mirror of git://anongit.mindrot.org/openssh.git
- (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
do not allow kbdint again after the PAM account check fails. ok djm@
parent
cefd8bb36d
commit
2c77b7f1c1
|
@ -5,6 +5,8 @@
|
||||||
georg.schwarz at freenet.de, ok djm@.
|
georg.schwarz at freenet.de, ok djm@.
|
||||||
- (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
|
- (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
|
||||||
default. Patch originally from tim@, ok djm
|
default. Patch originally from tim@, ok djm
|
||||||
|
- (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
|
||||||
|
do not allow kbdint again after the PAM account check fails. ok djm@
|
||||||
|
|
||||||
20050506
|
20050506
|
||||||
- (dtucker) OpenBSD CVS Syn
|
- (dtucker) OpenBSD CVS Syn
|
||||||
|
@ -4619,4 +4621,4 @@
|
||||||
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
||||||
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
||||||
|
|
||||||
$Id: ChangeLog,v 1.4326 2006/05/15 07:17:29 dtucker Exp $
|
$Id: ChangeLog,v 1.4327 2006/05/15 07:22:33 dtucker Exp $
|
||||||
|
|
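--- a/auth-pam.c
+++ b/auth-pam.c
@@ -445,8 +445,10 @@ sshpam_thread(void *ctxtp)
 goto auth_fail;
 
 if (compat20) {
-if (!do_pam_account())
+if (!do_pam_account()) {
+sshpam_err = PAM_ACCT_EXPIRED;
 goto auth_fail;
+}
 if (sshpam_authctxt->force_pwchange) {
 sshpam_err = pam_chauthtok(sshpam_handle,
 PAM_CHANGE_EXPIRED_AUTHTOK);
@@ -488,6 +490,9 @@ sshpam_thread(void *ctxtp)
 buffer_put_cstring(&buffer,
 pam_strerror(sshpam_handle, sshpam_err));
 /* XXX - can't do much about an error here */
+if (sshpam_err == PAM_ACCT_EXPIRED)
+ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
+else
 ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
 buffer_free(&buffer);
 pthread_exit(NULL);
@@ -643,8 +648,11 @@ sshpam_init_ctx(Authctxt *authctxt)
 int socks[2];
 
 debug3("PAM: %s entering", __func__);
-/* Refuse to start if we don't have PAM enabled */
-if (!options.use_pam)
+/*
+* Refuse to start if we don't have PAM enabled or do_pam_account
+* has previously failed.
+*/
+if (!options.use_pam || sshpam_account_status == 0)
 return NULL;
 
 /* Initialize PAM */
@@ -721,8 +729,11 @@ sshpam_query(void *ctx, char **name, char **info,
 plen++;
 xfree(msg);
 break;
+case PAM_ACCT_EXPIRED:
+sshpam_account_status = 0;
+/* FALLTHROUGH */
 case PAM_AUTH_ERR:
-debug3("PAM: PAM_AUTH_ERR");
+debug3("PAM: %s", pam_strerror(sshpam_handle, type));
 if (**prompts != NULL && strlen(**prompts) != 0) {
 *info = **prompts;
 **prompts = NULL;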
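Review bot: In the first sshpam_thread hunk, `sshpam_err = PAM_ACCT_EXPIRED;` is assigned for every failed do_pam_account(), so the pam_strerror() text buffered at auth_fail and the new debug3 line in sshpam_query will report an expired account whatever the real cause was (do_pam_account's body is not visible here, so this is inferred). The constant is in effect the "account check failed" message type: it makes sshpam_query clear sshpam_account_status, which then makes sshpam_init_ctx refuse a new kbdint context. A comment at the assignment would keep maintainers and log reviewers from reading it literally, e.g. `/* PAM_ACCT_EXPIRED is the message type for any account-check failure; the underlying PAM result is not forwarded */`. All four hunks cut through functions whose bodies begin and end outside the visible lines.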