- (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
   failing PAM session modules to user then exit, similar to the way
   /etc/nologin is handled.  ok djm@
diff --git a/ChangeLog b/ChangeLog
index dffdd37..2fed3fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 20040911
  - (djm) [ssh-agent.c] unifdef some cygwin code; ok dtucker@
+ - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
+   failing PAM session modules to user then exit, similar to the way
+   /etc/nologin is handled.  ok djm@
 
 20040830
  - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only
@@ -1719,4 +1722,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3540 2004/09/11 05:18:05 djm Exp $
+$Id: ChangeLog,v 1.3541 2004/09/11 12:17:26 dtucker Exp $
diff --git a/auth-pam.c b/auth-pam.c
index b93241f..27b9bab 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.115 2004/09/11 12:17:26 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -949,10 +949,21 @@
 		fatal("PAM: failed to set PAM_CONV: %s",
 		    pam_strerror(sshpam_handle, sshpam_err));
 	sshpam_err = pam_open_session(sshpam_handle, 0);
-	if (sshpam_err != PAM_SUCCESS)
-		fatal("PAM: pam_open_session(): %s",
+	if (sshpam_err == PAM_SUCCESS)
+		sshpam_session_open = 1;
+	else {
+		sshpam_session_open = 0;
+		disable_forwarding();
+		error("PAM: pam_open_session(): %s",
 		    pam_strerror(sshpam_handle, sshpam_err));
-	sshpam_session_open = 1;
+	}
+
+}
+
+int
+is_pam_session_open(void)
+{
+	return sshpam_session_open;
 }
 
 /*
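Review bot: Downgrading the `pam_open_session()` failure from `fatal()` to `error()` makes this path fail open unless every later code path consults `is_pam_session_open()`, and the only check visible in this patch is the one added to session.c. Session modules commonly apply policy (resource limits, access restrictions, per-login setup), so any route to a shell or command that bypasses that check would run without it; the other callers are not visible from this hunk, so please confirm there are none. I would state the contract above the new accessor, e.g. `/* Returns 0 if pam_open_session() did not succeed; callers must not start the user's session in that case. */`. The blank line left before the closing brace of the enclosing function (which starts outside the hunk) can also go.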
diff --git a/auth-pam.h b/auth-pam.h
index f479413..a1a2b52 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.26 2004/05/30 10:43:59 dtucker Exp $ */
+/* $Id: auth-pam.h,v 1.27 2004/09/11 12:17:26 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000 Damien Miller.  All rights reserved.
@@ -45,5 +45,6 @@
 void sshpam_thread_cleanup(void);
 void sshpam_cleanup(void);
 int sshpam_auth_passwd(Authctxt *, const char *);
+int is_pam_session_open(void);
 
 #endif /* USE_PAM */
diff --git a/session.c b/session.c
index 89e1ec8..7a70b82 100644
--- a/session.c
+++ b/session.c
@@ -1439,6 +1439,13 @@
 #endif /* HAVE_OSF_SIA */
 	}
 
+#ifdef USE_PAM
+	if (options.use_pam && !is_pam_session_open()) {
+		display_loginmsg();
+		exit(254);
+	}
+#endif
+
 	/*
 	 * Get the shell from the password data.  An empty shell field is
 	 * legal, and means /bin/sh.
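Review bot: Nothing is logged where the child exits, so the server log carries only the earlier `error("PAM: pam_open_session(): ...")` line and no record that the login was refused at this point; adding `logit("PAM session not opened, exiting");` before `display_loginmsg()` would make the refusal traceable. The literal `254` deserves a short comment, for instance `/* same exit status as the /etc/nologin path */` if that is the intent the commit message describes. It is also worth confirming that every path reaching this check has attempted to open the PAM session, because `is_pam_session_open()` presumably returns 0 when it was never attempted, which would lock the user out with an empty message. The enclosing function starts and ends outside the hunk.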