13866719fc39d5feebfb80ca251a7b31583d803 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Fri, 3 Dec 2004 14:33:47 +1100
Subject:  - (dtucker) [auth1.c auth2.c] If the user successfully authenticates
 but is    subsequently denied by the PAM auth stack, send the PAM message to
 the    user via packet_disconnect (Protocol 1) or userauth_banner (Protocol
 2).    ok djm@

---
 ChangeLog |  6 +++++-
 auth1.c   | 21 +++++++++++++++++++--
 auth2.c   |  5 +++--
 3 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 35a7d07ae..fd92678f3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,10 @@
      - add -O
      - sync -S w/ manpage
      - remove -h
+ - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
+   subsequently denied by the PAM auth stack, send the PAM message to the
+   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
+   ok djm@
 
 20041107
  - (dtucker) OpenBSD CVS Sync
@@ -1866,4 +1870,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3583 2004/12/03 03:10:19 dtucker Exp $
+$Id: ChangeLog,v 1.3584 2004/12/03 03:33:47 dtucker Exp $
diff --git a/auth1.c b/auth1.c
index 3f93b9869..2a9d18b9a 100644
--- a/auth1.c
+++ b/auth1.c
@@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
 #include "session.h"
 #include "uidswap.h"
 #include "monitor_wrap.h"
+#include "buffer.h"
 
 /* import */
 extern ServerOptions options;
+extern Buffer loginmsg;
 
 /*
  * convert ssh auth msg type into description
@@ -251,8 +253,23 @@ do_authloop(Authctxt *authctxt)
 
 #ifdef USE_PAM
 		if (options.use_pam && authenticated &&
-		    !PRIVSEP(do_pam_account()))
-			authenticated = 0;
+		    !PRIVSEP(do_pam_account())) {
+			char *msg;
+			size_t len;
+
+			error("Access denied for user %s by PAM account "
+			   "configuration", authctxt->user);
+			len = buffer_len(&loginmsg);
+			buffer_append(&loginmsg, "\0", 1);
+			msg = buffer_ptr(&loginmsg);
+			/* strip trailing newlines */
+			if (len > 0)
+				while (len > 0 && msg[--len] == '\n')
+					msg[len] = '\0';
+			else
+				msg = "Access denied.";
+			packet_disconnect(msg);
+		}
 #endif
 
 		/* Log before sending the reply */
diff --git a/auth2.c b/auth2.c
index 57e6db46b..60e261f7f 100644
--- a/auth2.c
+++ b/auth2.c
@@ -220,13 +220,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #ifdef USE_PAM
 	if (options.use_pam && authenticated) {
 		if (!PRIVSEP(do_pam_account())) {
-			authenticated = 0;
 			/* if PAM returned a message, send it to the user */
 			if (buffer_len(&loginmsg) > 0) {
 				buffer_append(&loginmsg, "\0", 1);
 				userauth_send_banner(buffer_ptr(&loginmsg));
-				buffer_clear(&loginmsg);
+				packet_write_wait();
 			}
+			fatal("Access denied for user %s by PAM account "
+			   "configuration", authctxt->user);
 		}
 	}
 #endif
-- 
cgit v1.2.3