void pam_cleanup_proc(void *context)
{
- int retval;
+ int pam_retval;
if (pamh != NULL)
{
- retval = pam_close_session((pam_handle_t *)pamh, 0);
-
- if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS)
- log("Cannot release PAM authentication.");
+ pam_retval = pam_close_session((pam_handle_t *)pamh, 0);
+ if (pam_retval != PAM_SUCCESS)
+ {
+ log("Cannot close PAM session: %.200s",
+ pam_strerror((pam_handle_t *)pamh, pam_retval));
+ }
+
+ pam_retval = pam_end((pam_handle_t *)pamh, pam_retval);
+ if (pam_retval != PAM_SUCCESS)
+ {
+ log("Cannot release PAM authentication: %.200s",
+ pam_strerror((pam_handle_t *)pamh, pam_retval));
+ }
}
}
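Review bot: pamh is left holding the released handle after pam_end() at L18, so a second run of pam_cleanup_proc — it is registered with fatal_add_cleanup() later in this patch — would call pam_close_session() and pam_end() on freed state. Add `pamh = NULL;` as the last statement inside the `if (pamh != NULL)` block so the existing guard turns a repeat call into a no-op. The pam_strerror() calls at L15 and L22 also pass the handle after pam_close_session()/pam_end() has reported failure; whether the handle is still usable at that point depends on the PAM implementation, which is not visible here. The unchanged cleanup at L77–L83 has the same unreset handle.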
void do_pam_account_and_session(const char *username, const char *password, const char *remote_user, const char *remote_host)
{
- if (remote_host && (PAM_SUCCESS != pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host)))
+ int pam_retval;
+
+ if (remote_host != NULL)
{
- log("PAM setup failed.");
- eat_packets_and_disconnect(username);
+ debug("PAM setting rhost to \"%.200s\"", remote_host);
+ pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host);
+ if (pam_retval != PAM_SUCCESS)
+ {
+ log("PAM set rhost failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
+ eat_packets_and_disconnect(username);
+ }
}
-
- if (remote_user && (PAM_SUCCESS != pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user)))
+
+ if (remote_user != NULL)
{
- log("PAM setup failed.");
- eat_packets_and_disconnect(username);
+ debug("PAM setting ruser to \"%.200s\"", remote_user);
+ pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user);
+ if (pam_retval != PAM_SUCCESS)
+ {
+ log("PAM set ruser failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
+ eat_packets_and_disconnect(username);
+ }
}
-
- if (PAM_SUCCESS != pam_acct_mgmt((pam_handle_t *)pamh, 0))
+
+ pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0);
+ if (pam_retval != PAM_SUCCESS)
{
- log("PAM rejected by account configuration.");
+ log("PAM rejected by account configuration: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
eat_packets_and_disconnect(username);
}
- if (PAM_SUCCESS != pam_open_session((pam_handle_t *)pamh, 0))
+ pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
+ if (pam_retval != PAM_SUCCESS)
{
- log("PAM session setup failed.");
+ log("PAM session setup failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
eat_packets_and_disconnect(username);
}
}
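Review bot: The rhost and ruser blocks at L31–L41 and L46–L57 are the same eight lines with only the item, label and value swapped, so the log wording and the disconnect path now have to be kept in sync by hand. A small static helper taking the item, value, label and username keeps the format strings in one place and collapses each call site to one line. This keeps the existing assumption that eat_packets_and_disconnect() does not return, since a failed pam_acct_mgmt() at L62 would otherwise fall through into pam_open_session(); that function is not visible here.
```c
/* Set one PAM item or disconnect; `what` names the item in the log line. */
static void
do_pam_set_item(int item, const char *value, const char *what, const char *username)
{
	int pam_retval;

	debug("PAM setting %s to \"%.200s\"", what, value);
	pam_retval = pam_set_item((pam_handle_t *)pamh, item, value);
	if (pam_retval != PAM_SUCCESS)
	{
		log("PAM set %s failed: %.200s", what, pam_strerror((pam_handle_t *)pamh, pam_retval));
		eat_packets_and_disconnect(username);
	}
}

/* … in do_pam_account_and_session, replacing the two blocks … */
if (remote_host != NULL)
	do_pam_set_item(PAM_RHOST, remote_host, "rhost", username);
if (remote_user != NULL)
	do_pam_set_item(PAM_RUSER, remote_user, "ruser", username);
/* … unchanged: pam_acct_mgmt and pam_open_session handling … */
```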
if (pamh != NULL)
{
+ debug("Closing PAM session.");
retval = pam_close_session((pam_handle_t *)pamh, 0);
+ debug("Terminating PAM library.");
if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS)
log("Cannot release PAM authentication.");
char *client_user = NULL;
unsigned int client_host_key_bits;
BIGNUM *client_host_key_e, *client_host_key_n;
-
+#ifdef HAVE_LIBPAM
+ int pam_retval;
+#endif /* HAVE_LIBPAM */
+
#ifdef AFS
/* If machine has AFS, set process authentication group. */
if (k_hasafs()) {
pw = &pwcopy;
#ifdef HAVE_LIBPAM
- if (PAM_SUCCESS != pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh))
+ debug("Starting up PAM with username \"%.200s\"", pw->pw_name);
+ pam_retval = pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh);
+ if (pam_retval != PAM_SUCCESS)
{
- packet_start(SSH_SMSG_FAILURE);
- packet_send();
- packet_write_wait();
- packet_disconnect("PAM initialisation failed.");
+ log("PAM initialisation failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
+ eat_packets_and_disconnect(user);
}
-
- fatal_add_cleanup(&pam_cleanup_proc, NULL);
+ fatal_add_cleanup(&pam_cleanup_proc, NULL);
#endif
/* If we are not running as root, the user must have the same uid as the
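Review bot: The failure branch at L106 hands pamh to pam_strerror() after pam_start() has failed, so the handle was never successfully initialised and its value is whatever pam_start() left behind. Log the status without the handle, e.g. `log("PAM initialisation failed: %d", pam_retval);`, unless the PAM library in use is known to ignore the handle argument of pam_strerror(). The ordering at L111 is right: the cleanup is registered only once pam_start() has succeeded, provided eat_packets_and_disconnect() does not return. The enclosing function starts before this hunk.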
#ifdef HAVE_LIBPAM
pampasswd = password;
-
- if (PAM_SUCCESS == pam_authenticate((pam_handle_t *)pamh, 0))
+
+ pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
+ if (pam_retval == PAM_SUCCESS)
{
- log("PAM Password authentication accepted for %.100s.", user);
+ log("PAM Password authentication accepted for \"%.100s\"", user);
authenticated = 1;
break;
} else
{
- log("PAM Password authentication for %.100s failed.", user);
+ log("PAM Password authentication for \"%.100s\" failed: %s",
+ user, pam_strerror((pam_handle_t *)pamh, pam_retval));
break;
}
#else /* HAVE_LIBPAM */
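Review bot: The pam_strerror() result at L129 is formatted with a bare `%s`, while every other new log line in this patch bounds it with `%.200s`; use `%.200s` here too so this call truncates like the rest. Separately, `pampasswd = password;` at L115 is left pointing at the caller's buffer after pam_authenticate() returns, so if a later PAM call drives the conversation again it would read through a pointer whose lifetime this hunk does not control; resetting it with `pampasswd = NULL;` after the call makes that path fail closed rather than touch stale memory. The conversation function is not visible here, so that part is an inference. The enclosing loop starts outside the hunk.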
if (pw->pw_uid == 0 && !options.permit_root_login)
{
if (forced_command)
- log("Root login accepted for forced command.", forced_command);
+ log("Root login accepted for forced command.");
else
packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
get_canonical_hostname());
char **pam_env = pam_getenvlist((pam_handle_t *)pamh);
for(this_var = 0; pam_env && pam_env[this_var]; this_var++)
{
- if(strlen(pam_env[this_var]) < sizeof(var_name))
+ if(strlen(pam_env[this_var]) < (sizeof(var_name) - 1))
if((equal_sign = strstr(pam_env[this_var], "=")) != NULL)
{
memset(var_name, 0, sizeof(var_name));