- (djm) Don't accept PAM_PROMPT_ECHO_ON messages during initial auth
diff --git a/auth-pam.c b/auth-pam.c
index 57a558d..f4cbd46 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -29,7 +29,7 @@
#include "xmalloc.h"
#include "servconf.h"
-RCSID("$Id: auth-pam.c,v 1.14 2000/10/07 11:16:55 stevesk Exp $");
+RCSID("$Id: auth-pam.c,v 1.15 2000/10/14 00:16:12 djm Exp $");
#define NEW_AUTHTOK_MSG \
"Warning: Your password has expired, please change it now"
@@ -83,11 +83,16 @@
for (count = 0; count < num_msg; count++) {
switch ((*msg)[count].msg_style) {
case PAM_PROMPT_ECHO_ON:
- fputs((*msg)[count].msg, stderr);
- fgets(buf, sizeof(buf), stdin);
- reply[count].resp = xstrdup(buf);
- reply[count].resp_retcode = PAM_SUCCESS;
- break;
+ if (pamstate == INITIAL_LOGIN) {
+ free(reply);
+ return PAM_CONV_ERR;
+ } else {
+ fputs((*msg)[count].msg, stderr);
+ fgets(buf, sizeof(buf), stdin);
+ reply[count].resp = xstrdup(buf);
+ reply[count].resp_retcode = PAM_SUCCESS;
+ break;
+ }
case PAM_PROMPT_ECHO_OFF:
if (pamstate == INITIAL_LOGIN) {
if (pampasswd == NULL) {
@@ -95,8 +100,10 @@
return PAM_CONV_ERR;
}
reply[count].resp = xstrdup(pampasswd);
- } else
- reply[count].resp = xstrdup(read_passphrase((*msg)[count].msg, 1));
+ } else {
+ reply[count].resp =
+ xstrdup(read_passphrase((*msg)[count].msg, 1));
+ }
reply[count].resp_retcode = PAM_SUCCESS;
break;
case PAM_ERROR_MSG: