diff --git a/ChangeLog b/ChangeLog
index 35a7d07ae..fd92678f3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,10 @@
   - add -O
   - sync -S w/ manpage
   - remove -h
+ - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
+   subsequently denied by the PAM auth stack, send the PAM message to the
+   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
+   ok djm@
 20041107
  - (dtucker) OpenBSD CVS Sync
@@ -1866,4 +1870,4 @@
  - (djm) Trim deprecated options from INSTALL. Mention UsePAM
  - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3583 2004/12/03 03:10:19 dtucker Exp $
+$Id: ChangeLog,v 1.3584 2004/12/03 03:33:47 dtucker Exp $
diff --git a/auth1.c b/auth1.c
index 3f93b9869..2a9d18b9a 100644
--- a/auth1.c
+++ b/auth1.c
@@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
 #include "session.h"
 #include "uidswap.h"
 #include "monitor_wrap.h"
+#include "buffer.h"
 /* import */
 extern ServerOptions options;
+extern Buffer loginmsg;
 /*
  * convert ssh auth msg type into description
@@ -251,8 +253,23 @@ do_authloop(Authctxt *authctxt)
 #ifdef USE_PAM
 		if (options.use_pam && authenticated &&
-		    !PRIVSEP(do_pam_account()))
-			authenticated = 0;
+		    !PRIVSEP(do_pam_account())) {
+			char *msg;
+			size_t len;
+
+			error("Access denied for user %s by PAM account "
+			    "configuration", authctxt->user);
+			len = buffer_len(&loginmsg);
+			buffer_append(&loginmsg, "\0", 1);
+			msg = buffer_ptr(&loginmsg);
+			/* strip trailing newlines */
+			if (len > 0)
+				while (len > 0 && msg[--len] == '\n')
+					msg[len] = '\0';
+			else
+				msg = "Access denied.";
+			packet_disconnect(msg);
+		}
 #endif
 		/* Log before sending the reply */
diff --git a/auth2.c b/auth2.c
index 57e6db46b..60e261f7f 100644
--- a/auth2.c
+++ b/auth2.c
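Review bot: `packet_disconnect(msg)` in the new do_authloop branch passes the PAM-supplied loginmsg text as the format argument; if packet_disconnect is printf-style like the `error()` call a few lines above (its prototype is outside this hunk), any `%` sequence in a PAM account message — text a PAM module emits, e.g. the contents of a nologin file — is interpreted as a conversion specifier and can read stack garbage or crash sshd before the disconnect goes out. The auth2.c side of this change does not have the problem because it hands the buffer to userauth_send_banner as data, so only this call needs to become `packet_disconnect("%s", msg);`. Separately, a loginmsg that consists only of newlines is stripped down to an empty string rather than falling back to "Access denied.", because the `len > 0` test runs before the stripping loop; testing `*msg == '\0'` after the loop would cover both cases. do_authloop starts and ends outside the hunk.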
@@ -220,13 +220,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #ifdef USE_PAM
 	if (options.use_pam && authenticated) {
 		if (!PRIVSEP(do_pam_account())) {
-			authenticated = 0;
 			/* if PAM returned a message, send it to the user */
 			if (buffer_len(&loginmsg) > 0) {
 				buffer_append(&loginmsg, "\0", 1);
 				userauth_send_banner(buffer_ptr(&loginmsg));
-				buffer_clear(&loginmsg);
+				packet_write_wait();
 			}
+			fatal("Access denied for user %s by PAM account "
+			    "configuration", authctxt->user);
 		}
 	}
 #endif
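Review bot: When do_pam_account() fails and loginmsg is empty, the new code goes straight to `fatal()`, so as far as this hunk shows the Protocol 2 client is dropped with no banner and no reason, whereas the Protocol 1 path in auth1.c falls back to an explicit "Access denied." message; an else branch sending that same fallback through userauth_send_banner before the fatal would keep the two paths consistent for users. Dropping `authenticated = 0` is correct only because fatal() never returns, and a one-line comment such as `/* fatal() does not return; authenticated is never consulted again */` would make that dependency explicit to the next maintainer. Since the PAM text is now flushed to the client with packet_write_wait() before the process exits, whatever an account-stack module writes is disclosed to an authenticated-but-denied user — worth stating in the comment so module authors are not surprised. userauth_finish continues outside the hunk.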