- (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
authordtucker <dtucker>
Sat, 11 Sep 2004 13:07:03 +0000 (13:07 +0000)
committerdtucker <dtucker>
Sat, 11 Sep 2004 13:07:03 +0000 (13:07 +0000)
   Bug #892: Send messages from failing PAM account modules to the client via
   SSH2_MSG_USERAUTH_BANNER messages.  Note that this will not happen with
   SSH2 kbdint authentication, which needs to be dealt with separately.  ok djm@

ChangeLog
auth-pam.c
auth.h
auth2-none.c
auth2.c
monitor.c
monitor_wrap.c

index 78b873cebd616f93c81e2950da19942a4be8e1ec..afedbfd5b68e3f386e07efdb4cca0576434d6a5f 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@
  - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change.
  - (djm) [auth2-kbdint.c auth2-none.c  auth2-passwd.c auth2-pubkey.c] 
    Make cygwin code more consistent with that which surrounds it
+ - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
+   Bug #892: Send messages from failing PAM account modules to the client via
+   SSH2_MSG_USERAUTH_BANNER messages.  Note that this will not happen with
+   SSH2 kbdint authentication, which need to be dealt with separately.  ok djm@
 
 20040830
  - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only
index b9e66625b4d900de0d547484c4f7150659010c4d..3e489c06733a08304429da658fb48fb2d8bcaad0 100644 (file)
@@ -572,7 +572,7 @@ sshpam_init(Authctxt *authctxt)
        }
        debug("PAM: initializing for \"%s\"", user);
        sshpam_err =
-           pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
+           pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
        sshpam_authctxt = authctxt;
 
        if (sshpam_err != PAM_SUCCESS) {
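Review bot: The conversation function handed to pam_start is now store_conv for the whole PAM handle, not only for the pam_acct_mgmt call whose output this commit wants to capture, and the do_pam_setcred hunk below makes the same swap. How store_conv treats PAM_PROMPT_ECHO_ON/PAM_PROMPT_ECHO_OFF requests is not visible here; if it does anything other than fail them, a module that prompts from the account or setcred stack could now block sshd or proceed with an empty answer, so that is worth confirming. Once confirmed, a comment at the call site would make the choice explicit: `/* store_conv: collect PAM_TEXT_INFO/PAM_ERROR_MSG into loginmsg for later delivery; prompts are refused */`. sshpam_init's body continues outside the hunk.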
@@ -804,11 +804,13 @@ finish_pam(void)
 u_int
 do_pam_account(void)
 {
+       debug("%s: called", __func__);
        if (sshpam_account_status != -1)
                return (sshpam_account_status);
 
        sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
-       debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err);
+       debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
+           pam_strerror(sshpam_handle, sshpam_err));
        
        if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
                sshpam_account_status = 0;
@@ -838,7 +840,7 @@ void
 do_pam_setcred(int init)
 {
        sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-           (const void *)&null_conv);
+           (const void *)&store_conv);
        if (sshpam_err != PAM_SUCCESS)
                fatal("PAM: failed to set PAM_CONV: %s",
                    pam_strerror(sshpam_handle, sshpam_err));
diff --git a/auth.h b/auth.h
index 2f094403d631d65c4344e08017bbe048c6f3d862..760337bea36d7362bfe88bbefe4c39e9d8ce1aaf 100644 (file)
--- a/auth.h
+++ b/auth.h
@@ -137,6 +137,7 @@ void        do_authentication2(Authctxt *);
 
 void   auth_log(Authctxt *, int, char *, char *);
 void   userauth_finish(Authctxt *, int, char *);
+void   userauth_send_banner(const char *);
 int    auth_root_allowed(char *);
 
 char   *auth2_read_banner(void);
index 787458dadd7fc407f6a95e45eccf2f635377be65..1c30a3203e1f94c528a88590d7141d677a40eeb6 100644 (file)
@@ -74,6 +74,19 @@ auth2_read_banner(void)
        return (banner);
 }
 
+void
+userauth_send_banner(const char *msg)
+{
+       if (datafellows & SSH_BUG_BANNER)
+               return;
+
+       packet_start(SSH2_MSG_USERAUTH_BANNER);
+       packet_put_cstring(msg);
+       packet_put_cstring("");         /* language, unused */
+       packet_send();
+       debug("%s: sent", __func__);
+}
+
 static void
 userauth_banner(void)
 {
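Review bot: userauth_send_banner becomes a non-static helper exported through auth.h yet carries no contract comment, and its new caller in auth2.c hands it text that originated in PAM modules rather than the configured banner file. A short comment above the definition would spare the next reader a trip: `/* Send msg (NUL-terminated) to the client as SSH2_MSG_USERAUTH_BANNER. Silently dropped for SSH_BUG_BANNER peers, so callers cannot assume delivery. */`. The function also trusts msg to be non-NULL; whether packet_put_cstring tolerates NULL is not visible here, so either state the precondition in that comment or guard it with `if (msg == NULL) return;`.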
@@ -84,12 +97,8 @@ userauth_banner(void)
 
        if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
                goto done;
+       userauth_send_banner(banner);
 
-       packet_start(SSH2_MSG_USERAUTH_BANNER);
-       packet_put_cstring(banner);
-       packet_put_cstring("");         /* language, unused */
-       packet_send();
-       debug("userauth_banner: sent");
 done:
        if (banner)
                xfree(banner);
diff --git a/auth2.c b/auth2.c
index b98309576518f37dc41495c8b6c40e8d3315ed88..57e6db46b72eae330f4e96aa957edeb884df215e 100644 (file)
--- a/auth2.c
+++ b/auth2.c
@@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
 #include "dispatch.h"
 #include "pathnames.h"
 #include "monitor_wrap.h"
+#include "buffer.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
 extern ServerOptions options;
 extern u_char *session_id2;
 extern u_int session_id2_len;
+extern Buffer loginmsg;
 
 /* methods */
 
@@ -216,8 +218,17 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                authenticated = 0;
 
 #ifdef USE_PAM
-       if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
-               authenticated = 0;
+       if (options.use_pam && authenticated) {
+               if (!PRIVSEP(do_pam_account())) {
+                       authenticated = 0;
+                       /* if PAM returned a message, send it to the user */
+                       if (buffer_len(&loginmsg) > 0) {
+                               buffer_append(&loginmsg, "\0", 1);
+                               userauth_send_banner(buffer_ptr(&loginmsg));
+                               buffer_clear(&loginmsg);
+                       }
+               }
+       }
 #endif
 
 #ifdef _UNICOS
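Review bot: The text relayed here is whatever the PAM account modules emitted while refusing the account, and it goes to a client that has not authenticated (authenticated is cleared one line earlier). That is the stated intent of the commit, but the one-line comment should say so plainly, because what gets disclosed is decided by the PAM configuration rather than by sshd: `/* PAM refused the account: relay any module messages (e.g. the denial reason) to the still-unauthenticated client as a USERAUTH_BANNER */`. Note that the append of "\0" plus buffer_clear() consumes loginmsg only on this failure path; when the account check succeeds with pending messages, loginmsg is left alone here, presumably for display after login, which is also worth a word. userauth_finish starts and ends outside the hunk.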
index b7463400e688f0a3cf230ecd734b3744c8339e8a..00d4a785f63b1b8b3ce39f9cdd82928c6d70b57e 100644 (file)
--- a/monitor.c
+++ b/monitor.c
@@ -810,6 +810,9 @@ mm_answer_pam_account(int sock, Buffer *m)
        ret = do_pam_account();
 
        buffer_put_int(m, ret);
+       buffer_append(&loginmsg, "\0", 1);
+       buffer_put_cstring(m, buffer_ptr(&loginmsg));
+       buffer_clear(&loginmsg);
 
        mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
 
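Review bot: MONITOR_ANS_PAM_ACCOUNT now carries a string after the int, which is a monitor-protocol change paired with the reader in mm_do_pam_account (monitor_wrap.c), but nothing at this site says the two must stay in step. A comment would help: `/* also ship accumulated PAM messages to the child, which owns loginmsg from here on; format must match mm_do_pam_account() */`. The monitor's loginmsg is cleared unconditionally, regardless of ret, so after this point the child's copy is the only one. mm_answer_pam_account's body starts and ends outside the hunk.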
index 0d7a0e3bd9286baef5528972824652ebdd5964f8..23857639b869798d7a17756b75c465417670ad27 100644 (file)
@@ -72,6 +72,7 @@ extern struct monitor *pmonitor;
 extern Buffer input, output;
 extern Buffer loginmsg;
 extern ServerOptions options;
+extern Buffer loginmsg;
 
 int
 mm_is_monitor(void)
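Review bot: The added `extern Buffer loginmsg;` duplicates the identical declaration two lines above it (the one following `extern Buffer input, output;`). The compiler accepts a repeated compatible extern declaration, but it is noise and suggests the existing declarations were not checked before the edit. Drop the added line.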
@@ -716,6 +717,7 @@ mm_do_pam_account(void)
 {
        Buffer m;
        u_int ret;
+       char *msg;
 
        debug3("%s entering", __func__);
        if (!options.use_pam)
@@ -727,6 +729,9 @@ mm_do_pam_account(void)
        mm_request_receive_expect(pmonitor->m_recvfd,
            MONITOR_ANS_PAM_ACCOUNT, &m);
        ret = buffer_get_int(&m);
+       msg = buffer_get_string(&m, NULL);
+       buffer_append(&loginmsg, msg, strlen(msg));
+       xfree(msg);
 
        buffer_free(&m);
 
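Review bot: buffer_get_string(&m, NULL) discards the length the monitor sent and strlen(msg) then recomputes it, which relies on the returned string being NUL-terminated (I believe OpenSSH's Buffer API guarantees that, but it is not visible here). Asking for the length costs one declaration and makes no such assumption: `u_int len;` alongside `char *msg;`, then `msg = buffer_get_string(&m, &len); buffer_append(&loginmsg, msg, len);`. The data comes from the privileged monitor, so this is a style point rather than a trust issue; mm_do_pam_account's signature and tail lie outside the hunk.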