-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | UPGRADING | 8 | ||||
-rw-r--r-- | sshd.c | 19 |
3 files changed, 21 insertions, 10 deletions
@@ -3,6 +3,10 @@ | |||
3 | - Cleanup sshd.c PAM a little more | 3 | - Cleanup sshd.c PAM a little more |
4 | - Revised RPM package to include Jim Knoble's <jmknoble@pobox.com> | 4 | - Revised RPM package to include Jim Knoble's <jmknoble@pobox.com> |
5 | X11 ssh-askpass program. | 5 | X11 ssh-askpass program. |
6 | - Disable logging of PAM success and failures, PAM is verbose enough. | ||
7 | Unfortunatly there is currently no way to disable auth failure | ||
8 | messages. Mention this in UPGRADING file and sent message to PAM | ||
9 | developers | ||
6 | 10 | ||
7 | 19991225 | 11 | 19991225 |
8 | - More fixes from Andre Lucas <andre.lucas@dial.pipex.com> | 12 | - More fixes from Andre Lucas <andre.lucas@dial.pipex.com> |
@@ -45,3 +45,11 @@ rid yourself of these message, edit you known_hosts files and replace | |||
45 | the incorrect key length (usually "1024") with the correct key length | 45 | the incorrect key length (usually "1024") with the correct key length |
46 | (usually "1023"). | 46 | (usually "1023"). |
47 | 47 | ||
48 | 5. Spurious PAM authentication messages in logfiles | ||
49 | |||
50 | OpenSSH will generate spurious authentication failures at every login, | ||
51 | similar to "authentication failure; (uid=0) -> root for sshd service". | ||
52 | These are generated because OpenSSH first tries to determine whether a | ||
53 | user needs authentication to login (e.g. empty password). Unfortunatly | ||
54 | PAM likes to log all authentication events, this one included. | ||
55 | |||
@@ -11,7 +11,7 @@ | |||
11 | */ | 11 | */ |
12 | 12 | ||
13 | #include "includes.h" | 13 | #include "includes.h" |
14 | RCSID("$Id: sshd.c,v 1.42 1999/12/26 02:31:06 damien Exp $"); | 14 | RCSID("$Id: sshd.c,v 1.43 1999/12/26 03:04:33 damien Exp $"); |
15 | 15 | ||
16 | #ifdef HAVE_POLL_H | 16 | #ifdef HAVE_POLL_H |
17 | # include <poll.h> | 17 | # include <poll.h> |
@@ -146,7 +146,7 @@ void do_child(const char *command, struct passwd * pw, const char *term, | |||
146 | #ifdef HAVE_LIBPAM | 146 | #ifdef HAVE_LIBPAM |
147 | static int pamconv(int num_msg, const struct pam_message **msg, | 147 | static int pamconv(int num_msg, const struct pam_message **msg, |
148 | struct pam_response **resp, void *appdata_ptr); | 148 | struct pam_response **resp, void *appdata_ptr); |
149 | int do_pam_auth(const char *user, const char *password, int quiet); | 149 | int do_pam_auth(const char *user, const char *password); |
150 | void do_pam_account(char *username, char *remote_user); | 150 | void do_pam_account(char *username, char *remote_user); |
151 | void do_pam_session(char *username, char *ttyname); | 151 | void do_pam_session(char *username, char *ttyname); |
152 | void pam_cleanup_proc(void *context); | 152 | void pam_cleanup_proc(void *context); |
@@ -238,20 +238,19 @@ void pam_cleanup_proc(void *context) | |||
238 | } | 238 | } |
239 | } | 239 | } |
240 | 240 | ||
241 | int do_pam_auth(const char *user, const char *password, int quiet) | 241 | int do_pam_auth(const char *user, const char *password) |
242 | { | 242 | { |
243 | int pam_retval; | 243 | int pam_retval; |
244 | 244 | ||
245 | pampasswd = password; | 245 | pampasswd = password; |
246 | 246 | ||
247 | pam_retval = pam_authenticate((pam_handle_t *)pamh, quiet?PAM_SILENT:0); | 247 | pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); |
248 | if (pam_retval == PAM_SUCCESS) { | 248 | if (pam_retval == PAM_SUCCESS) { |
249 | log("PAM Password authentication accepted for user \"%.100s\"", user); | 249 | debug("PAM Password authentication accepted for user \"%.100s\"", user); |
250 | return 1; | 250 | return 1; |
251 | } else { | 251 | } else { |
252 | if (!quiet) | 252 | debug("PAM Password authentication for \"%.100s\" failed: %s", |
253 | log("PAM Password authentication for \"%.100s\" failed: %s", | 253 | user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); |
254 | user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); | ||
255 | return 0; | 254 | return 0; |
256 | } | 255 | } |
257 | } | 256 | } |
@@ -1312,7 +1311,7 @@ do_authentication(char *user) | |||
1312 | (!options.kerberos_authentication || options.kerberos_or_local_passwd) && | 1311 | (!options.kerberos_authentication || options.kerberos_or_local_passwd) && |
1313 | #endif /* KRB4 */ | 1312 | #endif /* KRB4 */ |
1314 | #ifdef HAVE_LIBPAM | 1313 | #ifdef HAVE_LIBPAM |
1315 | do_pam_auth(pw->pw_name, "", 1)) { | 1314 | do_pam_auth(pw->pw_name, "")) { |
1316 | #else /* HAVE_LIBPAM */ | 1315 | #else /* HAVE_LIBPAM */ |
1317 | auth_password(pw, "")) { | 1316 | auth_password(pw, "")) { |
1318 | #endif /* HAVE_LIBPAM */ | 1317 | #endif /* HAVE_LIBPAM */ |
@@ -1523,7 +1522,7 @@ do_authloop(struct passwd * pw) | |||
1523 | 1522 | ||
1524 | #ifdef HAVE_LIBPAM | 1523 | #ifdef HAVE_LIBPAM |
1525 | /* Do PAM auth with password */ | 1524 | /* Do PAM auth with password */ |
1526 | authenticated = do_pam_auth(pw->pw_name, password, 0); | 1525 | authenticated = do_pam_auth(pw->pw_name, password); |
1527 | #else /* HAVE_LIBPAM */ | 1526 | #else /* HAVE_LIBPAM */ |
1528 | /* Try authentication with the password. */ | 1527 | /* Try authentication with the password. */ |
1529 | authenticated = auth_password(pw, password); | 1528 | authenticated = auth_password(pw, password); |
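Review bot: In do_pam_auth (new lines 247-254) both the accepted and the failed outcome now go to debug(), so at the default log level sshd itself records nothing about a PAM password attempt and the audit trail depends entirely on what the configured PAM modules log. With the `quiet` argument removed, the empty-password probe in do_authentication (new line 1314) and the real attempt in do_authloop (new line 1525) can no longer be told apart inside the function, and the UPGRADING text in this same commit says the probe produces a PAM failure record at every login, which anything counting authentication failures will have to filter out. I would keep one log()-level line for the real attempt at the do_authloop call site, for example `if (!authenticated) log("PAM password authentication failed for \"%.100s\"", pw->pw_name);`, unless do_authloop already reports the failure further down, which these hunks do not show. A short comment above the probe, such as `/* Empty-password probe: PAM logs a failure here for every account that has a password */`, would also tell the next reader why those entries appear. do_authentication and do_authloop both start and end outside the hunks.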