Handle PAM_MAXTRIES from modules.
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer
password and keyboard-interative authentication methods. Should prevent
"sshd ignoring max retries" warnings in the log. ok djm@
It probably won't trigger with keyboard-interactive in the default
configuration because the retry counter is stored in module-private
storage which goes away with the sshd PAM process (see bz#688). On the
other hand, those cases probably won't log a warning either.
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 5520049..99dc13b 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -60,6 +60,7 @@
#include "packet.h"
#include "mac.h"
#include "log.h"
+#include "auth-pam.h"
#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */
#undef TARGET_OS_MAC
#include "zlib.h"
@@ -362,6 +363,9 @@
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m);
authenticated = buffer_get_int(&m);
+#ifdef USE_PAM
+ sshpam_set_maxtries_reached(buffer_get_int(&m));
+#endif
buffer_free(&m);
@@ -644,6 +648,7 @@
debug3("%s: pam_query returned %d", __func__, ret);
*name = buffer_get_string(&m, NULL);
*info = buffer_get_string(&m, NULL);
+ sshpam_set_maxtries_reached(buffer_get_int(&m));
*num = buffer_get_int(&m);
if (*num > PAM_MAX_NUM_MSG)
fatal("%s: recieved %u PAM messages, expected <= %u",