- add -O
- sync -S w/ manpage
- remove -h
+ - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
+ subsequently denied by the PAM auth stack, send the PAM message to the
+ user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
+ ok djm@
20041107
- (dtucker) OpenBSD CVS Sync
#include "session.h"
#include "uidswap.h"
#include "monitor_wrap.h"
+#include "buffer.h"
/* import */
extern ServerOptions options;
+extern Buffer loginmsg;
/*
* convert ssh auth msg type into description
#ifdef USE_PAM
if (options.use_pam && authenticated &&
- !PRIVSEP(do_pam_account()))
- authenticated = 0;
+ !PRIVSEP(do_pam_account())) {
+ char *msg;
+ size_t len;
+
+ error("Access denied for user %s by PAM account "
+ "configuration", authctxt->user);
+ len = buffer_len(&loginmsg);
+ buffer_append(&loginmsg, "\0", 1);
+ msg = buffer_ptr(&loginmsg);
+ /* strip trailing newlines */
+ if (len > 0)
+ while (len > 0 && msg[--len] == '\n')
+ msg[len] = '\0';
+ else
+ msg = "Access denied.";
+ packet_disconnect(msg);
+ }
#endif
/* Log before sending the reply */
#ifdef USE_PAM
if (options.use_pam && authenticated) {
if (!PRIVSEP(do_pam_account())) {
- authenticated = 0;
/* if PAM returned a message, send it to the user */
if (buffer_len(&loginmsg) > 0) {
buffer_append(&loginmsg, "\0", 1);
userauth_send_banner(buffer_ptr(&loginmsg));
- buffer_clear(&loginmsg);
+ packet_write_wait();
}
+ fatal("Access denied for user %s by PAM account "
+ "configuration", authctxt->user);
}
}
#endif