summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2003-09-03 00:30:53 +0000
committerColin Watson <cjwatson@debian.org>2003-09-03 00:30:53 +0000
commit39d9195514df907a6f1eb6fc10688860af83f43b (patch)
tree408c7952c02772fdc10267265526d0b6d2526190
parentd702e4063b641afb252fe6029553ebffac0dd81a (diff)
Fix login delay, spurious auth.log entry, and PermitRootLogin information
leakage due to PAM issues with upstream's recent security update (thanks, Darren Tucker; closes: #99168, #192207, #193546).
Diffstat
-rw-r--r--auth-passwd.c8
-rw-r--r--auth1.c2
-rw-r--r--auth2-none.c2
-rw-r--r--debian/changelog5
4 files changed, 15 insertions, 2 deletions
diff --git a/auth-passwd.c b/auth-passwd.c
index 62ea3a52d..2307c1e5e 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -125,6 +125,14 @@ auth_password(Authctxt *authctxt, const char *password)
125 ok = 0; 125 ok = 0;
126 126
127#if defined(USE_PAM) 127#if defined(USE_PAM)
128 /*
129 * If the user logging in is root and RootLogin=no, always attempt
130 * an invalid root login to prevent leaking timing information
131 */
132 if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) {
133 auth_pam_password(authctxt, "\b\n\r\177INCORRECT");
134 return 0;
135 }
128 return auth_pam_password(authctxt, password) && ok; 136 return auth_pam_password(authctxt, password) && ok;
129#elif defined(HAVE_OSF_SIA) 137#elif defined(HAVE_OSF_SIA)
130 if (!ok) 138 if (!ok)
diff --git a/auth1.c b/auth1.c
index c273f2fb6..b7e10abd0 100644
--- a/auth1.c
+++ b/auth1.c
@@ -80,7 +80,7 @@ do_authloop(Authctxt *authctxt)
80 authctxt->valid ? "" : "illegal user ", authctxt->user); 80 authctxt->valid ? "" : "illegal user ", authctxt->user);
81 81
82 /* If the user has no password, accept authentication immediately. */ 82 /* If the user has no password, accept authentication immediately. */
83 if (options.password_authentication && 83 if (options.password_authentication && options.permit_empty_passwd &&
84#if defined(KRB4) || defined(KRB5) 84#if defined(KRB4) || defined(KRB5)
85 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && 85 (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
86#endif 86#endif
diff --git a/auth2-none.c b/auth2-none.c
index 692a2961f..46a4c617e 100644
--- a/auth2-none.c
+++ b/auth2-none.c
@@ -100,6 +100,8 @@ userauth_none(Authctxt *authctxt)
100 if (check_nt_auth(1, authctxt->pw) == 0) 100 if (check_nt_auth(1, authctxt->pw) == 0)
101 return(0); 101 return(0);
102#endif 102#endif
103 if (options.permit_empty_passwd == 0)
104 return 0;
103 return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid; 105 return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
104} 106}
105 107
diff --git a/debian/changelog b/debian/changelog
index b691f4231..7c0c9b952 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,13 @@
1openssh (1:3.6.1p2-6) UNRELEASED; urgency=low 1openssh (1:3.6.1p2-6) UNRELEASED; urgency=medium
2 2
3 * Use a more CVS-friendly means of setting SSH_VERSION. 3 * Use a more CVS-friendly means of setting SSH_VERSION.
4 * Update Brazilian Portuguese debconf template translation (thanks, Andre 4 * Update Brazilian Portuguese debconf template translation (thanks, Andre
5 Luis Lopes; closes: #208036). 5 Luis Lopes; closes: #208036).
6 * Don't run 'sshd -t' in init script if the server isn't to be run 6 * Don't run 'sshd -t' in init script if the server isn't to be run
7 (closes: #197576). 7 (closes: #197576).
8 * Fix login delay, spurious auth.log entry, and PermitRootLogin
9 information leakage due to PAM issues with upstream's recent security
10 update (thanks, Darren Tucker; closes: #99168, #192207, #193546).
8 * Policy version 3.6.1: recode this changelog to UTF-8. 11 * Policy version 3.6.1: recode this changelog to UTF-8.
9 12
10 -- Colin Watson <cjwatson@debian.org> Mon, 1 Sep 2003 23:56:57 +0100 13 -- Colin Watson <cjwatson@debian.org> Mon, 1 Sep 2003 23:56:57 +0100
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-31 03:47:23 +0000