- (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
   subsequently denied by the PAM auth stack, send the PAM message to the
   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
   ok djm@
This commit is contained in:
Darren Tucker 2004-12-03 14:33:47 +11:00
parent 9c6bf325c0
commit c13866719f
3 changed files with 27 additions and 5 deletions


@ -9,6 +9,10 @@
- add -O - add -O
- sync -S w/ manpage - sync -S w/ manpage
- remove -h - remove -h
- (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
subsequently denied by the PAM auth stack, send the PAM message to the
user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
ok djm@
20041107 20041107
- (dtucker) OpenBSD CVS Sync - (dtucker) OpenBSD CVS Sync
@ -1866,4 +1870,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.3583 2004/12/03 03:10:19 dtucker Exp $ $Id: ChangeLog,v 1.3584 2004/12/03 03:33:47 dtucker Exp $

21
auth1.c

@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
#include "session.h" #include "session.h"
#include "uidswap.h" #include "uidswap.h"
#include "monitor_wrap.h" #include "monitor_wrap.h"
#include "buffer.h"
/* import */ /* import */
extern ServerOptions options; extern ServerOptions options;
extern Buffer loginmsg;
/* /*
* convert ssh auth msg type into description * convert ssh auth msg type into description
@ -251,8 +253,23 @@ do_authloop(Authctxt *authctxt)
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam && authenticated && if (options.use_pam && authenticated &&
!PRIVSEP(do_pam_account())) !PRIVSEP(do_pam_account())) {
authenticated = 0; char *msg;
size_t len;
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len(&loginmsg);
buffer_append(&loginmsg, "\0", 1);
msg = buffer_ptr(&loginmsg);
/* strip trailing newlines */
if (len > 0)
while (len > 0 && msg[--len] == '\n')
msg[len] = '\0';
else
msg = "Access denied.";
packet_disconnect(msg);
}
#endif #endif
/* Log before sending the reply */ /* Log before sending the reply */
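Review bot: The PAM-supplied text in `msg` is handed to `packet_disconnect(msg)` as its format argument; packet_disconnect() is printf-style, so a `%` sequence in a module's message would be interpreted as a conversion instead of being sent verbatim, and it should be passed as data: `packet_disconnect("%s", msg);`. A second, smaller point: when loginmsg holds only newlines the stripping loop leaves an empty string and the client gets an empty disconnect reason rather than the "Access denied." fallback, which applies only to the `len == 0` case; checking `if (*msg == '\0') msg = "Access denied.";` after the loop covers both. do_authloop continues outside the hunk.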


@ -220,13 +220,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam && authenticated) { if (options.use_pam && authenticated) {
if (!PRIVSEP(do_pam_account())) { if (!PRIVSEP(do_pam_account())) {
authenticated = 0;
/* if PAM returned a message, send it to the user */ /* if PAM returned a message, send it to the user */
if (buffer_len(&loginmsg) > 0) { if (buffer_len(&loginmsg) > 0) {
buffer_append(&loginmsg, "\0", 1); buffer_append(&loginmsg, "\0", 1);
userauth_send_banner(buffer_ptr(&loginmsg)); userauth_send_banner(buffer_ptr(&loginmsg));
buffer_clear(&loginmsg); packet_write_wait();
} }
fatal("Access denied for user %s by PAM account "
"configuration", authctxt->user);
} }
} }
#endif #endif
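Review bot: The banner path sends `loginmsg` verbatim, whereas the Protocol 1 branch in auth1.c strips trailing newlines and substitutes "Access denied." for an empty buffer, so the same PAM denial yields different client-visible text on the two protocols; stripping trailing newlines before `userauth_send_banner()` here would keep them consistent. The removed `authenticated = 0;` is no longer needed only because `fatal()` does not return, which is worth stating next to the call, e.g. `/* fatal() terminates the connection; authenticated is never consulted */`. The `packet_write_wait()` added before `fatal()` is what ensures the banner reaches the client, and a short comment saying so would help the next reader. userauth_finish continues outside the hunk.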