Send PAM error messages as a banner messages

Patch from Martin Donnelly, modified.
2025-06-26 18:17:32 +00:00 · 2013-10-03 23:04:11 +08:00 · 2013-10-03 23:04:11 +08:00 · 142a0f8a83
commit 142a0f8a83
parent d1dec41f76
3 changed files with 23 additions and 11 deletions
--- a/auth.h
+++ b/auth.h
@ -36,6 +36,7 @@ void cli_authinitialise();
 void recv_msg_userauth_request();
 void send_msg_userauth_failure(int partial, int incrfail);
 void send_msg_userauth_success();
+void send_msg_userauth_banner(buffer *msg);
 void svr_auth_password();
 void svr_auth_pubkey();
 void svr_auth_pam();
--- a/svr-auth.c
+++ b/svr-auth.c
@ -37,7 +37,6 @@

 static void authclear();
 static int checkusername(unsigned char *username, unsigned int userlen);
-static void send_msg_userauth_banner();

 /* initialise the first time for a session, resetting all parameters */
 void svr_authinitialise() {
@ -82,24 +81,18 @@ static void authclear() {

 /* Send a banner message if specified to the client. The client might
 * ignore this, but possibly serves as a legal "no trespassing" sign */
-static void send_msg_userauth_banner() {
+void send_msg_userauth_banner(buffer *banner) {

 	TRACE(("enter send_msg_userauth_banner"))
-	if (svr_opts.banner == NULL) {
-		TRACE(("leave send_msg_userauth_banner: banner is NULL"))
-		return;
-	}

 	CHECKCLEARTOWRITE();

 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER);
-	buf_putstring(ses.writepayload, buf_getptr(svr_opts.banner,
-				svr_opts.banner->len), svr_opts.banner->len);
+	buf_putstring(ses.writepayload, buf_getptr(banner, banner->len),
+			banner->len);
 	buf_putstring(ses.writepayload, "en", 2);

 	encrypt_packet();
-	buf_free(svr_opts.banner);
-	svr_opts.banner = NULL;

 	TRACE(("leave send_msg_userauth_banner"))
 }
@ -122,7 +115,9 @@ void recv_msg_userauth_request() {

 	/* send the banner if it exists, it will only exist once */
 	if (svr_opts.banner) {
-		send_msg_userauth_banner();
+		send_msg_userauth_banner(svr_opts.banner);
+		buf_free(svr_opts.banner);
+		svr_opts.banner = NULL;
 	}

 	username = buf_getstring(ses.payload, &userlen);
--- a/svr-authpam.c
+++ b/svr-authpam.c
@ -142,6 +142,22 @@ pamConvFunc(int num_msg,
 			(*respp) = resp;
 			break;

+		case PAM_ERROR_MSG:
+		case PAM_TEXT_INFO:
+
+			if (msg_len > 0) {
+				buffer * pam_err = buf_new(msg_len + 4);
+				buf_setpos(pam_err, 0);
+				buf_putbytes(pam_err, "\r\n", 2);
+				buf_putbytes(pam_err, (*msg)->msg, msg_len);
+				buf_putbytes(pam_err, "\r\n", 2);
+				buf_setpos(pam_err, 0);
+
+				send_msg_userauth_banner(pam_err);
+				buf_free(pam_err);
+			}
+			break;
+
 		default:
 			TRACE(("Unknown message type"))
 			rc = PAM_CONV_ERR;