- (djm) Add new UsePAM configuration directive to allow runtime control

[openssh.git] / auth1.c

diff --git a/auth1.c b/auth1.c
index c273f2fb6b5f56d0b180a10c049989c46b0aaa9a..6cb0b04b2ff9203d6720a5a3d1f7b8bf63eacef5 100644 (file)
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.47 2003/02/06 21:22:42 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.48 2003/04/08 20:21:28 itojun Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -73,7 +73,7 @@ do_authloop(Authctxt *authctxt)
        char info[1024];
        u_int dlen;
        u_int ulen;
-       int type = 0;
+       int prev, type = 0;
        struct passwd *pw = authctxt->pw;
 
        debug("Attempting authentication for %s%.100s.",
@@ -103,8 +103,20 @@ do_authloop(Authctxt *authctxt)
                info[0] = '\0';
 
                /* Get a packet from the client. */
+               prev = type;
                type = packet_read();
 
+               /*
+                * If we started challenge-response authentication but the
+                * next packet is not a response to our challenge, release
+                * the resources allocated by get_challenge() (which would
+                * normally have been released by verify_response() had we
+                * received such a response)
+                */
+               if (prev == SSH_CMSG_AUTH_TIS &&
+                   type != SSH_CMSG_AUTH_TIS_RESPONSE)
+                       abandon_challenge_response(authctxt);
+
                /* Process the packet. */
                switch (type) {
 
@@ -297,7 +309,7 @@ do_authloop(Authctxt *authctxt)
                         * Any unknown messages will be ignored (and failure
                         * returned) during authentication.
                         */
-                       log("Unknown message during authentication: type %d", type);
+                       logit("Unknown message during authentication: type %d", type);
                        break;
                }
 #ifdef BSD_AUTH
@@ -311,8 +323,6 @@ do_authloop(Authctxt *authctxt)
                            authctxt->user);
 
 #ifdef _UNICOS
-               if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated)
-                       cray_login_failure(authctxt->user, IA_UDBERR);
                if (authenticated && cray_access_denied(authctxt->user)) {
                        authenticated = 0;
                        fatal("Access denied for user %s.",authctxt->user);
@@ -332,11 +342,6 @@ do_authloop(Authctxt *authctxt)
                    !auth_root_allowed(get_authname(type)))
                        authenticated = 0;
 #endif
-#ifdef USE_PAM
-               if (!use_privsep && authenticated && 
-                   !do_pam_account(pw->pw_name, client_user))
-                       authenticated = 0;
-#endif
 
                /* Log before sending the reply */
                auth_log(authctxt, authenticated, get_authname(type), info);
@@ -349,9 +354,8 @@ do_authloop(Authctxt *authctxt)
                if (authenticated)
                        return;
 
-               if (authctxt->failures++ > AUTH_FAIL_MAX) {
+               if (authctxt->failures++ > AUTH_FAIL_MAX)
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
-               }
 
                packet_start(SSH_SMSG_FAILURE);
                packet_send();
@@ -404,7 +408,8 @@ do_authentication(void)
            use_privsep ? " [net]" : "");
 
 #ifdef USE_PAM
-       PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
+       if (options.use_pam)
+               PRIVSEP(start_pam(user));
 #endif
 
        /*