Diffstat (limited to 'sesman')
-rw-r--r--sesman/auth.h2
-rw-r--r--sesman/scp_v0.c9
-rw-r--r--sesman/scp_v1.c4
-rw-r--r--sesman/scp_v1_mng.c2
-rw-r--r--sesman/verify_user_pam.c22
5 files changed, 28 insertions, 11 deletions
diff --git a/sesman/auth.h b/sesman/auth.h
index 09bec2e9..39acc0b8 100644
--- a/sesman/auth.h
+++ b/sesman/auth.h
@@ -36,7 +36,7 @@
*
*/
long DEFAULT_CC
-auth_userpass(char* user, char* pass);
+auth_userpass(char* user, char* pass, int *errorcode);
/**
*
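Review bot: The new `errorcode` parameter is not described in the doc comment above this prototype; that comment starts outside the hunk, so this is judged from its visible tail only. I would add a line such as `@param errorcode optional, may be NULL; receives the PAM return code when authentication fails`. The comment above the definition in sesman/verify_user_pam.c has the same gap: it does not say that NULL is accepted, and as far as the visible hunks show the value is written only on the failure paths, which the caller in sesman/scp_v0.c relies on.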
diff --git a/sesman/scp_v0.c b/sesman/scp_v0.c
index da6ab919..6ecb47b1 100644
--- a/sesman/scp_v0.c
+++ b/sesman/scp_v0.c
@@ -35,8 +35,9 @@ scp_v0_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
int display = 0;
tbus data;
struct session_item *s_item;
+ int errorcode = 0 ;
- data = auth_userpass(s->username, s->password);
+ data = auth_userpass(s->username, s->password,&errorcode);
if (s->type == SCP_GW_AUTHENTICATION)
{
@@ -47,14 +48,14 @@ scp_v0_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
if (1 == access_login_allowed(s->username))
{
/* the user is member of the correct groups. */
- scp_v0s_replyauthentication(c, 0);
+ scp_v0s_replyauthentication(c, errorcode);
log_message(LOG_LEVEL_INFO, "Access permitted for user: %s",
s->username);
/* g_writeln("Connection allowed"); */
}
else
{
- scp_v0s_replyauthentication(c, 3);
+ scp_v0s_replyauthentication(c, 32+3); /* all first 32 are reserved for PAM errors */
log_message(LOG_LEVEL_INFO, "Username okey but group problem for "
"user: %s", s->username);
/* g_writeln("user password ok, but group problem"); */
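Review bot: The success reply `scp_v0s_replyauthentication(c, errorcode)` now depends on `errorcode` still holding its initial 0 after a successful `auth_userpass`, where the old code sent a literal 0. Keeping `scp_v0s_replyauthentication(c, 0);` in this branch makes the permitted case independent of whatever the PAM layer wrote. In the group-failure branch, `32+3` changes the value clients previously received as 3 and is a bare number; a named constant for the offset, shared with whatever decodes the reply, would keep both sides in step. PAM return values are defined by the PAM implementation's headers, so the comment's assumption that they all fit below 32 is worth confirming on each platform this builds for.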
@@ -65,7 +66,7 @@ scp_v0_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
/* g_writeln("username or password error"); */
log_message(LOG_LEVEL_INFO, "Username or password error for user: %s",
s->username);
- scp_v0s_replyauthentication(c, 2);
+ scp_v0s_replyauthentication(c, errorcode);
}
auth_end(data);
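Review bot: In what appears to be the authentication-failure branch, `scp_v0s_replyauthentication(c, errorcode)` sends 0 whenever `auth_userpass` returned 0 without writing through the pointer, because `errorcode` is initialised to 0 in the first hunk of this file, and 0 is also what the success branch sends. Only the PAM implementation is changed in this diff, so any failure path that does not set the code would be reported to the client as success; a guard such as `scp_v0s_replyauthentication(c, errorcode != 0 ? errorcode : 2);` keeps the old non-zero failure value as a floor. Separately, the raw PAM code now goes to a peer that has not authenticated, which may let it tell apart causes such as an unknown account, a wrong password or an expired account; consider logging the detailed code on the server and replying with a small fixed set of values. The enclosing function starts and ends outside the hunk.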
diff --git a/sesman/scp_v1.c b/sesman/scp_v1.c
index 295fbce4..d3f0ab7f 100644
--- a/sesman/scp_v1.c
+++ b/sesman/scp_v1.c
@@ -50,7 +50,7 @@ scp_v1_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
retries = g_cfg->sec.login_retry;
current_try = retries;
- data = auth_userpass(s->username, s->password);
+ data = auth_userpass(s->username, s->password,NULL);
/*LOG_DBG("user: %s\npass: %s", s->username, s->password);*/
while ((!data) && ((retries == 0) || (current_try > 0)))
@@ -65,7 +65,7 @@ scp_v1_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
{
case SCP_SERVER_STATE_OK:
/* all ok, we got new username and password */
- data = auth_userpass(s->username, s->password);
+ data = auth_userpass(s->username, s->password,NULL);
/* one try less */
if (current_try > 0)
diff --git a/sesman/scp_v1_mng.c b/sesman/scp_v1_mng.c
index 0e20007d..9d1da0f5 100644
--- a/sesman/scp_v1_mng.c
+++ b/sesman/scp_v1_mng.c
@@ -42,7 +42,7 @@ scp_v1_mng_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
int scount;
int end = 0;
- data = auth_userpass(s->username, s->password);
+ data = auth_userpass(s->username, s->password,NULL);
/*LOG_DBG("user: %s\npass: %s", s->username, s->password);*/
if (!data)
diff --git a/sesman/verify_user_pam.c b/sesman/verify_user_pam.c
index b81398de..b7a7bef7 100644
--- a/sesman/verify_user_pam.c
+++ b/sesman/verify_user_pam.c
@@ -98,9 +98,11 @@ get_service_name(char *service_name)
}
/******************************************************************************/
-/* returns long, zero is no go */
+/* returns long, zero is no go
+ Stores the detailed error code in the errorcode variable*/
+
long DEFAULT_CC
-auth_userpass(char *user, char *pass)
+auth_userpass(char *user, char *pass, int *errorcode)
{
int error;
struct t_auth_info *auth_info;
@@ -116,6 +118,9 @@ auth_userpass(char *user, char *pass)
if (error != PAM_SUCCESS)
{
+ if(errorcode!=NULL){
+ *errorcode = error ;
+ }
g_printf("pam_start failed: %s\r\n", pam_strerror(auth_info->ph, error));
g_free(auth_info);
return 0;
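Review bot: The added `if(errorcode!=NULL){` block does not follow the spacing and brace placement of the surrounding code, which writes `if (error != PAM_SUCCESS)` with the opening brace on its own line. The same three lines are repeated twice more in the next hunk. Writing the condition as `if (errorcode != NULL)` with braces on their own lines and `*errorcode = error;` without the space before the semicolon, or moving the store into one small static helper, would keep the function uniform. The function body starts and ends outside this hunk.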
@@ -125,16 +130,27 @@ auth_userpass(char *user, char *pass)
if (error != PAM_SUCCESS)
{
+ if(errorcode!=NULL){
+ *errorcode = error ;
+ }
g_printf("pam_authenticate failed: %s\r\n",
pam_strerror(auth_info->ph, error));
g_free(auth_info);
return 0;
}
-
+ /* From man page:
+ The pam_acct_mgmt function is used to determine if the users account is
+ valid. It checks for authentication token and account expiration and
+ verifies access restrictions. It is typically called after the user has
+ been authenticated.
+ */
error = pam_acct_mgmt(auth_info->ph, 0);
if (error != PAM_SUCCESS)
{
+ if(errorcode!=NULL){
+ *errorcode = error ;
+ }
g_printf("pam_acct_mgmt failed: %s\r\n",
pam_strerror(auth_info->ph, error));
g_free(auth_info);
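Review bot: The `pam_authenticate` failure path frees `auth_info` and returns without calling `pam_end`, so the handle opened by `pam_start` is never closed; the `pam_acct_mgmt` failure path at the end of the hunk looks the same as far as its `g_free`, though its return is outside the hunk. Each rejected login then leaves a PAM transaction, and whatever the modules stored in it, allocated for the life of the process. Adding `pam_end(auth_info->ph, error);` before `g_free(auth_info);` on both paths releases it. The `g_printf` call has to stay ahead of it because it still reads `auth_info->ph`.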