- (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
subsequently denied by the PAM auth stack, send the PAM message to the
user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
ok djm@
diff --git a/auth2.c b/auth2.c
index 57e6db4..60e261f 100644
--- a/auth2.c
+++ b/auth2.c
@@ -220,13 +220,14 @@
#ifdef USE_PAM
if (options.use_pam && authenticated) {
if (!PRIVSEP(do_pam_account())) {
- authenticated = 0;
/* if PAM returned a message, send it to the user */
if (buffer_len(&loginmsg) > 0) {
buffer_append(&loginmsg, "\0", 1);
userauth_send_banner(buffer_ptr(&loginmsg));
- buffer_clear(&loginmsg);
+ packet_write_wait();
}
+ fatal("Access denied for user %s by PAM account "
+ "configuration", authctxt->user);
}
}
#endif