- (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is

subsequently denied by the PAM auth stack, send the PAM message to the user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2). ok djm@
2024-11-24 10:53:24 +08:00 · 2004-12-03 14:33:47 +11:00 · 2004-12-03 14:33:47 +11:00 · c13866719f
commit c13866719f
parent 9c6bf325c0
3 changed files with 27 additions and 5 deletions
--- a/6
+++ b/6
@ -9,6 +9,10 @@
     - add -O
     - sync -S w/ manpage
     - remove -h
+ - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
+   subsequently denied by the PAM auth stack, send the PAM message to the
+   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
+   ok djm@

 20041107
 - (dtucker) OpenBSD CVS Sync
@ -1866,4 +1870,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu

-$Id: ChangeLog,v 1.3583 2004/12/03 03:10:19 dtucker Exp $
+$Id: ChangeLog,v 1.3584 2004/12/03 03:33:47 dtucker Exp $
--- a/auth1.c
+++ b/auth1.c
@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
 #include "session.h"
 #include "uidswap.h"
 #include "monitor_wrap.h"
+#include "buffer.h"

 /* import */
 extern ServerOptions options;
+extern Buffer loginmsg;

 /*
 * convert ssh auth msg type into description
@ -251,8 +253,23 @@ do_authloop(Authctxt *authctxt)

 #ifdef USE_PAM
 		if (options.use_pam && authenticated &&
-		    !PRIVSEP(do_pam_account()))
-			authenticated = 0;
+		    !PRIVSEP(do_pam_account())) {
+			char *msg;
+			size_t len;
+
+			error("Access denied for user %s by PAM account "
+			   "configuration", authctxt->user);
+			len = buffer_len(&loginmsg);
+			buffer_append(&loginmsg, "\0", 1);
+			msg = buffer_ptr(&loginmsg);
+			/* strip trailing newlines */
+			if (len > 0)
+				while (len > 0 && msg[--len] == '\n')
+					msg[len] = '\0';
+			else
+				msg = "Access denied.";
+			packet_disconnect(msg);
+		}
 #endif

 		/* Log before sending the reply */
--- a/auth2.c
+++ b/auth2.c
@ -220,13 +220,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #ifdef USE_PAM
 	if (options.use_pam && authenticated) {
 		if (!PRIVSEP(do_pam_account())) {
-			authenticated = 0;
 			/* if PAM returned a message, send it to the user */
 			if (buffer_len(&loginmsg) > 0) {
 				buffer_append(&loginmsg, "\0", 1);
 				userauth_send_banner(buffer_ptr(&loginmsg));
-				buffer_clear(&loginmsg);
+				packet_write_wait();
 			}
+			fatal("Access denied for user %s by PAM account "
+			   "configuration", authctxt->user);
 		}
 	}
 #endif