diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2005-01-20 13:27:56 +1100 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2005-01-20 13:27:56 +1100 |
| commit | d231186fd0acb8fee480faf61c4e9e4cc6186faf (patch) | |
| tree | 8694e5e7b33ad54e28ef15369938755373423c02 | |
| parent | 36a3d60347f23528695e550317d5ba6d63e6b0f4 (diff) | |
- djm@cvs.openbsd.org 2004/12/22 02:13:19
[cipher-ctr.c cipher.c]
remove fallback AES support for old OpenSSL, as OpenBSD has had it for
many years now; ok deraadt@
(Id sync only: Portable will continue to support older OpenSSLs)
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | auth-pam.c | 26 | ||||
| -rw-r--r-- | cipher-ctr.c | 2 | ||||
| -rw-r--r-- | cipher.c | 2 |
4 files changed, 24 insertions, 13 deletions
| @@ -30,6 +30,11 @@ | |||
| 30 | behaviour for bsdauth is maintained by checking authctxt->valid in the | 30 | behaviour for bsdauth is maintained by checking authctxt->valid in the |
| 31 | bsdauth driver. Note that any third-party kbdint drivers will now need | 31 | bsdauth driver. Note that any third-party kbdint drivers will now need |
| 32 | to be able to handle responses for invalid logins. ok markus@ | 32 | to be able to handle responses for invalid logins. ok markus@ |
| 33 | - djm@cvs.openbsd.org 2004/12/22 02:13:19 | ||
| 34 | [cipher-ctr.c cipher.c] | ||
| 35 | remove fallback AES support for old OpenSSL, as OpenBSD has had it for | ||
| 36 | many years now; ok deraadt@ | ||
| 37 | (Id sync only: Portable will continue to support older OpenSSLs) | ||
| 33 | - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user | 38 | - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user |
| 34 | existence via keyboard-interactive/pam, in conjunction with previous | 39 | existence via keyboard-interactive/pam, in conjunction with previous |
| 35 | auth2-chall.c change; with Colin Watson and djm. | 40 | auth2-chall.c change; with Colin Watson and djm. |
| @@ -2005,4 +2010,4 @@ | |||
| 2005 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 2010 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
| 2006 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 2011 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
| 2007 | 2012 | ||
| 2008 | $Id: ChangeLog,v 1.3617 2005/01/20 01:43:38 dtucker Exp $ | 2013 | $Id: ChangeLog,v 1.3618 2005/01/20 02:27:56 dtucker Exp $ |
diff --git a/auth-pam.c b/auth-pam.c index 996964fcd..5bffe338f 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
| @@ -47,7 +47,7 @@ | |||
| 47 | 47 | ||
| 48 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ | 48 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ |
| 49 | #include "includes.h" | 49 | #include "includes.h" |
| 50 | RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $"); | 50 | RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $"); |
| 51 | 51 | ||
| 52 | #ifdef USE_PAM | 52 | #ifdef USE_PAM |
| 53 | #if defined(HAVE_SECURITY_PAM_APPL_H) | 53 | #if defined(HAVE_SECURITY_PAM_APPL_H) |
| @@ -245,6 +245,17 @@ sshpam_password_change_required(int reqd) | |||
| 245 | } | 245 | } |
| 246 | } | 246 | } |
| 247 | 247 | ||
| 248 | /* Check ssh internal flags in addition to PAM */ | ||
| 249 | |||
| 250 | static int | ||
| 251 | sshpam_login_allowed(Authctxt *ctxt) | ||
| 252 | { | ||
| 253 | if (ctxt->valid && (ctxt->pw->pw_uid != 0 || | ||
| 254 | options.permit_root_login == PERMIT_YES)) | ||
| 255 | return 1; | ||
| 256 | return 0; | ||
| 257 | } | ||
| 258 | |||
| 248 | /* Import regular and PAM environment from subprocess */ | 259 | /* Import regular and PAM environment from subprocess */ |
| 249 | static void | 260 | static void |
