diff options
| -rw-r--r-- | auth-passwd.c | 8 | ||||
| -rw-r--r-- | auth1.c | 2 | ||||
| -rw-r--r-- | auth2-none.c | 2 | ||||
| -rw-r--r-- | debian/changelog | 5 |
4 files changed, 15 insertions, 2 deletions
diff --git a/auth-passwd.c b/auth-passwd.c index 62ea3a52d..2307c1e5e 100644 --- a/auth-passwd.c +++ b/auth-passwd.c | |||
| @@ -125,6 +125,14 @@ auth_password(Authctxt *authctxt, const char *password) | |||
| 125 | ok = 0; | 125 | ok = 0; |
| 126 | 126 | ||
| 127 | #if defined(USE_PAM) | 127 | #if defined(USE_PAM) |
| 128 | /* | ||
| 129 | * If the user logging in is root and RootLogin=no, always attempt | ||
| 130 | * an invalid root login to prevent leaking timing information | ||
| 131 | */ | ||
| 132 | if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) { | ||
| 133 | auth_pam_password(authctxt, "\b\n\r\177INCORRECT"); | ||
| 134 | return 0; | ||
| 135 | } | ||
| 128 | return auth_pam_password(authctxt, password) && ok; | 136 | return auth_pam_password(authctxt, password) && ok; |
| 129 | #elif defined(HAVE_OSF_SIA) | 137 | #elif defined(HAVE_OSF_SIA) |
| 130 | if (!ok) | 138 | if (!ok) |
| @@ -80,7 +80,7 @@ do_authloop(Authctxt *authctxt) | |||
| 80 | authctxt->valid ? "" : "illegal user ", authctxt->user); | 80 | authctxt->valid ? "" : "illegal user ", authctxt->user); |
| 81 | 81 | ||
| 82 | /* If the user has no password, accept authentication immediately. */ | 82 | /* If the user has no password, accept authentication immediately. */ |
| 83 | if (options.password_authentication && | 83 | if (options.password_authentication && options.permit_empty_passwd && |
| 84 | #if defined(KRB4) || defined(KRB5) | 84 | #if defined(KRB4) || defined(KRB5) |
| 85 | (!options.kerberos_authentication || options.kerberos_or_local_passwd) && | 85 | (!options.kerberos_authentication || options.kerberos_or_local_passwd) && |
| 86 | #endif | 86 | #endif |
diff --git a/auth2-none.c b/auth2-none.c index 692a2961f..46a4c617e 100644 --- a/auth2-none.c +++ b/auth2-none.c | |||
| @@ -100,6 +100,8 @@ userauth_none(Authctxt *authctxt) | |||
| 100 | if (check_nt_auth(1, authctxt->pw) == 0) | 100 | if (check_nt_auth(1, authctxt->pw) == 0) |
| 101 | return(0); | 101 | return(0); |
| 102 | #endif | 102 | #endif |
| 103 | if (options.permit_empty_passwd == 0) | ||
| 104 | return 0; | ||
| 103 | return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid; | 105 | return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid; |
| 104 | } | 106 | } |
| 105 | 107 | ||
diff --git a/debian/changelog b/debian/changelog index b691f4231..7c0c9b952 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,10 +1,13 @@ | |||
| 1 | openssh (1:3.6.1p2-6) UNRELEASED; urgency=low | 1 | openssh (1:3.6.1p2-6) UNRELEASED; urgency=medium |
| 2 | 2 | ||
| 3 | * Use a more CVS-friendly means of setting SSH_VERSION. | 3 | * Use a more CVS-friendly means of setting SSH_VERSION. |
| 4 | * Update Brazilian Portuguese debconf template translation (thanks, Andre | 4 | * Update Brazilian Portuguese debconf template translation (thanks, Andre |
| 5 | Luis Lopes; closes: #208036). | 5 | Luis Lopes; closes: #208036). |
| 6 | * Don't run 'sshd -t' in init script if the server isn't to be run | 6 | * Don't run 'sshd -t' in init script if the server isn't to be run |
| 7 | (closes: #197576). | 7 | (closes: #197576). |
| 8 | * Fix login delay, spurious auth.log entry, and PermitRootLogin | ||
| 9 | information leakage due to PAM issues with upstream's recent security | ||
| 10 | update (thanks, Darren Tucker; closes: #99168, #192207, #193546). | ||
| 8 | * Policy version 3.6.1: recode this changelog to UTF-8. | 11 | * Policy version 3.6.1: recode this changelog to UTF-8. |
| 9 | 12 | ||
| 10 | -- Colin Watson <cjwatson@debian.org> Mon, 1 Sep 2003 23:56:57 +0100 | 13 | -- Colin Watson <cjwatson@debian.org> Mon, 1 Sep 2003 23:56:57 +0100 |