summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog5
-rw-r--r--auth-pam.c17
2 files changed, 18 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index cef110384..19101efd6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,9 @@
30 behaviour for bsdauth is maintained by checking authctxt->valid in the 30 behaviour for bsdauth is maintained by checking authctxt->valid in the
31 bsdauth driver. Note that any third-party kbdint drivers will now need 31 bsdauth driver. Note that any third-party kbdint drivers will now need
32 to be able to handle responses for invalid logins. ok markus@ 32 to be able to handle responses for invalid logins. ok markus@
33 - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
34 existence via keyboard-interactive/pam, in conjunction with previous
35 auth2-chall.c change; with Colin Watson and djm.
33 36
3420050118 3720050118
35 - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement 38 - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
@@ -2002,4 +2005,4 @@
2002 - (djm) Trim deprecated options from INSTALL. Mention UsePAM 2005 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
2003 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu 2006 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
2004 2007
2005$Id: ChangeLog,v 1.3616 2005/01/20 00:05:34 dtucker Exp $ 2008$Id: ChangeLog,v 1.3617 2005/01/20 01:43:38 dtucker Exp $
diff --git a/auth-pam.c b/auth-pam.c
index a1b26cc59..996964fcd 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
47 47
48/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ 48/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
49#include "includes.h" 49#include "includes.h"
50RCSID("$Id: auth-pam.c,v 1.118 2004/10/16 08:52:44 djm Exp $"); 50RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $");
51 51
52#ifdef USE_PAM 52#ifdef USE_PAM
53#if defined(HAVE_SECURITY_PAM_APPL_H) 53#if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -186,6 +186,7 @@ static int sshpam_account_status = -1;
186static char **sshpam_env = NULL; 186static char **sshpam_env = NULL;
187static Authctxt *sshpam_authctxt = NULL; 187static Authctxt *sshpam_authctxt = NULL;
188static const char *sshpam_password = NULL; 188static const char *sshpam_password = NULL;
189static char badpw[] = "\b\n\r\177INCORRECT";
189 190
190/* Some PAM implementations don't implement this */ 191/* Some PAM implementations don't implement this */
191#ifndef HAVE_PAM_GETENVLIST 192#ifndef HAVE_PAM_GETENVLIST
@@ -701,6 +702,12 @@ sshpam_query(void *ctx, char **name, char **info,
701 **prompts = NULL; 702 **prompts = NULL;
702 } 703 }
703 if (type == PAM_SUCCESS) { 704 if (type == PAM_SUCCESS) {
705 if (!sshpam_authctxt->valid ||
706 (sshpam_authctxt->pw->pw_uid == 0 &&
707 options.permit_root_login != PERMIT_YES))
708 fatal("Internal error: PAM auth "
709 "succeeded when it should have "
710 "failed");
704 import_environments(&buffer); 711 import_environments(&buffer);
705 *num = 0; 712 *num = 0;
706 **echo_on = 0; 713 **echo_on = 0;
@@ -746,7 +753,12 @@ sshpam_respond(void *ctx, u_int num, char **resp)
746 return (-1); 753 return (-1);
747 } 754 }
748 buffer_init(&buffer); 755 buffer_init(&buffer);
749 buffer_put_cstring(&buffer, *resp); 756 if (sshpam_authctxt->valid &&
757 (sshpam_authctxt->pw->pw_uid != 0 ||
758 options.permit_root_login == PERMIT_YES))
759 buffer_put_cstring(&buffer, *resp);
760 else
761 buffer_put_cstring(&buffer, badpw);
750 if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { 762 if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
751 buffer_free(&buffer); 763 buffer_free(&buffer);
752 return (-1); 764 return (-1);
@@ -1093,7 +1105,6 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
1093{ 1105{
1094 int flags = (options.permit_empty_passwd == 0 ? 1106 int flags = (options.permit_empty_passwd == 0 ?
1095 PAM_DISALLOW_NULL_AUTHTOK : 0); 1107 PAM_DISALLOW_NULL_AUTHTOK : 0);
1096 static char badpw[] = "\b\n\r\177INCORRECT";
1097 1108
1098 if (!options.use_pam || sshpam_handle == NULL) 1109 if (!options.use_pam || sshpam_handle == NULL)
1099 fatal("PAM: %s called when PAM disabled or failed to " 1110 fatal("PAM: %s called when PAM disabled or failed to "