diff options
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | auth-pam.c | 12 |
2 files changed, 16 insertions, 3 deletions
| @@ -1,6 +1,9 @@ | |||
| 1 | 20040530 | 1 | 20040530 |
| 2 | - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c]: Bug #874: Re-add PAM | 2 | - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c] Bug #874: Re-add PAM |
| 3 | support for PasswordAuthentication=yes. ok djm@ | 3 | support for PasswordAuthentication=yes. ok djm@ |
| 4 | - (dtucker) [auth-pam.c] Use an invalid password for root if | ||
| 5 | PermitRootLogin != yes or the login is invalid, to prevent leaking | ||
| 6 | information. Based on Openwall's owl-always-auth patch. ok djm@ | ||
| 4 | 7 | ||
| 5 | 20040527 | 8 | 20040527 |
| 6 | - (dtucker) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec | 9 | - (dtucker) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec |
| @@ -1167,4 +1170,4 @@ | |||
| 1167 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 1170 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
| 1168 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 1171 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
| 1169 | 1172 | ||
| 1170 | $Id: ChangeLog,v 1.3369 2004/05/30 10:43:59 dtucker Exp $ | 1173 | $Id: ChangeLog,v 1.3370 2004/05/30 12:04:56 dtucker Exp $ |
diff --git a/auth-pam.c b/auth-pam.c index 8de90a37a..b6fc49ee8 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
| @@ -31,7 +31,7 @@ | |||
| 31 | 31 | ||
| 32 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ | 32 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ |
| 33 | #include "includes.h" | 33 | #include "includes.h" |
| 34 | RCSID("$Id: auth-pam.c,v 1.103 2004/05/30 10:43:59 dtucker Exp $"); | 34 | RCSID("$Id: auth-pam.c,v 1.104 2004/05/30 12:04:56 dtucker Exp $"); |
| 35 | 35 | ||
| 36 | #ifdef USE_PAM | 36 | #ifdef USE_PAM |
| 37 | #if defined(HAVE_SECURITY_PAM_APPL_H) | 37 | #if defined(HAVE_SECURITY_PAM_APPL_H) |
| @@ -1021,6 +1021,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) | |||
| 1021 | { | 1021 | { |
| 1022 | int flags = (options.permit_empty_passwd == 0 ? | 1022 | int flags = (options.permit_empty_passwd == 0 ? |
| 1023 | PAM_DISALLOW_NULL_AUTHTOK : 0); | 1023 | PAM_DISALLOW_NULL_AUTHTOK : 0); |
| 1024 | static char badpw[] = "\b\n\r\177INCORRECT"; | ||
| 1024 | 1025 | ||
| 1025 | if (!options.use_pam || sshpam_handle == NULL) | 1026 | if (!options.use_pam || sshpam_handle == NULL) |
| 1026 | fatal("PAM: %s called when PAM disabled or failed to " | 1027 | fatal("PAM: %s called when PAM disabled or failed to " |
| @@ -1029,6 +1030,15 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) | |||
| 1029 | sshpam_password = password; | 1030 | sshpam_password = password; |
| 1030 | sshpam_authctxt = authctxt; | 1031 | sshpam_authctxt = authctxt; |
| 1031 | 1032 | ||
| 1033 | /* | ||
| 1034 | * If the user logging in is invalid, or is root but is not permitted | ||
| 1035 | * by PermitRootLogin, use an invalid password to prevent leaking | ||
| 1036 | * information via timing (eg if the PAM config has a delay on fail). | ||
| 1037 | */ | ||
| 1038 | if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && | ||
| 1039 | options.permit_root_login != PERMIT_YES)) | ||
| 1040 | sshpam_password = badpw; | ||
| 1041 | |||
| 1032 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | 1042 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, |
| 1033 | (const void *)&passwd_conv); | 1043 | (const void *)&passwd_conv); |
| 1034 | if (sshpam_err != PAM_SUCCESS) | 1044 | if (sshpam_err != PAM_SUCCESS) |