properly bail out when PAM changes username
authorDamien Miller <djm@mindrot.org>
Thu, 2 Apr 2026 07:32:00 +0000 (18:32 +1100)
committerDamien Miller <djm@mindrot.org>
Thu, 2 Apr 2026 07:32:00 +0000 (18:32 +1100)
OpenSSH doesn't support PAM changing its conception of the
username via a module calling pam_set_item(h, PAM_USER, ...).
We were supposed to bail out here, but I messed up while "fixing"
this last time and dropped a return statement.

Reported by Mike Damm

auth-pam.c

index d2b3c348319ecb789912eb7a2068e2bffd8da4d0..29607e04134fd66158144410f18c14137a30b5cf 100644 (file)
@@ -474,6 +474,7 @@ check_pam_user(Authctxt *authctxt)
        if (strcmp(sshpam_initial_user, pam_user) != 0) {
                error_f("PAM user \"%s\" does not match previous \"%s\"",
                      pam_user, sshpam_initial_user);
+               return PAM_USER_UNKNOWN;
        }
        return PAM_SUCCESS;
 }
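Review bot: The restored `return PAM_USER_UNKNOWN;` in the `strcmp(sshpam_initial_user, pam_user) != 0` branch has no comment marking it as load-bearing. The commit message says this exact return was lost during an earlier fix, and without it the function logs the mismatch and still falls through to `return PAM_SUCCESS;`. I would add a comment directly above the return, for example `/* Fail closed: PAM changing PAM_USER is unsupported; never fall through to PAM_SUCCESS */`. A regression test that has a PAM module change PAM_USER would catch a repeat of this mistake. check_pam_user() starts outside the hunk and its callers are not visible here, so it is worth confirming that every call site treats a non-PAM_SUCCESS result as an authentication failure.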