georg.schwarz at freenet.de, ok djm@.
- (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
default. Patch originally from tim@, ok djm
+ - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
+ do not allow kbdint again after the PAM account check fails. ok djm@
20050506
- (dtucker) OpenBSD CVS Syn
goto auth_fail;
if (compat20) {
- if (!do_pam_account())
+ if (!do_pam_account()) {
+ sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail;
+ }
if (sshpam_authctxt->force_pwchange) {
sshpam_err = pam_chauthtok(sshpam_handle,
PAM_CHANGE_EXPIRED_AUTHTOK);
buffer_put_cstring(&buffer,
pam_strerror(sshpam_handle, sshpam_err));
/* XXX - can't do much about an error here */
- ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+ if (sshpam_err == PAM_ACCT_EXPIRED)
+ ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
+ else
+ ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
buffer_free(&buffer);
pthread_exit(NULL);
int socks[2];
debug3("PAM: %s entering", __func__);
- /* Refuse to start if we don't have PAM enabled */
- if (!options.use_pam)
+ /*
+ * Refuse to start if we don't have PAM enabled or do_pam_account
+ * has previously failed.
+ */
+ if (!options.use_pam || sshpam_account_status == 0)
return NULL;
/* Initialize PAM */
plen++;
xfree(msg);
break;
+ case PAM_ACCT_EXPIRED:
+ sshpam_account_status = 0;
+ /* FALLTHROUGH */
case PAM_AUTH_ERR:
- debug3("PAM: PAM_AUTH_ERR");
+ debug3("PAM: %s", pam_strerror(sshpam_handle, type));
if (**prompts != NULL && strlen(**prompts) != 0) {
*info = **prompts;
**prompts = NULL;