- (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from

failing PAM session modules to user then exit, similar to the way /etc/nologin is handled. ok djm@
2024-12-22 10:00:14 +00:00 · 2004-09-11 22:17:26 +10:00 · 2004-09-11 22:17:26 +10:00 · 69687f4b65
commit 69687f4b65
parent 928a19ad9e
4 changed files with 28 additions and 6 deletions
--- a/5
+++ b/5
@ -1,5 +1,8 @@
 20040911
 - (djm) [ssh-agent.c] unifdef some cygwin code; ok dtucker@
+ - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
+   failing PAM session modules to user then exit, similar to the way
+   /etc/nologin is handled.  ok djm@

 20040830
 - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only
@ -1719,4 +1722,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu

-$Id: ChangeLog,v 1.3540 2004/09/11 05:18:05 djm Exp $
+$Id: ChangeLog,v 1.3541 2004/09/11 12:17:26 dtucker Exp $
--- a/auth-pam.c
+++ b/auth-pam.c
@ -47,7 +47,7 @@

 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.115 2004/09/11 12:17:26 dtucker Exp $");

 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@ -949,10 +949,21 @@ do_pam_session(void)
 		fatal("PAM: failed to set PAM_CONV: %s",
 		    pam_strerror(sshpam_handle, sshpam_err));
 	sshpam_err = pam_open_session(sshpam_handle, 0);
-	if (sshpam_err != PAM_SUCCESS)
-		fatal("PAM: pam_open_session(): %s",
+	if (sshpam_err == PAM_SUCCESS)
+		sshpam_session_open = 1;
+	else {
+		sshpam_session_open = 0;
+		disable_forwarding();
+		error("PAM: pam_open_session(): %s",
 		    pam_strerror(sshpam_handle, sshpam_err));
-	sshpam_session_open = 1;
+	}
+
+}
+
+int
+is_pam_session_open(void)
+{
+	return sshpam_session_open;
 }

 /*
--- a/auth-pam.h
+++ b/auth-pam.h
@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.26 2004/05/30 10:43:59 dtucker Exp $ */
+/* $Id: auth-pam.h,v 1.27 2004/09/11 12:17:26 dtucker Exp $ */

 /*
 * Copyright (c) 2000 Damien Miller.  All rights reserved.
@ -45,5 +45,6 @@ void free_pam_environment(char **);
 void sshpam_thread_cleanup(void);
 void sshpam_cleanup(void);
 int sshpam_auth_passwd(Authctxt *, const char *);
+int is_pam_session_open(void);

 #endif /* USE_PAM */
--- a/session.c
+++ b/session.c
@ -1439,6 +1439,13 @@ do_child(Session *s, const char *command)
 #endif /* HAVE_OSF_SIA */
 	}

+#ifdef USE_PAM
+	if (options.use_pam && !is_pam_session_open()) {
+		display_loginmsg();
+		exit(254);
+	}
+#endif
+
 	/*
 	 * Get the shell from the password data.  An empty shell field is
 	 * legal, and means /bin/sh.