X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/885ffc2bd8d0c1b730c589613b724b44fed75baf..97f0f2cce4eeef89047da2228a6bea6274065f1e:/openssh/auth2.c
diff --git a/openssh/auth2.c b/openssh/auth2.c
index ba791f3..48da9a9 100644
--- a/openssh/auth2.c
+++ b/openssh/auth2.c
@@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
 #include "dispatch.h"
 #include "pathnames.h"
 #include "monitor_wrap.h"
+#include "buffer.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
 extern ServerOptions options;
 extern u_char *session_id2;
 extern u_int session_id2_len;
+extern Buffer loginmsg;
 
 /* methods */
 
@@ -178,8 +180,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		if (authctxt->user) {
 			xfree(authctxt->user);
 			authctxt->user = NULL;
-			authctxt->valid = 0;
 		}
+		authctxt->valid = 0;
 #ifdef GSSAPI
 		/* If we're going to set the username based on the
 		   GSSAPI context later, then wait until then to
@@ -206,6 +208,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 #ifdef USE_PAM
 		if (options.use_pam)
 			PRIVSEP(start_pam(authctxt));
+#endif
+#ifdef SSH_AUDIT_EVENTS
+		PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
 	}
 #ifdef GSSAPI
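Review bot: The new `PRIVSEP(audit_event(SSH_INVALID_USER))` in the -206 hunk fires every time the branch it sits in is entered, and the `attempt == 1` guard added further down this file suggests the enclosing block is no longer one-shot per connection under GSSAPI; if that block can be re-entered for the same connection, an audit consumer would record one invalid-user event per re-entry rather than per connection. The enclosing condition starts outside the hunk, so this needs confirming there; if per-entry is intended, a comment such as `/* audited on every user (re)lookup, not once per connection */` would make that explicit. As a point of layout, the bare `#endif` directly followed by `#ifdef SSH_AUDIT_EVENTS` reads at a glance as if the audit call were inside the `USE_PAM` block; a blank line between the two preprocessor blocks separates them visually.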
@@ -213,12 +218,16 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 #endif
 		setproctitle("%s%s", authctxt->valid ? user : "unknown",
 		    use_privsep ? " [net]" : "");
-		if (authctxt->service == NULL) /* only set once */
-			authctxt->service = xstrdup(service);
-		if (authctxt->style == NULL) /* only set once */
-			authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep && (authctxt->attempt == 1))
+#ifdef GSSAPI
+		if (authctxt->attempt == 1) {
+#endif
+		authctxt->service = xstrdup(service);
+		authctxt->style = style ? xstrdup(style) : NULL;
+		if (use_privsep)
 			mm_inform_authserv(service, style);
+#ifdef GSSAPI
+		} /* if (authctxt->attempt == 1) */
+#endif
 	}
 	if (strcmp(service, authctxt->service) != 0) {
 		packet_disconnect("Change of service not allowed: "
@@ -259,12 +268,26 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 
 	/* Special handling for root */
 	if (authenticated && authctxt->pw->pw_uid == 0 &&
-	    !auth_root_allowed(method))
+	    !auth_root_allowed(method)) {
 		authenticated = 0;
+#ifdef SSH_AUDIT_EVENTS
+		PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
+#endif
+	}
 
 #ifdef USE_PAM
-	if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
-		authenticated = 0;
+	if (options.use_pam && authenticated) {
+		if (!PRIVSEP(do_pam_account())) {
+			/* if PAM returned a message, send it to the user */
+			if (buffer_len(&loginmsg) > 0) {
+				buffer_append(&loginmsg, "\0", 1);
+				userauth_send_banner(buffer_ptr(&loginmsg));
+				packet_write_wait();
+			}
+			fatal("Access denied for user %s by PAM account "
+			    "configuration", authctxt->user);
+		}
+	}
 #endif
 
 #ifdef _UNICOS
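Review bot: In the -213 hunk the GSSAPI build now assigns `authctxt->service` and `authctxt->style` only when `authctxt->attempt == 1`, replacing the old `== NULL /* only set once */` guards; if the enclosing block (its condition starts outside this hunk) can be skipped on the first attempt and entered on a later one, `authctxt->service` remains NULL and the `strcmp(service, authctxt->service)` two lines below dereferences it. Keeping the NULL-based guards preserves the original intent without depending on the attempt counter: `if (authctxt->service == NULL) authctxt->service = xstrdup(service);` and the matching line for `style`. Separately, opening `if (authctxt->attempt == 1) {` inside one `#ifdef GSSAPI` and closing it inside another is fragile to edit; computing a local flag under the `#ifdef` (`int first_attempt = 1;` overridden to `authctxt->attempt == 1` only for GSSAPI) and then writing a single unconditional `if (first_attempt) { ... }` keeps the braces balanced in both builds.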
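Review bot: The PAM account-denied path in the -259 hunk ends in `fatal()` without emitting an audit event, whereas the two other denial paths this commit touches (`SSH_LOGIN_ROOT_DENIED` in the same hunk and `SSH_LOGIN_EXCEED_MAXTRIES` in the next) do; an audit-enabled build would therefore see the connection end with no login-failure record for this case, unless fatal's cleanup hook already accounts for it, which is not visible here. The banner handling itself is sound: the appended NUL terminates `buffer_ptr(&loginmsg)` before `userauth_send_banner`, and `packet_write_wait()` flushes it before `fatal()` tears the connection down. The switch from `authenticated = 0` to `fatal()` is easy to miss on reading and deserves a comment on that line, e.g. `/* unlike the root check above, PAM account denial is terminal: no USERAUTH_FAILURE and no retry */`. userauth_finish continues past the hunk on both sides.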
@@ -290,8 +313,12 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 		/* now we can break out */
 		authctxt->success = 1;
 	} else {
-		if (authctxt->failures++ > options.max_authtries)
+		if (authctxt->failures++ > options.max_authtries) {
+#ifdef SSH_AUDIT_EVENTS
+			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
+#endif
 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+		}
 		methods = authmethods_get();
 		packet_start(SSH2_MSG_USERAUTH_FAILURE);
 		packet_put_cstring(methods);
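Review bot: The new `SSH_LOGIN_EXCEED_MAXTRIES` audit event inherits the comparison on the line it braces: `failures++ > options.max_authtries` tests the pre-increment value with a strict inequality, so the disconnect (and now the audit record) is issued only on the failure after the one that reached the configured limit, and a monitoring rule keyed on `max_authtries` will count one attempt more than expected. This predates the commit, but since the line is being edited anyway, `if (authctxt->failures++ >= options.max_authtries) {` aligns the event with the limit if that is the intended semantics; worth confirming against how `max_authtries` is documented. The enclosing `else` branch and the remainder of userauth_finish continue past the end of the hunk.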