author | dtucker <dtucker> | 2004-09-11 13:07:03 +0000 |
---|---|---|
committer | dtucker <dtucker> | 2004-09-11 13:07:03 +0000 |
commit | 9d83f23f2fcbfea1ce09025a87ef2528c979146b (patch) | |
tree | 7044c36b48e013d21fe6e98b0caf5cc69b5ac7b2 | |
parent | df28a1ce6463e9e4d83a1e15f92558fec2a95a61 (diff) | |
- (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
Bug #892: Send messages from failing PAM account modules to the client via
SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with
SSH2 kbdint authentication, which needs to be dealt with separately. ok djm@
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | auth-pam.c | 10 | ||||
-rw-r--r-- | auth.h | 1 | ||||
-rw-r--r-- | auth2-none.c | 19 | ||||
-rw-r--r-- | auth2.c | 15 | ||||
-rw-r--r-- | monitor.c | 3 | ||||
-rw-r--r-- | monitor_wrap.c | 5 |
7 files changed, 47 insertions, 12 deletions
@@ -6,6 +6,10 @@ - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change. - (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c] Make cygwin code more consistent with that which surrounds it + - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c] + Bug #892: Send messages from failing PAM account modules to the client via + SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with + SSH2 kbdint authentication, which need to be dealt with separately. ok djm@ 20040830 - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only @@ -1725,4 +1729,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3543 2004/09/11 12:42:09 djm Exp $ +$Id: ChangeLog,v 1.3544 2004/09/11 13:07:03 dtucker Exp $ @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.116 2004/09/11 12:28:02 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.117 2004/09/11 13:07:03 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -572,7 +572,7 @@ sshpam_init(Authctxt *authctxt) } debug("PAM: initializing for \"%s\"", user); sshpam_err = - pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); + pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); sshpam_authctxt = authctxt; if (sshpam_err != PAM_SUCCESS) { @@ -804,11 +804,13 @@ finish_pam(void) u_int do_pam_account(void) { + debug("%s: called", __func__); if (sshpam_account_status != -1) return (sshpam_account_status); sshpam_err = pam_acct_mgmt(sshpam_handle, 0); - debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err); + debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err, + pam_strerror(sshpam_handle, sshpam_err)); if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { sshpam_account_status = 0; 
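Review bot: In the do_pam_account hunk the early return on the cached sshpam_account_status means pam_acct_mgmt, and therefore store_conv, runs only on the first call; the message forwarded on that first failure is consumed by the caller, so a later call in the same session returns the cached failure with nothing left in loginmsg. Worth a comment at that return, e.g. `/* cached result: PAM account messages were only collected on the first call */`, or a look at whether the cached status should persist across failed attempts. The new `debug("%s: called", __func__);` also logs at a higher level than the `debug3` result line just below it; `debug3` would be consistent. do_pam_account's body continues outside the hunk.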
@@ -838,7 +840,7 @@ void do_pam_setcred(int init) { sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&null_conv); + (const void *)&store_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); @@ -137,6 +137,7 @@ void do_authentication2(Authctxt *); void auth_log(Authctxt *, int, char *, char *); void userauth_finish(Authctxt *, int, char *); +void userauth_send_banner(const char *); int auth_root_allowed(char *); char *auth2_read_banner(void); diff --git a/auth2-none.c b/auth2-none.c index 787458da..1c30a320 100644 --- a/auth2-none.c +++ b/auth2-none.c @@ -74,6 +74,19 @@ auth2_read_banner(void) return (banner); } +void +userauth_send_banner(const char *msg) +{ + if (datafellows & SSH_BUG_BANNER) + return; + + packet_start(SSH2_MSG_USERAUTH_BANNER); + packet_put_cstring(msg); + packet_put_cstring(""); /* language, unused */ + packet_send(); + debug("%s: sent", __func__); +} + static void userauth_banner(void) { @@ -84,12 +97,8 @@ userauth_banner(void) if ((banner = PRIVSEP(auth2_read_banner())) == NULL) goto done; + userauth_send_banner(banner); - packet_start(SSH2_MSG_USERAUTH_BANNER); - packet_put_cstring(banner); - packet_put_cstring(""); /* language, unused */ - packet_send(); - debug("userauth_banner: sent"); done: if (banner) xfree(banner); @@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $"); #include "dispatch.h" #include "pathnames.h" #include "monitor_wrap.h" +#include "buffer.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $"); extern ServerOptions options; extern u_char *session_id2; extern u_int session_id2_len; +extern Buffer loginmsg; /* methods */ 
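Review bot: The new exported `userauth_send_banner()` in auth2-none.c has no header comment although it is now declared in auth.h and, with this commit, carries both the banner file and PAM account-module text. A comment above it such as `/* Send msg to the client in a SSH2_MSG_USERAUTH_BANNER; silently a no-op for clients flagged SSH_BUG_BANNER. */` would document the contract, in particular that the SSH_BUG_BANNER early return drops the message without telling the caller, which matters once callers rely on the user seeing a PAM failure reason.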
@@ -216,8 +218,17 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) authenticated = 0; #ifdef USE_PAM - if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) - authenticated = 0; + if (options.use_pam && authenticated) { + if (!PRIVSEP(do_pam_account())) { + authenticated = 0; + /* if PAM returned a message, send it to the user */ + if (buffer_len(&loginmsg) > 0) { + buffer_append(&loginmsg, "\0", 1); + userauth_send_banner(buffer_ptr(&loginmsg)); + buffer_clear(&loginmsg); + } + } + } #endif #ifdef _UNICOS @@ -810,6 +810,9 @@ mm_answer_pam_account(int sock, Buffer *m) ret = do_pam_account(); buffer_put_int(m, ret); + buffer_append(&loginmsg, "\0", 1); + buffer_put_cstring(m, buffer_ptr(&loginmsg)); + buffer_clear(&loginmsg); mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m); diff --git a/monitor_wrap.c b/monitor_wrap.c index 0d7a0e3b..23857639 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -72,6 +72,7 @@ extern struct monitor *pmonitor; extern Buffer input, output; extern Buffer loginmsg; extern ServerOptions options; +extern Buffer loginmsg; int mm_is_monitor(void) @@ -716,6 +717,7 @@ mm_do_pam_account(void) { Buffer m; u_int ret; + char *msg; debug3("%s entering", __func__); if (!options.use_pam) @@ -727,6 +729,9 @@ mm_do_pam_account(void) mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_ACCOUNT, &m); ret = buffer_get_int(&m); + msg = buffer_get_string(&m, NULL); + buffer_append(&loginmsg, msg, strlen(msg)); + xfree(msg); buffer_free(&m); |
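Review bot: The branch added in userauth_finish forwards whatever the PAM account modules wrote into loginmsg verbatim to a client whose account check just failed, so module-supplied text becomes visible to that client; the inline comment should record that this is intended and that loginmsg is cleared so the same text is not shown again by the session. Suggest replacing the comment with `/* PAM account modules may leave a message for the user; send it verbatim as a banner and discard it so the session does not repeat it */`. userauth_finish continues outside the hunk.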
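Review bot: In monitor_wrap.c the added `extern Buffer loginmsg;` after `extern ServerOptions options;` duplicates the declaration already visible two lines above in the same hunk; it compiles but should be dropped. In mm_do_pam_account the received string is appended with `strlen(msg)`, which matches the cstring the monitor puts, but buffer_get_string also hands back the length, so `msg = buffer_get_string(&m, &len);` with `buffer_append(&loginmsg, msg, len);` would not depend on the terminator. mm_do_pam_account's body continues outside the hunk.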