
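--- a/auth-pam.c
+++ b/auth-pam.c
@@ -229,6 +229,7 @@ static int sshpam_authenticated = 0;
 static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
+static int sshpam_maxtries_reached = 0;
 static char **sshpam_env = NULL;
 static Authctxt *sshpam_authctxt = NULL;
 static const char *sshpam_password = NULL;
@@ -468,6 +469,8 @@ sshpam_thread(void *ctxtp)
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;
 	sshpam_err = pam_authenticate(sshpam_handle, flags);
+	if (sshpam_err == PAM_MAXTRIES)
+		sshpam_set_maxtries_reached(1);
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;
 
@@ -519,6 +522,8 @@ sshpam_thread(void *ctxtp)
 	/* XXX - can't do much about an error here */
 	if (sshpam_err == PAM_ACCT_EXPIRED)
 		ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
+	else if (sshpam_maxtries_reached)
+		ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
 	else
 		ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
 	buffer_free(&buffer);
@@ -759,7 +764,11 @@ sshpam_query(void *ctx, char **name, char **info,
 			free(msg);
 			break;
 		case PAM_ACCT_EXPIRED:
-			sshpam_account_status = 0;
+		case PAM_MAXTRIES:
+			if (type == PAM_ACCT_EXPIRED)
+				sshpam_account_status = 0;
+			if (type == PAM_MAXTRIES)
+				sshpam_set_maxtries_reached(1);
 			/* FALLTHROUGH */
 		case PAM_AUTH_ERR:
 			debug3("PAM: %s", pam_strerror(sshpam_handle, type));
@@ -1208,6 +1217,10 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 
 	sshpam_err = pam_authenticate(sshpam_handle, flags);
 	sshpam_password = NULL;
+	if (sshpam_err == PAM_MAXTRIES) {
+		debug3("PAM: %s maxtries reached", __func__);
+		sshpam_set_maxtries_reached(1);
+	}
 	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
 		debug("PAM: password authentication accepted for %.100s",
 		    authctxt->user);
@@ -1219,4 +1232,21 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 		return 0;
 	}
 }
+
+int
+sshpam_get_maxtries_reached(void)
+{
+	return sshpam_maxtries_reached;
+}
+
+void
+sshpam_set_maxtries_reached(int reached)
+{
+	if (reached == 0 || sshpam_maxtries_reached)
+		return;
+	sshpam_maxtries_reached = 1;
+	options.password_authentication = 0;
+	options.kbd_interactive_authentication = 0;
+	options.challenge_response_authentication = 0;
+}
 #endif /* USE_PAM */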
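Review bot: `sshpam_set_maxtries_reached()` at the end of the file clears three global `options` fields for the rest of the connection, yet the only trace of it is the `debug3` in `sshpam_auth_passwd`; the `sshpam_thread` and `sshpam_query` paths set the flag without logging anything. A PAM_MAXTRIES result is a useful signal for anyone reviewing failed logins, so one message inside the setter at a level that is kept by default would cover every caller, for example `logit("PAM: maximum authentication tries reached, disabling password and keyboard-interactive methods");` placed just before `sshpam_maxtries_reached = 1;` (the early return already limits it to once per process). The function also deserves a header comment stating that it latches (a zero argument is ignored, so the flag can never be cleared) and that it mutates `options`, since neither is what a caller expects from a plain setter.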
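--- a/auth-pam.h
+++ b/auth-pam.h
@@ -45,6 +45,8 @@ void free_pam_environment(char **);
 void sshpam_thread_cleanup(void);
 void sshpam_cleanup(void);
 int sshpam_auth_passwd(Authctxt *, const char *);
+int sshpam_get_maxtries_reached(void);
+void sshpam_set_maxtries_reached(int);
 int is_pam_session_open(void);
 
 #endif /* USE_PAM */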
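--- a/monitor.c
+++ b/monitor.c
@@ -75,6 +75,7 @@
 #include "cipher.h"
 #include "kex.h"
 #include "dh.h"
+#include "auth-pam.h"
 #ifdef TARGET_OS_MAC	/* XXX Broken krb5 headers on Mac */
 #undef TARGET_OS_MAC
 #include "zlib.h"
@@ -920,6 +921,9 @@ mm_answer_authpassword(int sock, Buffer *m)
 
 	buffer_clear(m);
 	buffer_put_int(m, authenticated);
+#ifdef USE_PAM
+	buffer_put_int(m, sshpam_get_maxtries_reached());
+#endif
 
 	debug3("%s: sending result %d", __func__, authenticated);
 	mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m);
@@ -1119,6 +1123,7 @@ mm_answer_pam_query(int sock, Buffer *m)
 	free(name);
 	buffer_put_cstring(m, info);
 	free(info);
+	buffer_put_int(m, sshpam_get_maxtries_reached());
 	buffer_put_int(m, num);
 	for (i = 0; i < num; ++i) {
 		buffer_put_cstring(m, prompts[i]);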
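Review bot: The flag written in `mm_answer_authpassword` and `mm_answer_pam_query` only informs the unprivileged child; nothing in these hunks makes the monitor itself refuse a later password or PAM request once PAM has reported PAM_MAXTRIES. The monitor's own `options` are presumably cleared when `sshpam_auth_passwd` or `sshpam_query` runs on this side, but whether the handlers test those options before calling into PAM lies outside the hunks (both functions start above them) and should be confirmed, because the child is the less trusted side of the privilege separation. A comment on the new line would keep that explicit, e.g. `/* advisory for the child; the monitor enforces via its own options */`. The new integer also sits between `info` and `num` in the PAM query reply, so the reader in `mm_sshpam_query` must consume it at exactly that position, which the monitor_wrap.c change does.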
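--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -60,6 +60,7 @@
 #include "packet.h"
 #include "mac.h"
 #include "log.h"
+#include "auth-pam.h"
 #ifdef TARGET_OS_MAC    /* XXX Broken krb5 headers on Mac */
 #undef TARGET_OS_MAC
 #include "zlib.h"
@@ -362,6 +363,9 @@ mm_auth_password(Authctxt *authctxt, char *password)
 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m);
 
 	authenticated = buffer_get_int(&m);
+#ifdef USE_PAM
+	sshpam_set_maxtries_reached(buffer_get_int(&m));
+#endif
 
 	buffer_free(&m);
 
@@ -644,6 +648,7 @@ mm_sshpam_query(void *ctx, char **name, char **info,
 	debug3("%s: pam_query returned %d", __func__, ret);
 	*name = buffer_get_string(&m, NULL);
 	*info = buffer_get_string(&m, NULL);
+	sshpam_set_maxtries_reached(buffer_get_int(&m));
 	*num = buffer_get_int(&m);
 	if (*num > PAM_MAX_NUM_MSG)
 		fatal("%s: recieved %u PAM messages, expected <= %u",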
