Bugzilla – Attachment 1130 Details for Bug 1188: keyboard-interactive should not allow retry after pam_acct_mgmt fails
[patch] prevent retry of keyboard-interactive if PAM account check fails.
openssh-pam-kbdint-retry.patch (text/plain), 1.81 KB, created by Darren Tucker on 2006-05-03 12:45:09 AEST
>Index: auth-pam.c >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v >retrieving revision 1.132 >diff -u -p -r1.132 auth-pam.c >--- auth-pam.c 26 Mar 2006 03:22:48 -0000 1.132 >+++ auth-pam.c 3 May 2006 02:38:10 -0000 >@@ -443,8 +443,10 @@ sshpam_thread(void *ctxtp) > goto auth_fail; > > if (compat20) { >- if (!do_pam_account()) >+ if (!do_pam_account()) { >+ sshpam_err = PAM_ACCT_EXPIRED; > goto auth_fail; >+ } > if (sshpam_authctxt->force_pwchange) { > sshpam_err = pam_chauthtok(sshpam_handle, > PAM_CHANGE_EXPIRED_AUTHTOK); >@@ -486,7 +488,10 @@ sshpam_thread(void *ctxtp) > buffer_put_cstring(&buffer, > pam_strerror(sshpam_handle, sshpam_err)); > /* XXX - can't do much about an error here */ >- ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); >+ if (sshpam_err == PAM_ACCT_EXPIRED) >+ ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer); >+ else >+ ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); > buffer_free(&buffer); > pthread_exit(NULL); > >@@ -642,8 +647,11 @@ sshpam_init_ctx(Authctxt *authctxt) > int socks[2]; > > debug3("PAM: %s entering", __func__); >- /* Refuse to start if we don't have PAM enabled */ >- if (!options.use_pam) >+ /* >+ * Refuse to start if we don't have PAM enabled or do_pam_account >+ * has previously failed. >+ */ >+ if (!options.use_pam || sshpam_account_status == 0) > return NULL; > > /* Initialize PAM */ >@@ -720,8 +728,11 @@ sshpam_query(void *ctx, char **name, cha > plen++; > xfree(msg); > break; >+ case PAM_ACCT_EXPIRED: >+ sshpam_account_status = 0; >+ /* FALLTHROUGH */ > case PAM_AUTH_ERR: >- debug3("PAM: PAM_AUTH_ERR"); >+ debug3("PAM: %s", pam_strerror(sshpam_handle, type)); > if (**prompts != NULL && strlen(**prompts) != 0) { > *info = **prompts; > **prompts = NULL;
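Review bot: In the first sshpam_thread hunk (@@ -443), sshpam_err is set to PAM_ACCT_EXPIRED for every do_pam_account() failure, whatever the reason, so the pam_strerror(sshpam_handle, sshpam_err) text that the auth_fail path puts in the buffer will always describe an expired account. The value is acting as a marker for "account check failed, do not retry"; say so in a comment next to the assignment, or carry the marker separately from the error code used for the message.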
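Review bot: In the sshpam_init_ctx hunk (@@ -642), the new test "sshpam_account_status == 0" is only correct if the variable's not-yet-checked value is something other than 0, and its declaration and initial value are not part of this diff. The comment should state which value means "unchecked", and a debug line before "return NULL" would let the logs distinguish "PAM disabled" from "account check previously failed".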
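Review bot: In the sshpam_query hunk (@@ -720), the replacement debug3 passes the message type to pam_strerror(sshpam_handle, type), which relies on every message type that reaches this case also being a PAM return code. That holds for PAM_ACCT_EXPIRED and PAM_AUTH_ERR, but the coupling is implicit. A short comment on the new PAM_ACCT_EXPIRED case would help, noting that this is where the failure is recorded so that sshpam_init_ctx refuses the next keyboard-interactive attempt.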
Flags: djm: ok+