tells PAM the previous successful authentication methods in a PAM environment variable
György Demarcsek committed Jun 2, 2015
1 parent d7a58bb commit 4a006ca
Showing 5 changed files with 26 additions and 6 deletions.
@@ -466,6 +466,7 @@ sshpam_thread(void *ctxtp)
(const void *)&sshpam_conv);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
do_pam_putenv("SSH_SUCCESSFUL_AUTH_METHODS", sshpam_authctxt->last_auth_methods);
sshpam_err = pam_authenticate(sshpam_handle, flags);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
@@ -1203,6 +1204,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
fatal("PAM: %s: failed to set PAM_CONV: %s", __func__,
pam_strerror(sshpam_handle, sshpam_err));

do_pam_putenv("SSH_SUCCESSFUL_AUTH_METHODS", authctxt->last_auth_methods);
sshpam_err = pam_authenticate(sshpam_handle, flags);
sshpam_password = NULL;
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
1 auth.h
@@ -69,6 +69,7 @@ struct Authctxt {
#endif
char **auth_methods; /* modified from server config */
u_int num_auth_methods;
char *last_auth_methods;
#ifdef KRB5
krb5_context krb5_ctx;
krb5_ccache krb5_fwd_ccache;
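Review bot: The new member on the `char *last_auth_methods;` line has no comment, although its neighbour `auth_methods` carries one, and nothing in the header says who owns the string, when it becomes non-NULL, or what format it has. Suggest `char *last_auth_methods; /* comma-separated methods that have succeeded so far; NULL until the first one; freed by do_cleanup() */`, which matches the appends in this commit's auth2.c hunk and the free in its session.c hunk. The session.c hunk frees the pointer without resetting it to NULL; I have not checked whether do_cleanup() can run twice, so if it can, a `authctxt->last_auth_methods = NULL;` after the free would avoid a double free. The struct Authctxt definition continues outside the hunk.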
15 auth2.c
@@ -596,6 +596,7 @@ auth2_update_methods_lists(Authctxt *authctxt, const char *method,
const char *submethod)
{
u_int i, found = 0;
char * am_copy = NULL;

debug3("%s: updating methods list after \"%s\"", __func__, method);
for (i = 0; i < authctxt->num_auth_methods; i++) {
@@ -613,6 +614,20 @@ auth2_update_methods_lists(Authctxt *authctxt, const char *method,
/* This should not happen, but would be bad if it did */
if (!found)
fatal("%s: method not in AuthenticationMethods", __func__);

if (authctxt->last_auth_methods == NULL) {
authctxt->last_auth_methods = xcalloc(strlen(method) + 2, sizeof(char));
} else {
am_copy = xstrdup(authctxt->last_auth_methods);
free(authctxt->last_auth_methods);
authctxt->last_auth_methods = xcalloc(strlen(am_copy) + strlen(method) + 2, sizeof(char));
strcpy(authctxt->last_auth_methods, am_copy);
free(am_copy);
}

strcat(authctxt->last_auth_methods, method);
if (authctxt->num_auth_methods != 1)
strcat(authctxt->last_auth_methods, ",");
return 0;
}
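Review bot: The separator logic at `if (authctxt->num_auth_methods != 1) strcat(authctxt->last_auth_methods, ",");` keys the comma on the number of configured AuthenticationMethods lists (the count the loop at the top of the function iterates over), not on whether the string already holds a method, so a single configured list yields `publickeypassword` and several lists leave a trailing comma, and that value reaches PAM unchanged as SSH_SUCCESSFUL_AUTH_METHODS. Inserting the comma only when last_auth_methods is already non-NULL fixes both cases, and the xstrdup/free/xcalloc/strcpy/strcat sequence then collapses to one xasprintf, as below. last_auth_methods also stays NULL until the first success, and the auth-pam.c hunks in this commit hand it to do_pam_putenv with no guard; if that helper takes strlen() of its value (its body is not in this commit), the first PAM attempt will crash, so either skip the putenv on NULL or pass an empty string there. The loop body of auth2_update_methods_lists() starts outside this hunk.
```c
	if (!found)
		fatal("%s: method not in AuthenticationMethods", __func__);

	/*
	 * Append this method to the comma-separated list of methods that
	 * have succeeded so far (exported to PAM as SSH_SUCCESSFUL_AUTH_METHODS).
	 */
	if (authctxt->last_auth_methods == NULL) {
		authctxt->last_auth_methods = xstrdup(method);
	} else {
		xasprintf(&am_copy, "%s,%s",
		    authctxt->last_auth_methods, method);
		free(authctxt->last_auth_methods);
		authctxt->last_auth_methods = am_copy;
	}
	return 0;
}
```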

@@ -731,7 +731,7 @@ do_exec_pty(Session *s, const char *command)

/* Enter interactive session. */
s->ptymaster = ptymaster;
packet_set_interactive(1,
packet_set_interactive(1,
options.ip_qos_interactive, options.ip_qos_bulk);
if (compat20) {
session_set_fds(s, ptyfd, fdout, -1, 1, 1);
@@ -1458,15 +1458,15 @@ safely_chroot(const char *path, uid_t uid)
memcpy(component, path, cp - path);
component[cp - path] = '\0';
}

debug3("%s: checking '%s'", __func__, component);

if (stat(component, &st) != 0)
fatal("%s: stat(\"%s\"): %s", __func__,
component, strerror(errno));
if (st.st_uid != 0 || (st.st_mode & 022) != 0)
fatal("bad ownership or modes for chroot "
"directory %s\"%s\"",
"directory %s\"%s\"",
cp == NULL ? "" : "component ", component);
if (!S_ISDIR(st.st_mode))
fatal("chroot path %s\"%s\" is not a directory",
@@ -1542,14 +1542,14 @@ do_setusercontext(struct passwd *pw)
perror("unable to set user context (setuser)");
exit(1);
}
/*
/*
* FreeBSD's setusercontext() will not apply the user's
* own umask setting unless running with the user's UID.
*/
(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK);
#else
# ifdef USE_LIBIAF
/* In a chroot environment, the set_id() will always fail; typically
/* In a chroot environment, the set_id() will always fail; typically
* because of the lack of necessary authentication services and runtime
* such as ./usr/lib/libiaf.so, ./usr/lib/libpam.so.1, and ./etc/passwd
* We skip it in the internal sftp chroot case.
@@ -2739,6 +2739,8 @@ do_cleanup(Authctxt *authctxt)
if (authctxt == NULL)
return;

free(authctxt->last_auth_methods);

#ifdef USE_PAM
if (options.use_pam) {
sshpam_cleanup();
@@ -645,7 +645,7 @@ userauth_gssapi(Authctxt *authctxt)
while (mech < gss_supported->count && !ok) {
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
ssh_gssapi_check_mechanism(&gssctxt,
&gss_supported->elements[mech], authctxt->host)) {
ok = 1; /* Mechanism works */
} else {
