PAM auth with disabled user
Darren Tucker
dtucker at zip.com.au
Sat Jan 14 14:15:18 EST 2006
On Sat, Jan 14, 2006 at 01:47:30PM +1100, Darren Tucker wrote:
[...]
> We're not going to add another knob to sshd for this but we can fix the
> kbdint thing above so it's consistent with the behaviour for the other
> auth types. It should then do what you want, right?
Please try this patch on top of a current snapshot. It's pretty ugly but
seems to work. Hopefully there's a nicer way...
Index: auth-pam.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
retrieving revision 1.127
diff -u -p -r1.127 auth-pam.c
--- auth-pam.c 28 Sep 2005 12:33:27 -0000 1.127
+++ auth-pam.c 14 Jan 2006 03:12:19 -0000
@@ -439,8 +439,8 @@ sshpam_thread(void *ctxtp)
goto auth_fail;
if (compat20) {
- if (!do_pam_account())
- goto auth_fail;
+ do_pam_account();
+ sshpam_err = PAM_SUCCESS;
if (sshpam_authctxt->force_pwchange) {
sshpam_err = pam_chauthtok(sshpam_handle,
PAM_CHANGE_EXPIRED_AUTHTOK);
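Review bot: In the compat20 branch the return value of do_pam_account() is now discarded and sshpam_err is forced to PAM_SUCCESS, so a failed account check no longer reaches auth_fail from this thread, and nothing in the hunk shows where that failure is enforced afterwards. If the intent is for the account result to be checked later, consistent with the other auth types, say so in a comment above the call and make the discard explicit with (void)do_pam_account();. The unconditional sshpam_err = PAM_SUCCESS also needs a comment explaining why the value has to be reset here, since it is overwritten by pam_chauthtok() whenever force_pwchange is set.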
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.