summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@dtucker.net>2020-08-07 09:12:16 +0200
committerDarren Tucker <dtucker@dtucker.net>2020-08-07 09:14:56 +0200
commited6bef77f5bb5b8f9ca2914478949e29f2f0a780 (patch)
tree045eaa656999dd458d14a88965b295766c3ea634
parentOutput test debug logs on failure. (diff)
downloadopenssh-ed6bef77f5bb5b8f9ca2914478949e29f2f0a780.tar.xz
openssh-ed6bef77f5bb5b8f9ca2914478949e29f2f0a780.zip
Always send any PAM account messages.
If the PAM account stack reaturns any messages, send them to the user not just if the check succeeds. bz#2049, ok djm@
-rw-r--r--auth2.c26
1 files changed, 13 insertions, 13 deletions
diff --git a/auth2.c b/auth2.c
index 91aaf34a6..242a7adbe 100644
--- a/auth2.c
+++ b/auth2.c
@@ -390,20 +390,20 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
#ifdef USE_PAM
if (options.use_pam && authenticated) {
- int r;
-
- if (!PRIVSEP(do_pam_account())) {
- /* if PAM returned a message, send it to the user */
- if (sshbuf_len(loginmsg) > 0) {
- if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0)
- fatal("%s: buffer error: %s",
- __func__, ssh_err(r));
- userauth_send_banner(ssh, sshbuf_ptr(loginmsg));
- if ((r = ssh_packet_write_wait(ssh)) != 0) {
- sshpkt_fatal(ssh, r,
- "%s: send PAM banner", __func__);
- }
+ int r, success = PRIVSEP(do_pam_account());
+
+ /* If PAM returned a message, send it to the user. */
+ if (sshbuf_len(loginmsg) > 0) {
+ if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0)
+ fatal("%s: buffer error: %s",
+ __func__, ssh_err(r));
+ userauth_send_banner(ssh, sshbuf_ptr(loginmsg));
+ if ((r = ssh_packet_write_wait(ssh)) != 0) {
+ sshpkt_fatal(ssh, r,
+ "%s: send PAM banner", __func__);
}
+ }
+ if (!success) {
fatal("Access denied for user %s by PAM account "
"configuration", authctxt->user);
}