1 files changed, 29 insertions, 4 deletions

diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index 3f93b9869f1e2..d08928455c523 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -25,9 +25,11 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
 #include "session.h"
 #include "uidswap.h"
 #include "monitor_wrap.h"
+#include "buffer.h"
 
 /* import */
 extern ServerOptions options;
+extern Buffer loginmsg;
 
 /*
  * convert ssh auth msg type into description
@@ -245,14 +247,33 @@ do_authloop(Authctxt *authctxt)
 #else
 		/* Special handling for root */
 		if (authenticated && authctxt->pw->pw_uid == 0 &&
-		    !auth_root_allowed(get_authname(type)))
+		    !auth_root_allowed(get_authname(type))) {
 			authenticated = 0;
+# ifdef SSH_AUDIT_EVENTS
+			PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
+# endif
+		}
 #endif
 
 #ifdef USE_PAM
 		if (options.use_pam && authenticated &&
-		    !PRIVSEP(do_pam_account()))
-			authenticated = 0;
+		    !PRIVSEP(do_pam_account())) {
+			char *msg;
+			size_t len;
+
+			error("Access denied for user %s by PAM account "
+			   "configuration", authctxt->user);
+			len = buffer_len(&loginmsg);
+			buffer_append(&loginmsg, "\0", 1);
+			msg = buffer_ptr(&loginmsg);
+			/* strip trailing newlines */
+			if (len > 0)
+				while (len > 0 && msg[--len] == '\n')
+					msg[len] = '\0';
+			else
+				msg = "Access denied.";
+			packet_disconnect(msg);
+		}
 #endif
 
 		/* Log before sending the reply */
@@ -266,8 +287,12 @@ do_authloop(Authctxt *authctxt)
 		if (authenticated)
 			return;
 
-		if (authctxt->failures++ > options.max_authtries)
+		if (authctxt->failures++ > options.max_authtries) {
+#ifdef SSH_AUDIT_EVENTS
+			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
+#endif
 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+		}
 
 		packet_start(SSH_SMSG_FAILURE);
 		packet_send();