diff options
| -rw-r--r-- | auth-pam.c | 6 | ||||
| -rw-r--r-- | auth2-chall.c | 11 | ||||
| -rw-r--r-- | debian/changelog | 3 |
3 files changed, 12 insertions, 8 deletions
diff --git a/auth-pam.c b/auth-pam.c index 701d85b64..ec3b74951 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
| @@ -169,6 +169,7 @@ static int sshpam_cred_established = 0; | |||
| 169 | static int sshpam_account_status = -1; | 169 | static int sshpam_account_status = -1; |
| 170 | static char **sshpam_env = NULL; | 170 | static char **sshpam_env = NULL; |
| 171 | static Authctxt *sshpam_authctxt = NULL; | 171 | static Authctxt *sshpam_authctxt = NULL; |
| 172 | static char badpw[] = "\b\n\r\177INCORRECT"; | ||
| 172 | 173 | ||
| 173 | /* Some PAM implementations don't implement this */ | 174 | /* Some PAM implementations don't implement this */ |
| 174 | #ifndef HAVE_PAM_GETENVLIST | 175 | #ifndef HAVE_PAM_GETENVLIST |
| @@ -644,7 +645,10 @@ sshpam_respond(void *ctx, u_int num, char **resp) | |||
| 644 | return (-1); | 645 | return (-1); |
| 645 | } | 646 | } |
| 646 | buffer_init(&buffer); | 647 | buffer_init(&buffer); |
| 647 | buffer_put_cstring(&buffer, *resp); | 648 | if (sshpam_authctxt->valid) |
| 649 | buffer_put_cstring(&buffer, *resp); | ||
| 650 | else | ||
| 651 | buffer_put_cstring(&buffer, badpw); | ||
| 648 | if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { | 652 | if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { |
| 649 | buffer_free(&buffer); | 653 | buffer_free(&buffer); |
| 650 | return (-1); | 654 | return (-1); |
diff --git a/auth2-chall.c b/auth2-chall.c index aacbf0bcc..0f08b05c6 100644 --- a/auth2-chall.c +++ b/auth2-chall.c | |||
| @@ -275,12 +275,9 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) | |||
| 275 | } | 275 | } |
| 276 | packet_check_eom(); | 276 | packet_check_eom(); |
| 277 | 277 | ||
| 278 | if (authctxt->valid) { | 278 | res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response); |
| 279 | res = kbdintctxt->device->respond(kbdintctxt->ctxt, | 279 | if (!authctxt->valid) |
| 280 | nresp, response); | 280 | res = 1; /* keep going if login invalid */ |
| 281 | } else { | ||
| 282 | res = -1; | ||
| 283 | } | ||
| 284 | 281 | ||
| 285 | for (i = 0; i < nresp; i++) { | 282 | for (i = 0; i < nresp; i++) { |
| 286 | memset(response[i], 'r', strlen(response[i])); | 283 | memset(response[i], 'r', strlen(response[i])); |
| @@ -292,7 +289,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) | |||
| 292 | switch (res) { | 289 | switch (res) { |
| 293 | case 0: | 290 | case 0: |
| 294 | /* Success! */ | 291 | /* Success! */ |
| 295 | authenticated = 1; | 292 | authenticated = authctxt->valid ? 1 : 0; |
| 296 | break; | 293 | break; |
| 297 | case 1: | 294 | case 1: |
| 298 | /* Authentication needs further interaction */ | 295 | /* Authentication needs further interaction */ |
diff --git a/debian/changelog b/debian/changelog index 19840ae9b..81e80f639 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,6 +1,9 @@ | |||
| 1 | openssh (1:3.8.1p1-14) UNRELEASED; urgency=low | 1 | openssh (1:3.8.1p1-14) UNRELEASED; urgency=low |
| 2 | 2 | ||
| 3 | * We use DH_COMPAT=2, so build-depend on debhelper (>= 2). | 3 | * We use DH_COMPAT=2, so build-depend on debhelper (>= 2). |
| 4 | * Fix timing information leak allowing discovery of invalid usernames in | ||
| 5 | PAM keyboard-interactive authentication (backported from a patch by | ||
| 6 | Darren Tucker; closes: #281595). | ||
| 4 | 7 | ||
| 5 | -- Colin Watson <cjwatson@debian.org> Sun, 28 Nov 2004 17:52:23 +0000 | 8 | -- Colin Watson <cjwatson@debian.org> Sun, 28 Nov 2004 17:52:23 +0000 |
| 6 | 9 | ||