- (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and

do not allow kbdint again after the PAM account check fails.  ok djm@
This commit is contained in:
Darren Tucker 2006-05-15 17:22:33 +10:00
parent cefd8bb36d
commit 2c77b7f1c1
2 changed files with 19 additions and 6 deletions

View File

@ -5,6 +5,8 @@
georg.schwarz at freenet.de, ok djm@. georg.schwarz at freenet.de, ok djm@.
- (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
default. Patch originally from tim@, ok djm default. Patch originally from tim@, ok djm
- (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
do not allow kbdint again after the PAM account check fails. ok djm@
20050506 20050506
- (dtucker) OpenBSD CVS Syn - (dtucker) OpenBSD CVS Syn
@ -4619,4 +4621,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.4326 2006/05/15 07:17:29 dtucker Exp $ $Id: ChangeLog,v 1.4327 2006/05/15 07:22:33 dtucker Exp $

View File

@ -445,8 +445,10 @@ sshpam_thread(void *ctxtp)
goto auth_fail; goto auth_fail;
if (compat20) { if (compat20) {
if (!do_pam_account()) if (!do_pam_account()) {
sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail; goto auth_fail;
}
if (sshpam_authctxt->force_pwchange) { if (sshpam_authctxt->force_pwchange) {
sshpam_err = pam_chauthtok(sshpam_handle, sshpam_err = pam_chauthtok(sshpam_handle,
PAM_CHANGE_EXPIRED_AUTHTOK); PAM_CHANGE_EXPIRED_AUTHTOK);
@ -488,7 +490,10 @@ sshpam_thread(void *ctxtp)
buffer_put_cstring(&buffer, buffer_put_cstring(&buffer,
pam_strerror(sshpam_handle, sshpam_err)); pam_strerror(sshpam_handle, sshpam_err));
/* XXX - can't do much about an error here */ /* XXX - can't do much about an error here */
ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); if (sshpam_err == PAM_ACCT_EXPIRED)
ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
else
ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
buffer_free(&buffer); buffer_free(&buffer);
pthread_exit(NULL); pthread_exit(NULL);
@ -643,8 +648,11 @@ sshpam_init_ctx(Authctxt *authctxt)
int socks[2]; int socks[2];
debug3("PAM: %s entering", __func__); debug3("PAM: %s entering", __func__);
/* Refuse to start if we don't have PAM enabled */ /*
if (!options.use_pam) * Refuse to start if we don't have PAM enabled or do_pam_account
* has previously failed.
*/
if (!options.use_pam || sshpam_account_status == 0)
return NULL; return NULL;
/* Initialize PAM */ /* Initialize PAM */
@ -721,8 +729,11 @@ sshpam_query(void *ctx, char **name, char **info,
plen++; plen++;
xfree(msg); xfree(msg);
break; break;
case PAM_ACCT_EXPIRED:
sshpam_account_status = 0;
/* FALLTHROUGH */
case PAM_AUTH_ERR: case PAM_AUTH_ERR:
debug3("PAM: PAM_AUTH_ERR"); debug3("PAM: %s", pam_strerror(sshpam_handle, type));
if (**prompts != NULL && strlen(**prompts) != 0) { if (**prompts != NULL && strlen(**prompts) != 0) {
*info = **prompts; *info = **prompts;
**prompts = NULL; **prompts = NULL;