1 files changed, 8 insertions, 0 deletions
diff --git a/auth-passwd.c b/auth-passwd.c
index 62ea3a52d..2307c1e5e 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -125,6 +125,14 @@ auth_password(Authctxt *authctxt, const char *password)
                ok = 0;
 #if defined(USE_PAM)
+        /*
+         * If the user logging in is root and RootLogin=no, always attempt
+         * an invalid root login to prevent leaking timing information
+         */
+        if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) {
+                auth_pam_password(authctxt, "\b\n\r\177INCORRECT");
+                return 0;
+        }
        return auth_pam_password(authctxt, password) && ok;
 #elif defined(HAVE_OSF_SIA)
        if (!ok)

diff --git a/auth-passwd.c b/auth-passwd.c index 62ea3a52d..2307c1e5e 100644 --- a/auth-passwd.c +++ b/auth-passwd.c
@@ -125,6 +125,14 @@ auth_password(Authctxt authctxt, const char password)
125	ok = 0;	125	ok = 0;
126		126
127	#if defined(USE_PAM)	127	#if defined(USE_PAM)
		128	/*
		129	* If the user logging in is root and RootLogin=no, always attempt
		130	* an invalid root login to prevent leaking timing information
		131	*/
		132	if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) {
		133	auth_pam_password(authctxt, "\b\n\r\177INCORRECT");
		134	return 0;
		135	}
128	return auth_pam_password(authctxt, password) && ok;	136	return auth_pam_password(authctxt, password) && ok;
129	#elif defined(HAVE_OSF_SIA)	137	#elif defined(HAVE_OSF_SIA)
130	if (!ok)	138	if (!ok)