- djm@cvs.openbsd.org 2004/12/22 02:13:19

[cipher-ctr.c cipher.c] remove fallback AES support for old OpenSSL, as OpenBSD has had it for many years now; ok deraadt@ (Id sync only: Portable will continue to support older OpenSSLs)
author: Darren Tucker <dtucker@zip.com.au> 2005-01-20 13:27:56 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2005-01-20 13:27:56 +1100
commit: d231186fd0acb8fee480faf61c4e9e4cc6186faf (patch)
tree: 8694e5e7b33ad54e28ef15369938755373423c02 /auth-pam.c
parent: 36a3d60347f23528695e550317d5ba6d63e6b0f4 (diff)
1 files changed, 16 insertions, 10 deletions
diff --git a/auth-pam.c b/auth-pam.c
index 996964fcd..5bffe338f 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $");
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -245,6 +245,17 @@ sshpam_password_change_required(int reqd)
        }
 }
+/* Check ssh internal flags in addition to PAM */
+static int
+sshpam_login_allowed(Authctxt *ctxt)
+{
+        if (ctxt->valid && (ctxt->pw->pw_uid != 0 ||
+            options.permit_root_login == PERMIT_YES))
+                return 1;
+        return 0;
+}
 /* Import regular and PAM environment from subprocess */
 static void
 import_environments(Buffer *b)
@@ -702,9 +713,7 @@ sshpam_query(void *ctx, char **name, char **info,
                                **prompts = NULL;
                        }
                        if (type == PAM_SUCCESS) {
-                                if (!sshpam_authctxt->valid ||
+                                if (!sshpam_login_allowed(sshpam_authctxt))
-                                    (sshpam_authctxt->pw->pw_uid == 0 &&
-                                    options.permit_root_login != PERMIT_YES))
                                        fatal("Internal error: PAM auth "
                                            "succeeded when it should have "
                                            "failed");
@@ -753,9 +762,7 @@ sshpam_respond(void *ctx, u_int num, char **resp)
                return (-1);
        }
        buffer_init(&buffer);
-        if (sshpam_authctxt->valid &&
+        if (sshpam_login_allowed(sshpam_authctxt))
-            (sshpam_authctxt->pw->pw_uid != 0 ||
-             options.permit_root_login == PERMIT_YES))
                buffer_put_cstring(&buffer, *resp);
        else
                buffer_put_cstring(&buffer, badpw);
@@ -1118,8 +1125,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
         * by PermitRootLogin, use an invalid password to prevent leaking
         * information via timing (eg if the PAM config has a delay on fail).
         */
-        if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
+        if (!sshpam_login_allowed(authctxt))
-             options.permit_root_login != PERMIT_YES))
                sshpam_password = badpw;
        sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
@@ -1130,7 +1136,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
        sshpam_err = pam_authenticate(sshpam_handle, flags);
        sshpam_password = NULL;
-        if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+        if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) {
                debug("PAM: password authentication accepted for %.100s",
                    authctxt->user);
               return 1;
author	Darren Tucker <dtucker@zip.com.au>	2005-01-20 13:27:56 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2005-01-20 13:27:56 +1100
commit	d231186fd0acb8fee480faf61c4e9e4cc6186faf (patch)
tree	8694e5e7b33ad54e28ef15369938755373423c02 /auth-pam.c
parent	36a3d60347f23528695e550317d5ba6d63e6b0f4 (diff)