- (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change.
- (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c]
Make cygwin code more consistent with that which surrounds it
+ - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
+ Bug #892: Send messages from failing PAM account modules to the client via
+ SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with
+ SSH2 kbdint authentication, which need to be dealt with separately. ok djm@
20040830
- (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only
}
debug("PAM: initializing for \"%s\"", user);
sshpam_err =
- pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
+ pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
sshpam_authctxt = authctxt;
if (sshpam_err != PAM_SUCCESS) {
u_int
do_pam_account(void)
{
+ debug("%s: called", __func__);
if (sshpam_account_status != -1)
return (sshpam_account_status);
sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
- debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err);
+ debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
+ pam_strerror(sshpam_handle, sshpam_err));
if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
sshpam_account_status = 0;
do_pam_setcred(int init)
{
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
- (const void *)&null_conv);
+ (const void *)&store_conv);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
void auth_log(Authctxt *, int, char *, char *);
void userauth_finish(Authctxt *, int, char *);
+void userauth_send_banner(const char *);
int auth_root_allowed(char *);
char *auth2_read_banner(void);
return (banner);
}
+void
+userauth_send_banner(const char *msg)
+{
+ if (datafellows & SSH_BUG_BANNER)
+ return;
+
+ packet_start(SSH2_MSG_USERAUTH_BANNER);
+ packet_put_cstring(msg);
+ packet_put_cstring(""); /* language, unused */
+ packet_send();
+ debug("%s: sent", __func__);
+}
+
static void
userauth_banner(void)
{
if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
goto done;
+ userauth_send_banner(banner);
- packet_start(SSH2_MSG_USERAUTH_BANNER);
- packet_put_cstring(banner);
- packet_put_cstring(""); /* language, unused */
- packet_send();
- debug("userauth_banner: sent");
done:
if (banner)
xfree(banner);
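Review bot: The new `userauth_send_banner()` is now a shared helper (auth.h exports it and auth2.c calls it with PAM text) but has no header comment stating its contract; add one above the definition, e.g. `/* Send msg to the client as a SSH2_MSG_USERAUTH_BANNER. msg must be NUL-terminated; nothing is sent to clients flagged SSH_BUG_BANNER. */`. Because the datafellows check lives only in the helper, every caller silently drops its message for such clients, which is the intended behaviour here but worth stating. If userauth_banner also tested SSH_BUG_BANNER before this change (not visible in the hunk), that test is now redundant but harmless. userauth_banner's opening lines, including the declaration of banner, lie outside the hunk.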
#include "dispatch.h"
#include "pathnames.h"
#include "monitor_wrap.h"
+#include "buffer.h"
#ifdef GSSAPI
#include "ssh-gss.h"
extern ServerOptions options;
extern u_char *session_id2;
extern u_int session_id2_len;
+extern Buffer loginmsg;
/* methods */
authenticated = 0;
#ifdef USE_PAM
- if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
- authenticated = 0;
+ if (options.use_pam && authenticated) {
+ if (!PRIVSEP(do_pam_account())) {
+ authenticated = 0;
+ /* if PAM returned a message, send it to the user */
+ if (buffer_len(&loginmsg) > 0) {
+ buffer_append(&loginmsg, "\0", 1);
+ userauth_send_banner(buffer_ptr(&loginmsg));
+ buffer_clear(&loginmsg);
+ }
+ }
+ }
#endif
#ifdef _UNICOS
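Review bot: The `buffer_append(&loginmsg, "\0", 1)` in the new PAM block is unexplained and reads like a stray write; it is needed because loginmsg is a raw Buffer and `userauth_send_banner()` passes its argument to `packet_put_cstring()`, so a comment such as `/* loginmsg is not NUL-terminated; terminate it before handing it over as a C string */` would help. The same idiom precedes `buffer_put_cstring()` in the monitor.c hunk and deserves the same comment. Note also that the text is forwarded only when the account check fails; whatever PAM stored on success stays in loginmsg, presumably for display at session start, which is worth confirming and recording in the existing comment. userauth_finish starts and ends outside this hunk.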
ret = do_pam_account();
buffer_put_int(m, ret);
+ buffer_append(&loginmsg, "\0", 1);
+ buffer_put_cstring(m, buffer_ptr(&loginmsg));
+ buffer_clear(&loginmsg);
mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
extern Buffer input, output;
extern Buffer loginmsg;
extern ServerOptions options;
+extern Buffer loginmsg;
int
mm_is_monitor(void)
{
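Review bot: The added `extern Buffer loginmsg;` duplicates the declaration already present two lines above it, between the `input, output` and `options` externs; a repeated compatible extern is legal C but is noise and suggests the existing line was overlooked. Drop the added line and keep the original declaration.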
Buffer m;
u_int ret;
+ char *msg;
debug3("%s entering", __func__);
if (!options.use_pam)
mm_request_receive_expect(pmonitor->m_recvfd,
MONITOR_ANS_PAM_ACCOUNT, &m);
ret = buffer_get_int(&m);
+ msg = buffer_get_string(&m, NULL);
+ buffer_append(&loginmsg, msg, strlen(msg));
+ xfree(msg);
buffer_free(&m);