diff options
Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/auth-pam.c b/auth-pam.c index 8de90a37a..b6fc49ee8 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
@@ -31,7 +31,7 @@ | |||
31 | 31 | ||
32 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ | 32 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ |
33 | #include "includes.h" | 33 | #include "includes.h" |
34 | RCSID("$Id: auth-pam.c,v 1.103 2004/05/30 10:43:59 dtucker Exp $"); | 34 | RCSID("$Id: auth-pam.c,v 1.104 2004/05/30 12:04:56 dtucker Exp $"); |
35 | 35 | ||
36 | #ifdef USE_PAM | 36 | #ifdef USE_PAM |
37 | #if defined(HAVE_SECURITY_PAM_APPL_H) | 37 | #if defined(HAVE_SECURITY_PAM_APPL_H) |
@@ -1021,6 +1021,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) | |||
1021 | { | 1021 | { |
1022 | int flags = (options.permit_empty_passwd == 0 ? | 1022 | int flags = (options.permit_empty_passwd == 0 ? |
1023 | PAM_DISALLOW_NULL_AUTHTOK : 0); | 1023 | PAM_DISALLOW_NULL_AUTHTOK : 0); |
1024 | static char badpw[] = "\b\n\r\177INCORRECT"; | ||
1024 | 1025 | ||
1025 | if (!options.use_pam || sshpam_handle == NULL) | 1026 | if (!options.use_pam || sshpam_handle == NULL) |
1026 | fatal("PAM: %s called when PAM disabled or failed to " | 1027 | fatal("PAM: %s called when PAM disabled or failed to " |
@@ -1029,6 +1030,15 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) | |||
1029 | sshpam_password = password; | 1030 | sshpam_password = password; |
1030 | sshpam_authctxt = authctxt; | 1031 | sshpam_authctxt = authctxt; |
1031 | 1032 | ||
1033 | /* | ||
1034 | * If the user logging in is invalid, or is root but is not permitted | ||
1035 | * by PermitRootLogin, use an invalid password to prevent leaking | ||
1036 | * information via timing (eg if the PAM config has a delay on fail). | ||
1037 | */ | ||
1038 | if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && | ||
1039 | options.permit_root_login != PERMIT_YES)) | ||
1040 | sshpam_password = badpw; | ||
1041 | |||
1032 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | 1042 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, |
1033 | (const void *)&passwd_conv); | 1043 | (const void *)&passwd_conv); |
1034 | if (sshpam_err != PAM_SUCCESS) | 1044 | if (sshpam_err != PAM_SUCCESS) |