diff --git a/ChangeLog b/ChangeLog index dffdd3713..2fed3fb38 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,8 @@ 20040911 - (djm) [ssh-agent.c] unifdef some cygwin code; ok dtucker@ + - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from + failing PAM session modules to user then exit, similar to the way + /etc/nologin is handled. ok djm@ 20040830 - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only @@ -1719,4 +1722,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3540 2004/09/11 05:18:05 djm Exp $ +$Id: ChangeLog,v 1.3541 2004/09/11 12:17:26 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index b93241f48..27b9bab23 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.115 2004/09/11 12:17:26 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -949,10 +949,21 @@ do_pam_session(void) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); sshpam_err = pam_open_session(sshpam_handle, 0); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: pam_open_session(): %s", + if (sshpam_err == PAM_SUCCESS) + sshpam_session_open = 1; + else { + sshpam_session_open = 0; + disable_forwarding(); + error("PAM: pam_open_session(): %s", pam_strerror(sshpam_handle, sshpam_err)); - sshpam_session_open = 1; + } + +} + +int +is_pam_session_open(void) +{ + return sshpam_session_open; } /* diff --git a/auth-pam.h b/auth-pam.h index f479413d7..a1a2b52d8 100644 --- a/auth-pam.h +++ b/auth-pam.h @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.26 2004/05/30 10:43:59 dtucker Exp $ */ +/* $Id: auth-pam.h,v 1.27 2004/09/11 12:17:26 dtucker Exp $ */ /* * Copyright (c) 2000 Damien Miller. All rights reserved. @@ -45,5 +45,6 @@ void free_pam_environment(char **); void sshpam_thread_cleanup(void); void sshpam_cleanup(void); int sshpam_auth_passwd(Authctxt *, const char *); +int is_pam_session_open(void); #endif /* USE_PAM */ diff --git a/session.c b/session.c index 89e1ec892..7a70b82e6 100644 --- a/session.c +++ b/session.c @@ -1439,6 +1439,13 @@ do_child(Session *s, const char *command) #endif /* HAVE_OSF_SIA */ } +#ifdef USE_PAM + if (options.use_pam && !is_pam_session_open()) { + display_loginmsg(); + exit(254); + } +#endif + /* * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh.