X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/7e82606eb98e6071e4ad650b91a75933c1358485..97f0f2cce4eeef89047da2228a6bea6274065f1e:/openssh/auth2.c?ds=sidebyside

diff --git a/openssh/auth2.c b/openssh/auth2.c
index e9aaad8..48da9a9 100644
--- a/openssh/auth2.c
+++ b/openssh/auth2.c
@@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
 #include "dispatch.h"
 #include "pathnames.h"
 #include "monitor_wrap.h"
+#include "buffer.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
 extern ServerOptions options;
 extern u_char *session_id2;
 extern u_int session_id2_len;
+extern Buffer loginmsg;
 
 /* methods */
 
@@ -179,14 +181,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		    xfree(authctxt->user);
 		    authctxt->user = NULL;
 		}
-		if (authctxt->service) {
-		    xfree(authctxt->service);
-		    authctxt->service = NULL;
-		}
-		if (authctxt->style) {
-		    xfree(authctxt->style);
-		    authctxt->style = NULL;
-		}
 		authctxt->valid = 0;
 #ifdef GSSAPI
 		/* If we're going to set the username based on the
@@ -214,6 +208,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 #ifdef USE_PAM
 			if (options.use_pam)
 				PRIVSEP(start_pam(authctxt));
+#endif
+#ifdef SSH_AUDIT_EVENTS
+			PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
 		}
 #ifdef GSSAPI
@@ -221,11 +218,18 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 #endif
 		setproctitle("%s%s", authctxt->valid ? user : "unknown",
 		    use_privsep ? " [net]" : "");
+#ifdef GSSAPI
+		if (authctxt->attempt == 1) {
+#endif
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep && (authctxt->attempt == 1))
+		if (use_privsep)
 			mm_inform_authserv(service, style);
-	} else if (strcmp(service, authctxt->service) != 0) {
+#ifdef GSSAPI
+		} /* if (authctxt->attempt == 1) */
+#endif
+	}
+	if (strcmp(service, authctxt->service) != 0) {
 		packet_disconnect("Change of service not allowed: "
 		    "(%s,%s) -> (%s,%s)",
 		    authctxt->user, authctxt->service, user, service);
@@ -264,12 +268,26 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 
 	/* Special handling for root */
 	if (authenticated && authctxt->pw->pw_uid == 0 &&
-	    !auth_root_allowed(method))
+	    !auth_root_allowed(method)) {
 		authenticated = 0;
+#ifdef SSH_AUDIT_EVENTS
+		PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
+#endif
+	}
 
 #ifdef USE_PAM
-	if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
-		authenticated = 0;
+	if (options.use_pam && authenticated) {
+		if (!PRIVSEP(do_pam_account())) {
+			/* if PAM returned a message, send it to the user */
+			if (buffer_len(&loginmsg) > 0) {
+				buffer_append(&loginmsg, "\0", 1);
+				userauth_send_banner(buffer_ptr(&loginmsg));
+				packet_write_wait();
+			}
+			fatal("Access denied for user %s by PAM account "
+			   "configuration", authctxt->user);
+		}
+	}
 #endif
 
 #ifdef _UNICOS
@@ -295,8 +313,12 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 		/* now we can break out */
 		authctxt->success = 1;
 	} else {
-		if (authctxt->failures++ > options.max_authtries)
+		if (authctxt->failures++ > options.max_authtries) {
+#ifdef SSH_AUDIT_EVENTS
+			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
+#endif
 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+		}
 		methods = authmethods_get();
 		packet_start(SSH2_MSG_USERAUTH_FAILURE);
 		packet_put_cstring(methods);