- (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test

[openssh.git] / auth2.c

diff --git a/auth2.c b/auth2.c
index a8c8bd283c2669fbb7e71d341382c479285fc7d3..d255242edb0716b18e91e49769bf6d8fd7c5c276 100644 (file)
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.106 2004/07/21 10:33:31 djm Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
 
 #include "ssh2.h"
 #include "xmalloc.h"
@@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.106 2004/07/21 10:33:31 djm Exp $");
 #include "dispatch.h"
 #include "pathnames.h"
 #include "monitor_wrap.h"
+#include "buffer.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.106 2004/07/21 10:33:31 djm Exp $");
 extern ServerOptions options;
 extern u_char *session_id2;
 extern u_int session_id2_len;
+extern Buffer loginmsg;
 
 /* methods */
 
@@ -154,18 +156,17 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
                        authctxt->valid = 1;
                        debug2("input_userauth_request: setting up authctxt for %s", user);
-#ifdef USE_PAM
-                       if (options.use_pam)
-                               PRIVSEP(start_pam(authctxt));
-#endif
                } else {
-                       logit("input_userauth_request: illegal user %s", user);
+                       logit("input_userauth_request: invalid user %s", user);
                        authctxt->pw = fakepw();
-#ifdef USE_PAM
-                       if (options.use_pam)
-                               PRIVSEP(start_pam(authctxt));
+#ifdef SSH_AUDIT_EVENTS
+                       PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
                }
+#ifdef USE_PAM
+               if (options.use_pam)
+                       PRIVSEP(start_pam(authctxt));
+#endif
                setproctitle("%s%s", authctxt->valid ? user : "unknown",
                    use_privsep ? " [net]" : "");
                authctxt->service = xstrdup(service);
@@ -212,12 +213,26 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 
        /* Special handling for root */
        if (authenticated && authctxt->pw->pw_uid == 0 &&
-           !auth_root_allowed(method))
+           !auth_root_allowed(method)) {
                authenticated = 0;
+#ifdef SSH_AUDIT_EVENTS
+               PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
+#endif
+       }
 
 #ifdef USE_PAM
-       if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
-               authenticated = 0;
+       if (options.use_pam && authenticated) {
+               if (!PRIVSEP(do_pam_account())) {
+                       /* if PAM returned a message, send it to the user */
+                       if (buffer_len(&loginmsg) > 0) {
+                               buffer_append(&loginmsg, "\0", 1);
+                               userauth_send_banner(buffer_ptr(&loginmsg));
+                               packet_write_wait();
+                       }
+                       fatal("Access denied for user %s by PAM account "
+                           "configuration", authctxt->user);
+               }
+       }
 #endif
 
 #ifdef _UNICOS
@@ -243,8 +258,12 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                /* now we can break out */
                authctxt->success = 1;
        } else {
-               if (authctxt->failures++ > options.max_authtries)
+               if (authctxt->failures++ > options.max_authtries) {
+#ifdef SSH_AUDIT_EVENTS
+                       PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
+#endif
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+               }
                methods = authmethods_get();
                packet_start(SSH2_MSG_USERAUTH_FAILURE);
                packet_put_cstring(methods);