- (djm) Don't accept PAM_PROMPT_ECHO_ON messages during initial auth

2024-11-27 14:44:21 +08:00 · 2000-10-14 11:16:12 +11:00 · 2000-10-14 11:16:12 +11:00 · 60819b44bd
commit 60819b44bd
parent 48b7cc0dd7
2 changed files with 18 additions and 8 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+20001014
+ - (djm) Don't accept PAM_PROMPT_ECHO_ON messages during initial auth
+
 20001007
 - (stevesk) Print PAM return value in PAM log messages to aid
   with debugging.
--- a/auth-pam.c
+++ b/auth-pam.c
@ -29,7 +29,7 @@
 #include "xmalloc.h"
 #include "servconf.h"

-RCSID("$Id: auth-pam.c,v 1.14 2000/10/07 11:16:55 stevesk Exp $");
+RCSID("$Id: auth-pam.c,v 1.15 2000/10/14 00:16:12 djm Exp $");

 #define NEW_AUTHTOK_MSG \
 	"Warning: Your password has expired, please change it now"
@ -83,11 +83,16 @@ static int pamconv(int num_msg, const struct pam_message **msg,
 	for (count = 0; count < num_msg; count++) {
 		switch ((*msg)[count].msg_style) {
 			case PAM_PROMPT_ECHO_ON:
-				fputs((*msg)[count].msg, stderr);
-				fgets(buf, sizeof(buf), stdin);
-				reply[count].resp = xstrdup(buf);
-				reply[count].resp_retcode = PAM_SUCCESS;
-				break;
+				if (pamstate == INITIAL_LOGIN) {
+					free(reply);
+					return PAM_CONV_ERR;
+				} else {
+					fputs((*msg)[count].msg, stderr);
+					fgets(buf, sizeof(buf), stdin);
+					reply[count].resp = xstrdup(buf);
+					reply[count].resp_retcode = PAM_SUCCESS;
+					break;
+				}
 			case PAM_PROMPT_ECHO_OFF:
 				if (pamstate == INITIAL_LOGIN) {
 					if (pampasswd == NULL) {
@ -95,8 +100,10 @@ static int pamconv(int num_msg, const struct pam_message **msg,
 						return PAM_CONV_ERR;
 					}
 					reply[count].resp = xstrdup(pampasswd);
-				} else
-					reply[count].resp = xstrdup(read_passphrase((*msg)[count].msg, 1));
+				} else {
+					reply[count].resp = 
+						xstrdup(read_passphrase((*msg)[count].msg, 1));
+				}
 				reply[count].resp_retcode = PAM_SUCCESS;
 				break;
 			case PAM_ERROR_MSG: