summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2004-11-28 12:31:03 +0000
committerColin Watson <cjwatson@debian.org>2004-11-28 12:31:03 +0000
commit9ebd617cc085a14c1a197f140b037a3679ba3e2e (patch)
tree2250f61f7e87ee984ca9b8c3d47b63c283c072f3
parent4ce1a4433f9ee75c4c5508db6e499db725882887 (diff)
Fix timing information leak allowing discovery of invalid usernames in PAM
keyboard-interactive authentication (backported from a patch by Darren Tucker; closes: #281595).
Diffstat
-rw-r--r--auth-pam.c6
-rw-r--r--auth2-chall.c11
-rw-r--r--debian/changelog8
3 files changed, 17 insertions, 8 deletions
diff --git a/auth-pam.c b/auth-pam.c
index 701d85b64..ec3b74951 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -169,6 +169,7 @@ static int sshpam_cred_established = 0;
169static int sshpam_account_status = -1; 169static int sshpam_account_status = -1;
170static char **sshpam_env = NULL; 170static char **sshpam_env = NULL;
171static Authctxt *sshpam_authctxt = NULL; 171static Authctxt *sshpam_authctxt = NULL;
172static char badpw[] = "\b\n\r\177INCORRECT";
172 173
173/* Some PAM implementations don't implement this */ 174/* Some PAM implementations don't implement this */
174#ifndef HAVE_PAM_GETENVLIST 175#ifndef HAVE_PAM_GETENVLIST
@@ -644,7 +645,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
644 return (-1); 645 return (-1);
645 } 646 }
646 buffer_init(&buffer); 647 buffer_init(&buffer);
647 buffer_put_cstring(&buffer, *resp); 648 if (sshpam_authctxt->valid)
649 buffer_put_cstring(&buffer, *resp);
650 else
651 buffer_put_cstring(&buffer, badpw);
648 if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { 652 if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
649 buffer_free(&buffer); 653 buffer_free(&buffer);
650 return (-1); 654 return (-1);
diff --git a/auth2-chall.c b/auth2-chall.c
index aacbf0bcc..0f08b05c6 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -275,12 +275,9 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
275 } 275 }
276 packet_check_eom(); 276 packet_check_eom();
277 277
278 if (authctxt->valid) { 278 res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
279 res = kbdintctxt->device->respond(kbdintctxt->ctxt, 279 if (!authctxt->valid)
280 nresp, response); 280 res = 1; /* keep going if login invalid */
281 } else {
282 res = -1;
283 }
284 281
285 for (i = 0; i < nresp; i++) { 282 for (i = 0; i < nresp; i++) {
286 memset(response[i], 'r', strlen(response[i])); 283 memset(response[i], 'r', strlen(response[i]));
@@ -292,7 +289,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
292 switch (res) { 289 switch (res) {
293 case 0: 290 case 0:
294 /* Success! */ 291 /* Success! */
295 authenticated = 1; 292 authenticated = authctxt->valid ? 1 : 0;
296 break; 293 break;
297 case 1: 294 case 1:
298 /* Authentication needs further interaction */ 295 /* Authentication needs further interaction */
diff --git a/debian/changelog b/debian/changelog
index 4a53bef7e..8693c48ef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
1openssh (1:3.8.1p1-8.sarge.4) UNRELEASED; urgency=high
2
3 * Fix timing information leak allowing discovery of invalid usernames in
4 PAM keyboard-interactive authentication (backported from a patch by
5 Darren Tucker; closes: #281595).
6
7 -- Colin Watson <cjwatson@debian.org> Sun, 28 Nov 2004 12:12:55 +0000
8
1openssh (1:3.8.1p1-8.sarge.3) unstable; urgency=low 9openssh (1:3.8.1p1-8.sarge.3) unstable; urgency=low
2 10
3 * Enable threading for PAM, on Sam Hartman's advice (closes: #278394). 11 * Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-30 01:35:57 +0000