summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog7
-rw-r--r--auth-pam.c12
2 files changed, 16 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index f3f2fc350..6782c0f2a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
120040530 120040530
2 - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c]: Bug #874: Re-add PAM 2 - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c] Bug #874: Re-add PAM
3 support for PasswordAuthentication=yes. ok djm@ 3 support for PasswordAuthentication=yes. ok djm@
4 - (dtucker) [auth-pam.c] Use an invalid password for root if
5 PermitRootLogin != yes or the login is invalid, to prevent leaking
6 information. Based on Openwall's owl-always-auth patch. ok djm@
4 7
520040527 820040527
6 - (dtucker) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec 9 - (dtucker) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec
@@ -1167,4 +1170,4 @@
1167 - (djm) Trim deprecated options from INSTALL. Mention UsePAM 1170 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
1168 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu 1171 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
1169 1172
1170$Id: ChangeLog,v 1.3369 2004/05/30 10:43:59 dtucker Exp $ 1173$Id: ChangeLog,v 1.3370 2004/05/30 12:04:56 dtucker Exp $
diff --git a/auth-pam.c b/auth-pam.c
index 8de90a37a..b6fc49ee8 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
31 31
32/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ 32/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
33#include "includes.h" 33#include "includes.h"
34RCSID("$Id: auth-pam.c,v 1.103 2004/05/30 10:43:59 dtucker Exp $"); 34RCSID("$Id: auth-pam.c,v 1.104 2004/05/30 12:04:56 dtucker Exp $");
35 35
36#ifdef USE_PAM 36#ifdef USE_PAM
37#if defined(HAVE_SECURITY_PAM_APPL_H) 37#if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -1021,6 +1021,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
1021{ 1021{
1022 int flags = (options.permit_empty_passwd == 0 ? 1022 int flags = (options.permit_empty_passwd == 0 ?
1023 PAM_DISALLOW_NULL_AUTHTOK : 0); 1023 PAM_DISALLOW_NULL_AUTHTOK : 0);
1024 static char badpw[] = "\b\n\r\177INCORRECT";
1024 1025
1025 if (!options.use_pam || sshpam_handle == NULL) 1026 if (!options.use_pam || sshpam_handle == NULL)
1026 fatal("PAM: %s called when PAM disabled or failed to " 1027 fatal("PAM: %s called when PAM disabled or failed to "
@@ -1029,6 +1030,15 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
1029 sshpam_password = password; 1030 sshpam_password = password;
1030 sshpam_authctxt = authctxt; 1031 sshpam_authctxt = authctxt;
1031 1032
1033 /*
1034 * If the user logging in is invalid, or is root but is not permitted
1035 * by PermitRootLogin, use an invalid password to prevent leaking
1036 * information via timing (eg if the PAM config has a delay on fail).
1037 */
1038 if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
1039 options.permit_root_login != PERMIT_YES))
1040 sshpam_password = badpw;
1041
1032 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, 1042 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
1033 (const void *)&passwd_conv); 1043 (const void *)&passwd_conv);
1034 if (sshpam_err != PAM_SUCCESS) 1044 if (sshpam_err != PAM_SUCCESS)