-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | auth-pam.c | 26 | ||||
-rw-r--r-- | cipher-ctr.c | 2 | ||||
-rw-r--r-- | cipher.c | 2 |
4 files changed, 24 insertions, 13 deletions
@@ -30,6 +30,11 @@ | |||
30 | behaviour for bsdauth is maintained by checking authctxt->valid in the | 30 | behaviour for bsdauth is maintained by checking authctxt->valid in the |
31 | bsdauth driver. Note that any third-party kbdint drivers will now need | 31 | bsdauth driver. Note that any third-party kbdint drivers will now need |
32 | to be able to handle responses for invalid logins. ok markus@ | 32 | to be able to handle responses for invalid logins. ok markus@ |
33 | - djm@cvs.openbsd.org 2004/12/22 02:13:19 | ||
34 | [cipher-ctr.c cipher.c] | ||
35 | remove fallback AES support for old OpenSSL, as OpenBSD has had it for | ||
36 | many years now; ok deraadt@ | ||
37 | (Id sync only: Portable will continue to support older OpenSSLs) | ||
33 | - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user | 38 | - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user |
34 | existence via keyboard-interactive/pam, in conjunction with previous | 39 | existence via keyboard-interactive/pam, in conjunction with previous |
35 | auth2-chall.c change; with Colin Watson and djm. | 40 | auth2-chall.c change; with Colin Watson and djm. |
@@ -2005,4 +2010,4 @@ | |||
2005 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 2010 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
2006 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 2011 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
2007 | 2012 | ||
2008 | $Id: ChangeLog,v 1.3617 2005/01/20 01:43:38 dtucker Exp $ | 2013 | $Id: ChangeLog,v 1.3618 2005/01/20 02:27:56 dtucker Exp $ |
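--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -245,6 +245,17 @@ sshpam_password_change_required(int reqd)
 }
 }
 
+/* Check ssh internal flags in addition to PAM */
+
+static int
+sshpam_login_allowed(Authctxt *ctxt)
+{
+if (ctxt->valid && (ctxt->pw->pw_uid != 0 ||
+options.permit_root_login == PERMIT_YES))
+return 1;
+return 0;
+}
+
 /* Import regular and PAM environment from subprocess */
 static void
 import_environments(Buffer *b)
@@ -702,9 +713,7 @@ sshpam_query(void *ctx, char **name, char **info,
 **prompts = NULL;
 }
 if (type == PAM_SUCCESS) {
-if (!sshpam_authctxt->valid ||
-(sshpam_authctxt->pw->pw_uid == 0 &&
-options.permit_root_login != PERMIT_YES))
+if (!sshpam_login_allowed(sshpam_authctxt))
 fatal("Internal error: PAM auth "
 "succeeded when it should have "
 "failed");
@@ -753,9 +762,7 @@ sshpam_respond(void *ctx, u_int num, char **resp)
 return (-1);
 }
 buffer_init(&buffer);
-if (sshpam_authctxt->valid &&
-(sshpam_authctxt->pw->pw_uid != 0 ||
-options.permit_root_login == PERMIT_YES))
+if (sshpam_login_allowed(sshpam_authctxt))
 buffer_put_cstring(&buffer, *resp);
 else
 buffer_put_cstring(&buffer, badpw);
@@ -1118,8 +1125,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 * by PermitRootLogin, use an invalid password to prevent leaking
 * information via timing (eg if the PAM config has a delay on fail).
 */
-if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
-options.permit_root_login != PERMIT_YES))
+if (!sshpam_login_allowed(authctxt))
 sshpam_password = badpw;
 
 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
@@ -1130,7 +1136,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 
 sshpam_err = pam_authenticate(sshpam_handle, flags);
 sshpam_password = NULL;
-if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) {
 debug("PAM: password authentication accepted for %.100s",
 authctxt->user);
 return 1;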
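Review bot: The one-line comment above `sshpam_login_allowed()` does not state the policy the helper now enforces at four call sites: it returns 1 only when `ctxt->valid` is set and the account is either non-root or `options.permit_root_login == PERMIT_YES`, so every other PermitRootLogin setting is treated as a denial for PAM password and keyboard-interactive auth. I would expand it to say that, and to say that callers must still run the PAM conversation with `badpw` rather than return early, since the existing comment in `sshpam_auth_passwd()` shows the substitution is there to avoid a timing leak. The helper also dereferences `ctxt->pw` whenever `ctxt->valid` is true; that presumably holds because a valid context always carries a passwd entry, but the Authctxt setup is outside this page, so a short `/* valid implies pw != NULL */` remark would make the dependency explicit. The bodies of `sshpam_query()`, `sshpam_respond()` and `sshpam_auth_passwd()` start and end outside their hunks.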
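--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -14,7 +14,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: cipher-ctr.c,v 1.4 2004/02/06 23:41:13 dtucker Exp $");
+RCSID("$OpenBSD: cipher-ctr.c,v 1.5 2004/12/22 02:13:19 djm Exp $");
 
 #include <openssl/evp.h>
 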
@@ -35,7 +35,7 @@ | |||
35 | */ | 35 | */ |
36 | 36 | ||
37 | #include "includes.h" | 37 | #include "includes.h" |
38 | RCSID("$OpenBSD: cipher.c,v 1.71 2004/07/28 09:40:29 markus Exp $"); | 38 | RCSID("$OpenBSD: cipher.c,v 1.72 2004/12/22 02:13:19 djm Exp $"); |
39 | 39 | ||
40 | #include "xmalloc.h" | 40 | #include "xmalloc.h" |
41 | #include "log.h" | 41 | #include "log.h" |