author | Darren Tucker <dtucker@zip.com.au> | 2005-01-20 13:27:56 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2005-01-20 13:27:56 +1100 |
commit | d231186fd0acb8fee480faf61c4e9e4cc6186faf (patch) | |
tree | 8694e5e7b33ad54e28ef15369938755373423c02 /auth-pam.c | |
parent | 36a3d60347f23528695e550317d5ba6d63e6b0f4 (diff) |
- djm@cvs.openbsd.org 2004/12/22 02:13:19
[cipher-ctr.c cipher.c]
remove fallback AES support for old OpenSSL, as OpenBSD has had it for
many years now; ok deraadt@
(Id sync only: Portable will continue to support older OpenSSLs)
Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 26 |
1 files changed, 16 insertions, 10 deletions
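--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -245,6 +245,17 @@ sshpam_password_change_required(int reqd)
 }
 }
 
+/* Check ssh internal flags in addition to PAM */
+
+static int
+sshpam_login_allowed(Authctxt *ctxt)
+{
+if (ctxt->valid && (ctxt->pw->pw_uid != 0 ||
+options.permit_root_login == PERMIT_YES))
+return 1;
+return 0;
+}
+
 /* Import regular and PAM environment from subprocess */
 static void
 import_environments(Buffer *b)
@@ -702,9 +713,7 @@ sshpam_query(void *ctx, char **name, char **info,
 **prompts = NULL;
 }
 if (type == PAM_SUCCESS) {
-if (!sshpam_authctxt->valid ||
-(sshpam_authctxt->pw->pw_uid == 0 &&
-options.permit_root_login != PERMIT_YES))
+if (!sshpam_login_allowed(sshpam_authctxt))
 fatal("Internal error: PAM auth "
 "succeeded when it should have "
 "failed");
@@ -753,9 +762,7 @@ sshpam_respond(void *ctx, u_int num, char **resp)
 return (-1);
 }
 buffer_init(&buffer);
-if (sshpam_authctxt->valid &&
-(sshpam_authctxt->pw->pw_uid != 0 ||
-options.permit_root_login == PERMIT_YES))
+if (sshpam_login_allowed(sshpam_authctxt))
 buffer_put_cstring(&buffer, *resp);
 else
 buffer_put_cstring(&buffer, badpw);
@@ -1118,8 +1125,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 * by PermitRootLogin, use an invalid password to prevent leaking
 * information via timing (eg if the PAM config has a delay on fail).
 */
-if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
-options.permit_root_login != PERMIT_YES))
+if (!sshpam_login_allowed(authctxt))
 sshpam_password = badpw;
 
 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
@@ -1130,7 +1136,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 
 sshpam_err = pam_authenticate(sshpam_handle, flags);
 sshpam_password = NULL;
-if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) {
 debug("PAM: password authentication accepted for %.100s",
 authctxt->user);
 return 1;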
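Review bot: The comment above the new `sshpam_login_allowed()` (second hunk) does not state the policy the helper enforces, although every PAM accept/reject decision in this file now goes through it. I would replace it with `/* Return 1 only if the user is valid and, for uid 0, PermitRootLogin is exactly "yes"; ctxt->pw is only read once ctxt->valid is known to be set. */` so that nobody later widens the `== PERMIT_YES` test without seeing that the other PermitRootLogin settings are meant to deny root on the PAM password paths. The last hunk is also a behaviour change rather than a pure refactor: `sshpam_auth_passwd()` used to accept on `sshpam_err == PAM_SUCCESS && authctxt->valid` and now additionally refuses root unless PermitRootLogin is yes. That looks like the intended tightening, but the commit description shown here does not mention it. The callers' bodies continue outside their hunks, so whether the failure branch after that test still reports a sensible reason when `sshpam_err` is `PAM_SUCCESS` cannot be confirmed from this view.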