[openssh-commits] [openssh] 01/01: tighten PAM monitor calls
git+noreply at mindrot.org
git+noreply at mindrot.org
Wed Aug 31 10:49:35 AEST 2016
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 775f8a23f2353f5869003c57a213d14b28e0736e
Author: Damien Miller <djm at mindrot.org>
Date: Wed Aug 31 10:48:07 2016 +1000
tighten PAM monitor calls
only allow kbd-interactive ones when that authentication method is
enabled. Prompted by Solar Designer
---
monitor.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/monitor.c b/monitor.c
index 2dfe0c4..fc006eb 100644
--- a/monitor.c
+++ b/monitor.c
@@ -996,7 +996,8 @@ mm_answer_pam_start(int sock, Buffer *m)
start_pam(authctxt);
monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
- monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1);
+ if (options.kbd_interactive_authentication)
+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1);
return (0);
}
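Review bot: The new condition around `monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1)` has no comment tying it to the matching `fatal()` this commit adds in mm_answer_pam_init_ctx, so a later edit could change one side and not the other. A one-line comment above the `if` would do, for example `/* kbd-int PAM requests are refused unless the method is enabled; mm_answer_pam_init_ctx re-checks this */`. The body of mm_answer_pam_start begins outside this hunk, so whether it also tests `options.use_pam` before `start_pam()` cannot be confirmed from here.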
@@ -1007,7 +1008,7 @@ mm_answer_pam_account(int sock, Buffer *m)
u_int ret;
if (!options.use_pam)
- fatal("UsePAM not set, but ended up in %s anyway", __func__);
+ fatal("%s: PAM not enabled", __func__);
ret = do_pam_account();
@@ -1026,6 +1027,8 @@ int
mm_answer_pam_init_ctx(int sock, Buffer *m)
{
debug3("%s", __func__);
+ if (!options.kbd_interactive_authentication)
+ fatal("%s: kbd-int authentication not enabled", __func__);
if (sshpam_ctxt != NULL)
fatal("%s: already called", __func__);
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
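Review bot: Nothing visible between the opening of mm_answer_pam_init_ctx and the `sshpam_ctxt` test checks `options.use_pam`, unlike mm_answer_pam_account in the previous hunk, so the handler appears to depend on the permit set in mm_answer_pam_start for that condition. If each handler is meant to stand on its own against a misbehaving unprivileged child, add `if (!options.use_pam) fatal("%s: PAM not enabled", __func__);` ahead of the new kbd-int check. The handlers for the other kbd-int PAM requests are not all in this diff: mm_answer_pam_query is covered by its `no context` fatal in the last hunk, and the rest should be confirmed to fail the same way when no context exists. The function body continues past the hunk.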
@@ -1053,7 +1056,8 @@ mm_answer_pam_query(int sock, Buffer *m)
sshpam_authok = NULL;
if (sshpam_ctxt == NULL)
fatal("%s: no context", __func__);
- ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
+ ret = (sshpam_device.query)(sshpam_ctxt, &name, &info,
+ &num, &prompts, &echo_on);
if (ret == 0 && num == 0)
sshpam_authok = sshpam_ctxt;
if (num > 1 || name == NULL || info == NULL)
--