- (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is

   subsequently denied by the PAM auth stack, send the PAM message to the
   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
   ok djm@

diff --git a/ChangeLog b/ChangeLog
index f93b3628239276ce1789a52e7911a775dcec454e..10ad58f7a853746d81966e83938341579640d275 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,10 @@
      - add -O
      - sync -S w/ manpage
      - remove -h
+ - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
+   subsequently denied by the PAM auth stack, send the PAM message to the
+   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
+   ok djm@
 
 20041107
  - (dtucker) OpenBSD CVS Sync

diff --git a/auth1.c b/auth1.c
index 3f93b9869f1e2cab3246119df4370a4c69000d26..2a9d18b9a23982b5fefc5082eefddd3ffb45d5a2 100644 (file)
--- a/auth1.c
+++ b/auth1.c
@@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
 #include "session.h"
 #include "uidswap.h"
 #include "monitor_wrap.h"
+#include "buffer.h"
 
 /* import */
 extern ServerOptions options;
+extern Buffer loginmsg;
 
 /*
  * convert ssh auth msg type into description
@@ -251,8 +253,23 @@ do_authloop(Authctxt *authctxt)
 
 #ifdef USE_PAM
                if (options.use_pam && authenticated &&
-                   !PRIVSEP(do_pam_account()))
-                       authenticated = 0;
+                   !PRIVSEP(do_pam_account())) {
+                       char *msg;
+                       size_t len;
+
+                       error("Access denied for user %s by PAM account "
+                          "configuration", authctxt->user);
+                       len = buffer_len(&loginmsg);
+                       buffer_append(&loginmsg, "\0", 1);
+                       msg = buffer_ptr(&loginmsg);
+                       /* strip trailing newlines */
+                       if (len > 0)
+                               while (len > 0 && msg[--len] == '\n')
+                                       msg[len] = '\0';
+                       else
+                               msg = "Access denied.";
+                       packet_disconnect(msg);
+               }
 #endif
 
                /* Log before sending the reply */

diff --git a/auth2.c b/auth2.c
index 57e6db46b72eae330f4e96aa957edeb884df215e..60e261f7f452caa55fe3a2086ff91e5337a92607 100644 (file)
--- a/auth2.c
+++ b/auth2.c
@@ -220,13 +220,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #ifdef USE_PAM
        if (options.use_pam && authenticated) {
                if (!PRIVSEP(do_pam_account())) {
-                       authenticated = 0;
                        /* if PAM returned a message, send it to the user */
                        if (buffer_len(&loginmsg) > 0) {
                                buffer_append(&loginmsg, "\0", 1);
                                userauth_send_banner(buffer_ptr(&loginmsg));
-                               buffer_clear(&loginmsg);
+                               packet_write_wait();
                        }
+                       fatal("Access denied for user %s by PAM account "
+                          "configuration", authctxt->user);
                }
        }
 #endif