merge of OPENSSH_3_6_1P1_SIMON_20030411

[gssapi-openssh.git] / openssh / auth2.c

diff --git a/openssh/auth2.c b/openssh/auth2.c
index fcab3354706ced4f1ec67b517649247c4a47d6c3..4c19365b49e90660e3fbd310d4e088fc89633757 100644 (file)
--- a/openssh/auth2.c
+++ b/openssh/auth2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $");
 
 #include "ssh2.h"
 #include "ssh1.h"
@@ -232,6 +232,10 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                authctxt->style = style ? xstrdup(style) : NULL;
                if (use_privsep && (authctxt->attempt == 1))
                        mm_inform_authserv(service, style);
+       } else if (strcmp(service, authctxt->service) != 0) {
+               packet_disconnect("Change of service not allowed: "
+                   "(%s,%s) -> (%s,%s)",
+                   authctxt->user, authctxt->service, user, service);
        }
        /* reset state */
        auth2_challenge_stop(authctxt);
@@ -249,7 +253,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                debug2("input_userauth_request: try method %s", method);
                authenticated = m->userauth(authctxt);
        }
-
        userauth_finish(authctxt, authenticated, method);
 
        xfree(service);
@@ -267,8 +270,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                    authctxt->user);
 
        /* Special handling for root */
-       if (!use_privsep &&
-           authenticated && authctxt->pw->pw_uid == 0 &&
+       if (authenticated && authctxt->pw->pw_uid == 0 &&
            !auth_root_allowed(method))
                authenticated = 0;