-rw-r--r--ChangeLog3
-rw-r--r--auth-pam.c23
2 files changed, 18 insertions, 8 deletions
diff --git a/ChangeLog b/ChangeLog
index 61993bb0..3030dad1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+20001014
+ - (djm) Don't accept PAM_PROMPT_ECHO_ON messages during initial auth
+
20001007
- (stevesk) Print PAM return value in PAM log messages to aid
with debugging.
diff --git a/auth-pam.c b/auth-pam.c
index 57a558d8..f4cbd46e 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -29,7 +29,7 @@
#include "xmalloc.h"
#include "servconf.h"
-RCSID("$Id: auth-pam.c,v 1.14 2000/10/07 11:16:55 stevesk Exp $");
+RCSID("$Id: auth-pam.c,v 1.15 2000/10/14 00:16:12 djm Exp $");
#define NEW_AUTHTOK_MSG \
"Warning: Your password has expired, please change it now"
@@ -83,11 +83,16 @@ static int pamconv(int num_msg, const struct pam_message **msg,
for (count = 0; count < num_msg; count++) {
switch ((*msg)[count].msg_style) {
case PAM_PROMPT_ECHO_ON:
- fputs((*msg)[count].msg, stderr);
- fgets(buf, sizeof(buf), stdin);
- reply[count].resp = xstrdup(buf);
- reply[count].resp_retcode = PAM_SUCCESS;
- break;
+ if (pamstate == INITIAL_LOGIN) {
+ free(reply);
+ return PAM_CONV_ERR;
+ } else {
+ fputs((*msg)[count].msg, stderr);
+ fgets(buf, sizeof(buf), stdin);
+ reply[count].resp = xstrdup(buf);
+ reply[count].resp_retcode = PAM_SUCCESS;
+ break;
+ }
case PAM_PROMPT_ECHO_OFF:
if (pamstate == INITIAL_LOGIN) {
if (pampasswd == NULL) {
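Review bot: The new INITIAL_LOGIN early return under `case PAM_PROMPT_ECHO_ON` releases only the `reply` array, so any `reply[i].resp` already filled in for earlier messages of the same conversation is leaked, and per the `PAM_PROMPT_ECHO_OFF` case just below those strings can be `xstrdup(pampasswd)` copies of the password. Before `free(reply)` I would release the earlier responses, e.g. `while (count-- > 0) free(reply[count].resp);`, ideally clearing each string first; this assumes every earlier case sets `resp` or that `reply` is zero-initialised, which cannot be confirmed here because pamconv's allocation and the rest of its body lie outside the hunk. The `pampasswd == NULL` error return that continues in the next hunk presumably has the same gap. Separately, the retained else branch still ignores the result of `fgets`, so on EOF or a read error `buf` is duplicated without having been written by this call.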
@@ -95,8 +100,10 @@ static int pamconv(int num_msg, const struct pam_message **msg,
return PAM_CONV_ERR;
}
reply[count].resp = xstrdup(pampasswd);
- } else
- reply[count].resp = xstrdup(read_passphrase((*msg)[count].msg, 1));
+ } else {
+ reply[count].resp =
+ xstrdup(read_passphrase((*msg)[count].msg, 1));
+ }
reply[count].resp_retcode = PAM_SUCCESS;
break;
case PAM_ERROR_MSG: