Always send any PAM account messages.

If the PAM account stack reaturns any messages, send them to the user
not just if the check succeeds.  bz#2049, ok djm@
This commit is contained in:
Darren Tucker 2020-08-07 17:12:16 +10:00
parent a09e98dcae
commit ed6bef77f5
1 changed files with 12 additions and 12 deletions

24
auth2.c
View File

@ -390,20 +390,20 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
#ifdef USE_PAM
if (options.use_pam && authenticated) {
int r;
int r, success = PRIVSEP(do_pam_account());
if (!PRIVSEP(do_pam_account())) {
/* if PAM returned a message, send it to the user */
if (sshbuf_len(loginmsg) > 0) {
if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0)
fatal("%s: buffer error: %s",
__func__, ssh_err(r));
userauth_send_banner(ssh, sshbuf_ptr(loginmsg));
if ((r = ssh_packet_write_wait(ssh)) != 0) {
sshpkt_fatal(ssh, r,
"%s: send PAM banner", __func__);
}
/* If PAM returned a message, send it to the user. */
if (sshbuf_len(loginmsg) > 0) {
if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0)
fatal("%s: buffer error: %s",
__func__, ssh_err(r));
userauth_send_banner(ssh, sshbuf_ptr(loginmsg));
if ((r = ssh_packet_write_wait(ssh)) != 0) {
sshpkt_fatal(ssh, r,
"%s: send PAM banner", __func__);
}
}
if (!success) {
fatal("Access denied for user %s by PAM account "
"configuration", authctxt->user);
}