| 250 | import_environments(Buffer *b) | 261 | import_environments(Buffer *b) |
| @@ -702,9 +713,7 @@ sshpam_query(void *ctx, char **name, char **info, | |||
| 702 | **prompts = NULL; | 713 | **prompts = NULL; |
| 703 | } | 714 | } |
| 704 | if (type == PAM_SUCCESS) { | 715 | if (type == PAM_SUCCESS) { |
| 705 | if (!sshpam_authctxt->valid || | 716 | if (!sshpam_login_allowed(sshpam_authctxt)) |
| 706 | (sshpam_authctxt->pw->pw_uid == 0 && | ||
| 707 | options.permit_root_login != PERMIT_YES)) | ||
| 708 | fatal("Internal error: PAM auth " | 717 | fatal("Internal error: PAM auth " |
| 709 | "succeeded when it should have " | 718 | "succeeded when it should have " |
| 710 | "failed"); | 719 | "failed"); |
| @@ -753,9 +762,7 @@ sshpam_respond(void *ctx, u_int num, char **resp) | |||
| 753 | return (-1); | 762 | return (-1); |
| 754 | } | 763 | } |
| 755 | buffer_init(&buffer); | 764 | buffer_init(&buffer); |
| 756 | if (sshpam_authctxt->valid && | 765 | if (sshpam_login_allowed(sshpam_authctxt)) |
| 757 | (sshpam_authctxt->pw->pw_uid != 0 || | ||
| 758 | options.permit_root_login == PERMIT_YES)) | ||
| 759 | buffer_put_cstring(&buffer, *resp); | 766 | buffer_put_cstring(&buffer, *resp); |
| 760 | else | 767 | else |
| 761 | buffer_put_cstring(&buffer, badpw); | 768 | buffer_put_cstring(&buffer, badpw); |
| @@ -1118,8 +1125,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) | |||
| 1118 | * by PermitRootLogin, use an invalid password to prevent leaking | 1125 | * by PermitRootLogin, use an invalid password to prevent leaking |
| 1119 | * information via timing (eg if the PAM config has a delay on fail). | 1126 | * information via timing (eg if the PAM config has a delay on fail). |
| 1120 | */ | 1127 | */ |
| 1121 | if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && | 1128 | if (!sshpam_login_allowed(authctxt)) |
| 1122 | options.permit_root_login != PERMIT_YES)) | ||
| 1123 | sshpam_password = badpw; | 1129 | sshpam_password = badpw; |
| 1124 | 1130 | ||
| 1125 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | 1131 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, |
| @@ -1130,7 +1136,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) | |||
| 1130 | 1136 | ||
| 1131 | sshpam_err = pam_authenticate(sshpam_handle, flags); | 1137 | sshpam_err = pam_authenticate(sshpam_handle, flags); |
| 1132 | sshpam_password = NULL; | 1138 | sshpam_password = NULL; |
| 1133 | if (sshpam_err == PAM_SUCCESS && authctxt->valid) { | 1139 | if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) { |
| 1134 | debug("PAM: password authentication accepted for %.100s", | 1140 | debug("PAM: password authentication accepted for %.100s", |
| 1135 | authctxt->user); | 1141 | authctxt->user); |
| 1136 | return 1; | 1142 | return 1; |
diff --git a/cipher-ctr.c b/cipher-ctr.c index 395dabedd..43f1ede57 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c | |||
| @@ -14,7 +14,7 @@ | |||
| 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 15 | */ | 15 | */ |
| 16 | #include "includes.h" | 16 | #include "includes.h" |
| 17 | RCSID("$OpenBSD: cipher-ctr.c,v 1.4 2004/02/06 23:41:13 dtucker Exp $"); | 17 | RCSID("$OpenBSD: cipher-ctr.c,v 1.5 2004/12/22 02:13:19 djm Exp $"); |
| 18 | 18 | ||
| 19 | #include <openssl/evp.h> | 19 | #include <openssl/evp.h> |
| 20 | 20 | ||
| @@ -35,7 +35,7 @@ | |||
| 35 | */ | 35 | */ |
| 36 | 36 | ||
| 37 | #include "includes.h" | 37 | #include "includes.h" |
| 38 | RCSID("$OpenBSD: cipher.c,v 1.71 2004/07/28 09:40:29 markus Exp $"); | 38 | RCSID("$OpenBSD: cipher.c,v 1.72 2004/12/22 02:13:19 djm Exp $"); |
| 39 | 39 | ||
| 40 | #include "xmalloc.h" | 40 | #include "xmalloc.h" |
| 41 | #include "log.h" | 41 | #include "log.h" |