login: do reject wrong passwords with PAM auth
authorvda <vda@69ca8d6d-28ef-0310-b511-8ec308f3f277>
Mon, 3 Sep 2007 11:56:27 +0000 (11:56 +0000)
committervda <vda@69ca8d6d-28ef-0310-b511-8ec308f3f277>
Mon, 3 Sep 2007 11:56:27 +0000 (11:56 +0000)
git-svn-id: svn://busybox.net/trunk/busybox@19775 69ca8d6d-28ef-0310-b511-8ec308f3f277

loginutils/login.c

index 3b4cf2a..5d50538 100644 (file)
@@ -307,18 +307,26 @@ int login_main(int argc, char **argv)
                        goto pam_auth_failed;
                }
                pamret = pam_authenticate(pamh, 0);
-               if (pamret == PAM_SUCCESS) {
-                       char *pamuser;
-                       /* check that the account is healthy. */
-                       pamret = pam_acct_mgmt(pamh, 0);
-                       if (pamret != PAM_SUCCESS) {
-                               failed_msg = "account setup";
-                               goto pam_auth_failed;
-                       }
-                       /* read user back */
+               if (pamret != PAM_SUCCESS) {
+                       failed_msg = "pam_authenticate";
+                       goto pam_auth_failed;
+                       /* TODO: or just "goto auth_failed"
+                        * since user seems to enter wrong password
+                        * (in this case pamret == 7)
+                        */
+               }
+               /* check that the account is healthy */
+               pamret = pam_acct_mgmt(pamh, 0);
+               if (pamret != PAM_SUCCESS) {
+                       failed_msg = "account setup";
+                       goto pam_auth_failed;
+               }
+               /* read user back */
+               {
+                       const char *pamuser;
                        /* gcc: "dereferencing type-punned pointer breaks aliasing rules..."
-                        * thus we use double cast */
-                       if (pam_get_item(pamh, PAM_USER, (const void **)(void*)&pamuser) != PAM_SUCCESS) {
+                        * thus we cast to (void*) */
+                       if (pam_get_item(pamh, PAM_USER, (void*)&pamuser) != PAM_SUCCESS) {
                                failed_msg = "pam_get_item(USER)";
                                goto pam_auth_failed;
                        }
@@ -331,7 +339,7 @@ int login_main(int argc, char **argv)
                        break;
                goto auth_failed;
  pam_auth_failed:
-               bb_error_msg("%s failed: %s", failed_msg, pam_strerror(pamh, pamret));
+               bb_error_msg("%s failed: %s (%d)", failed_msg, pam_strerror(pamh, pamret), pamret);
                safe_strncpy(username, "UNKNOWN", sizeof(username));
 #else /* not PAM */
                pw = getpwnam(username);
@@ -360,6 +368,7 @@ int login_main(int argc, char **argv)
  auth_failed:
                opt &= ~LOGIN_OPT_f;
                bb_do_delay(FAIL_DELAY);
+               /* TODO: doesn't sound like correct English phrase to me */
                puts("Login incorrect");
                if (++count == 3) {
                        syslog(LOG_WARNING, "invalid password for '%s'%s",