From 142a0f8a83262b278d7d4eeaada2801a039c94c8 Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Thu, 3 Oct 2013 23:04:11 +0800
Subject: [PATCH] Send PAM error messages as a banner messages Patch from
 Martin Donnelly, modified.

---
 auth.h        |  1 +
 svr-auth.c    | 17 ++++++-----------
 svr-authpam.c | 16 ++++++++++++++++
 3 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/auth.h b/auth.h
index df6634e1..3aed57bb 100644
--- a/auth.h
+++ b/auth.h
@@ -36,6 +36,7 @@ void cli_authinitialise();
 void recv_msg_userauth_request();
 void send_msg_userauth_failure(int partial, int incrfail);
 void send_msg_userauth_success();
+void send_msg_userauth_banner(buffer *msg);
 void svr_auth_password();
 void svr_auth_pubkey();
 void svr_auth_pam();
diff --git a/svr-auth.c b/svr-auth.c
index 01d45208..b8f01195 100644
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -37,7 +37,6 @@
 
 static void authclear();
 static int checkusername(unsigned char *username, unsigned int userlen);
-static void send_msg_userauth_banner();
 
 /* initialise the first time for a session, resetting all parameters */
 void svr_authinitialise() {
@@ -82,24 +81,18 @@ static void authclear() {
 
 /* Send a banner message if specified to the client. The client might
  * ignore this, but possibly serves as a legal "no trespassing" sign */
-static void send_msg_userauth_banner() {
+void send_msg_userauth_banner(buffer *banner) {
 
 	TRACE(("enter send_msg_userauth_banner"))
-	if (svr_opts.banner == NULL) {
-		TRACE(("leave send_msg_userauth_banner: banner is NULL"))
-		return;
-	}
 
 	CHECKCLEARTOWRITE();
 
 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER);
-	buf_putstring(ses.writepayload, buf_getptr(svr_opts.banner,
-				svr_opts.banner->len), svr_opts.banner->len);
+	buf_putstring(ses.writepayload, buf_getptr(banner, banner->len),
+			banner->len);
 	buf_putstring(ses.writepayload, "en", 2);
 
 	encrypt_packet();
-	buf_free(svr_opts.banner);
-	svr_opts.banner = NULL;
 
 	TRACE(("leave send_msg_userauth_banner"))
 }
@@ -122,7 +115,9 @@ void recv_msg_userauth_request() {
 
 	/* send the banner if it exists, it will only exist once */
 	if (svr_opts.banner) {
-		send_msg_userauth_banner();
+		send_msg_userauth_banner(svr_opts.banner);
+		buf_free(svr_opts.banner);
+		svr_opts.banner = NULL;
 	}
 
 	username = buf_getstring(ses.payload, &userlen);
diff --git a/svr-authpam.c b/svr-authpam.c
index e84f076d..a586727d 100644
--- a/svr-authpam.c
+++ b/svr-authpam.c
@@ -142,6 +142,22 @@ pamConvFunc(int num_msg,
 			(*respp) = resp;
 			break;
 
+		case PAM_ERROR_MSG:
+		case PAM_TEXT_INFO:
+
+			if (msg_len > 0) {
+				buffer * pam_err = buf_new(msg_len + 4);
+				buf_setpos(pam_err, 0);
+				buf_putbytes(pam_err, "\r\n", 2);
+				buf_putbytes(pam_err, (*msg)->msg, msg_len);
+				buf_putbytes(pam_err, "\r\n", 2);
+				buf_setpos(pam_err, 0);
+
+				send_msg_userauth_banner(pam_err);
+				buf_free(pam_err);
+			}
+			break;
+
 		default:
 			TRACE(("Unknown message type"))
 			rc = PAM_CONV_ERR;
-- 
GitLab