|
|
2054b7 |
diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
|
|
|
2054b7 |
--- openssh-8.0p1/auth-pam.c.preserve-pam-errors 2021-03-31 17:03:15.618592347 +0200
|
|
|
2054b7 |
+++ openssh-8.0p1/auth-pam.c 2021-03-31 17:06:58.115220014 +0200
|
|
|
2054b7 |
@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
|
|
|
2054b7 |
goto auth_fail;
|
|
|
2054b7 |
|
|
|
2054b7 |
if (!do_pam_account()) {
|
|
|
2054b7 |
- sshpam_err = PAM_ACCT_EXPIRED;
|
|
|
2054b7 |
+ /* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
|
|
|
2054b7 |
+ * Backward compatibility for other errors. */
|
|
|
2054b7 |
+ if (sshpam_err != PAM_PERM_DENIED
|
|
|
2054b7 |
+ && sshpam_err != PAM_USER_UNKNOWN)
|
|
|
2054b7 |
+ sshpam_err = PAM_ACCT_EXPIRED;
|
|
|
2054b7 |
goto auth_fail;
|
|
|
2054b7 |
}
|
|
|
2054b7 |
if (sshpam_authctxt->force_pwchange) {
|
|
|
2054b7 |
@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
|
|
|
2054b7 |
pam_strerror(sshpam_handle, sshpam_err))) != 0)
|
|
|
2054b7 |
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
|
2054b7 |
/* XXX - can't do much about an error here */
|
|
|
2054b7 |
- if (sshpam_err == PAM_ACCT_EXPIRED)
|
|
|
2054b7 |
- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
|
|
|
2054b7 |
+ if (sshpam_err == PAM_PERM_DENIED
|
|
|
2054b7 |
+ || sshpam_err == PAM_USER_UNKNOWN
|
|
|
2054b7 |
+ || sshpam_err == PAM_ACCT_EXPIRED)
|
|
|
2054b7 |
+ ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
|
|
|
2054b7 |
else if (sshpam_maxtries_reached)
|
|
|
2054b7 |
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
|
|
|
2054b7 |
else
|
|
|
2054b7 |
@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
|
|
|
2054b7 |
plen++;
|
|
|
2054b7 |
free(msg);
|
|
|
2054b7 |
break;
|
|
|
2054b7 |
+ case PAM_USER_UNKNOWN:
|
|
|
2054b7 |
+ case PAM_PERM_DENIED:
|
|
|
2054b7 |
case PAM_ACCT_EXPIRED:
|
|
|
2054b7 |
+ sshpam_account_status = 0;
|
|
|
2054b7 |
+ /* FALLTHROUGH */
|
|
|
2054b7 |
case PAM_MAXTRIES:
|
|
|
2054b7 |
- if (type == PAM_ACCT_EXPIRED)
|
|
|
2054b7 |
- sshpam_account_status = 0;
|
|
|
2054b7 |
if (type == PAM_MAXTRIES)
|
|
|
2054b7 |
sshpam_set_maxtries_reached(1);
|
|
|
2054b7 |
/* FALLTHROUGH */
|