diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2005-01-20 13:27:56 +1100 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2005-01-20 13:27:56 +1100 |
| commit | d231186fd0acb8fee480faf61c4e9e4cc6186faf (patch) | |
| tree | 8694e5e7b33ad54e28ef15369938755373423c02 /auth-pam.c | |
| parent | 36a3d60347f23528695e550317d5ba6d63e6b0f4 (diff) | |
- djm@cvs.openbsd.org 2004/12/22 02:13:19
[cipher-ctr.c cipher.c]
remove fallback AES support for old OpenSSL, as OpenBSD has had it for
many years now; ok deraadt@
(Id sync only: Portable will continue to support older OpenSSLs)
Diffstat (limited to 'auth-pam.c')
| -rw-r--r-- | auth-pam.c | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/auth-pam.c b/auth-pam.c index 996964fcd..5bffe338f 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -245,6 +245,17 @@ sshpam_password_change_required(int reqd) } } +/* Check ssh internal flags in addition to PAM */ + +static int +sshpam_login_allowed(Authctxt *ctxt) +{ + if (ctxt->valid && (ctxt->pw->pw_uid != 0 || + options.permit_root_login == PERMIT_YES)) + return 1; + return 0; +} + /* Import regular and PAM environment from subprocess */ static void import_environments(Buffer *b) @@ -702,9 +713,7 @@ sshpam_query(void *ctx, char **name, char **info, **prompts = NULL; } if (type == PAM_SUCCESS) { - if (!sshpam_authctxt->valid || - (sshpam_authctxt->pw->pw_uid == 0 && - options.permit_root_login != PERMIT_YES)) + if (!sshpam_login_allowed(sshpam_authctxt)) fatal("Internal error: PAM auth " "succeeded when it should have " "failed"); @@ -753,9 +762,7 @@ sshpam_respond(void *ctx, u_int num, char **resp) return (-1); } buffer_init(&buffer); - if (sshpam_authctxt->valid && - (sshpam_authctxt->pw->pw_uid != 0 || - options.permit_root_login == PERMIT_YES)) + if (sshpam_login_allowed(sshpam_authctxt)) buffer_put_cstring(&buffer, *resp); else buffer_put_cstring(&buffer, badpw); @@ -1118,8 +1125,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) * by PermitRootLogin, use an invalid password to prevent leaking * information via timing (eg if the PAM config has a delay on fail). */ - if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && - options.permit_root_login != PERMIT_YES)) + if (!sshpam_login_allowed(authctxt)) sshpam_password = badpw; sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, @@ -1130,7 +1136,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) sshpam_err = pam_authenticate(sshpam_handle, flags); sshpam_password = NULL; - if (sshpam_err == PAM_SUCCESS && authctxt->valid) { + if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) { debug("PAM: password authentication accepted for %.100s", authctxt->user); return 1; |