rutwa189 / rpms / openssh

Forked from rpms/openssh a year ago
Clone

Blame SOURCES/openssh-8.0p1-preserve-pam-errors.patch

9070b3
diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
9070b3
--- openssh-8.0p1/auth-pam.c.preserve-pam-errors	2021-03-31 17:03:15.618592347 +0200
9070b3
+++ openssh-8.0p1/auth-pam.c	2021-03-31 17:06:58.115220014 +0200
9070b3
@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
9070b3
 		goto auth_fail;
9070b3
 
9070b3
 	if (!do_pam_account()) {
9070b3
-		sshpam_err = PAM_ACCT_EXPIRED;
9070b3
+		/* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
9070b3
+		 * Backward compatibility for other errors. */
9070b3
+		if (sshpam_err != PAM_PERM_DENIED
9070b3
+			&& sshpam_err != PAM_USER_UNKNOWN)
9070b3
+			sshpam_err = PAM_ACCT_EXPIRED;
9070b3
 		goto auth_fail;
9070b3
 	}
9070b3
 	if (sshpam_authctxt->force_pwchange) {
9070b3
@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
9070b3
 	    pam_strerror(sshpam_handle, sshpam_err))) != 0)
9070b3
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
9070b3
 	/* XXX - can't do much about an error here */
9070b3
-	if (sshpam_err == PAM_ACCT_EXPIRED)
9070b3
-		ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
9070b3
+	if (sshpam_err == PAM_PERM_DENIED
9070b3
+		|| sshpam_err == PAM_USER_UNKNOWN
9070b3
+		|| sshpam_err == PAM_ACCT_EXPIRED)
9070b3
+		ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
9070b3
 	else if (sshpam_maxtries_reached)
9070b3
 		ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
9070b3
 	else
9070b3
@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
9070b3
 			plen++;
9070b3
 			free(msg);
9070b3
 			break;
9070b3
+		case PAM_USER_UNKNOWN:
9070b3
+		case PAM_PERM_DENIED:
9070b3
 		case PAM_ACCT_EXPIRED:
9070b3
+			sshpam_account_status = 0;
9070b3
+			/* FALLTHROUGH */
9070b3
 		case PAM_MAXTRIES:
9070b3
-			if (type == PAM_ACCT_EXPIRED)
9070b3
-				sshpam_account_status = 0;
9070b3
 			if (type == PAM_MAXTRIES)
9070b3
 				sshpam_set_maxtries_reached(1);
9070b3
 			/* FALLTHROUGH */