- (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
   Bug #892: Send messages from failing PAM account modules to the client via
   SSH2_MSG_USERAUTH_BANNER messages.  Note that this will not happen with
   SSH2 kbdint authentication, which needs to be dealt with separately.  ok djm@
diff --git a/auth2.c b/auth2.c
index b983095..57e6db4 100644
--- a/auth2.c
+++ b/auth2.c
@@ -35,6 +35,7 @@
 #include "dispatch.h"
 #include "pathnames.h"
 #include "monitor_wrap.h"
+#include "buffer.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -44,6 +45,7 @@
 extern ServerOptions options;
 extern u_char *session_id2;
 extern u_int session_id2_len;
+extern Buffer loginmsg;
 
 /* methods */
 
@@ -216,8 +218,17 @@
 		authenticated = 0;
 
 #ifdef USE_PAM
-	if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
-		authenticated = 0;
+	if (options.use_pam && authenticated) {
+		if (!PRIVSEP(do_pam_account())) {
+			authenticated = 0;
+			/* if PAM returned a message, send it to the user */
+			if (buffer_len(&loginmsg) > 0) {
+				buffer_append(&loginmsg, "\0", 1);
+				userauth_send_banner(buffer_ptr(&loginmsg));
+				buffer_clear(&loginmsg);
+			}
+		}
+	}
 #endif
 
 #ifdef _UNICOS
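Review bot: The banner path added inside the `USE_PAM` block forwards whatever text the PAM account modules left in `loginmsg` to a client whose login is being refused, and the one-line comment does not record why that is safe. As far as the hunk shows, it is reached only when `authenticated` was already non-zero, so only a client that passed the authentication method sees the account-status text. That guard is what keeps the message from revealing account state to unauthenticated clients, so I would state it in the comment, e.g. `/* Reached only after the auth method succeeded; keep inside the authenticated check so account status is not disclosed to unauthenticated clients. */`. The message is passed as a C string after appending a NUL, so it is cut at the first zero byte, and whether `userauth_send_banner` filters control characters from module-supplied text is not visible here and is worth confirming. The enclosing function begins and ends outside this hunk.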