- (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
subsequently denied by the PAM auth stack, send the PAM message to the
user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
ok djm@
diff --git a/auth1.c b/auth1.c
index 3f93b98..2a9d18b 100644
--- a/auth1.c
+++ b/auth1.c
@@ -25,9 +25,11 @@
#include "session.h"
#include "uidswap.h"
#include "monitor_wrap.h"
+#include "buffer.h"
/* import */
extern ServerOptions options;
+extern Buffer loginmsg;
/*
* convert ssh auth msg type into description
@@ -251,8 +253,23 @@
#ifdef USE_PAM
if (options.use_pam && authenticated &&
- !PRIVSEP(do_pam_account()))
- authenticated = 0;
+ !PRIVSEP(do_pam_account())) {
+ char *msg;
+ size_t len;
+
+ error("Access denied for user %s by PAM account "
+ "configuration", authctxt->user);
+ len = buffer_len(&loginmsg);
+ buffer_append(&loginmsg, "\0", 1);
+ msg = buffer_ptr(&loginmsg);
+ /* strip trailing newlines */
+ if (len > 0)
+ while (len > 0 && msg[--len] == '\n')
+ msg[len] = '\0';
+ else
+ msg = "Access denied.";
+ packet_disconnect(msg);
+ }
#endif
/* Log before sending the reply */