summaryrefslogtreecommitdiff
path: root/auth-pam.c
AgeCommit message (Collapse)Author
2016-07-18Handle PAM_MAXTRIES from modules.Darren Tucker
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer password and keyboard-interative authentication methods. Should prevent "sshd ignoring max retries" warnings in the log. ok djm@ It probably won't trigger with keyboard-interactive in the default configuration because the retry counter is stored in module-private storage which goes away with the sshd PAM process (see bz#688). On the other hand, those cases probably won't log a warning either.
2016-07-15Mitigate timing of disallowed users PAM logins.Darren Tucker
When sshd decides to not allow a login (eg PermitRootLogin=no) and it's using PAM, it sends a fake password to PAM so that the timing for the failure is not noticeably different whether or not the password is correct. This behaviour can be detected by sending a very long password string which is slower to hash than the fake password. Mitigate by constructing an invalid password that is the same length as the one from the client and thus takes the same time to hash. Diff from djm@
2016-06-17Remove duplicate code from PAM. ok djm@Darren Tucker
2016-05-20Fix comment about sshpam_const and AIX.Darren Tucker
From mschwager via github.
2016-03-08unbreak PAM after canohost refactorDamien Miller
2016-02-05avoid FreeBSD RCS Id in commentDamien Miller
Change old $FreeBSD version string in comment so it doesn't become an RCS ident downstream; requested by des AT des.no
2015-04-30xrealloc -> xreallocarray in portable code too.Darren Tucker
2013-12-19 - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item().Darren Tucker
Patch from Loganaden Velvindron.
2013-06-02 - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.cDarren Tucker
groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c openbsd-compat/port-linux.c] Replace portable-specific instances of xfree with the equivalent calls to free.
2009-07-12 - (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials onDarren Tucker
logout to after the session close. Patch from Anicka Bernathova, ok djm.
2008-03-11 - (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: MoveDarren Tucker
pam_open_session and pam_close_session into the privsep monitor, which will ensure that pam_session_close is called as root. Patch from Tomas Mraz.
2007-08-10 - (dtucker) [auth-pam.c] Use sigdie here too. ok djm@Darren Tucker
2007-05-20 - (dtucker) [auth-pam.c] Return empty string if fgets fails inDarren Tucker
sshpam_tty_conv. Patch from ldv at altlinux.org.
2007-05-20 - (dtucker) [auth-pam.c] malloc+memset -> calloc. Patch fromDarren Tucker
ldv at altlinux.org.
2006-09-17 - (dtucker) [auth-pam.c] Propogate TZ environment variable to PAM authDarren Tucker
process so that any logging it does is with the right timezone. From Scott Strickler, ok djm@.
2006-09-01 - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]Damien Miller
[auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c] [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c] [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c] [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c] [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c] [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c] [sshconnect1.c sshconnect2.c sshd.c rc4.diff] [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c] [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c] [openbsd-compat/port-uw.c] Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h; compile problems reported by rac AT tenzing.org
2006-08-05 - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]Damien Miller
[openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more includes for Linux in
2006-08-05 - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]Damien Miller
remove last traces of bufaux.h - it was merged into buffer.h in the big includes.h commit
2006-08-05 - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.cDamien Miller
2006-07-24 - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]Damien Miller
[canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c] [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c] [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c] [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c] [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c] [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c] [openbsd-compat/mktemp.c openbsd-compat/port-linux.c] [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c] [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c] make the portable tree compile again - sprinkle unistd.h and string.h back in. Don't redefine __unused, as it turned out to be used in headers on Linux, and replace its use in auth-pam.c with ARGSUSED
2006-07-13 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.hDarren Tucker
2006-05-15 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back andDarren Tucker
do not allow kbdint again after the PAM account check fails. ok djm@
2006-05-04 - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.cDarren Tucker
session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar) in Portable-only code; since calloc zeros, remove now-redundant memsets. Also add a couple of sanity checks. With & ok djm@
2006-03-26 - djm@cvs.openbsd.org 2006/03/25 01:13:23Damien Miller
[buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c] [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c] [uidswap.c] change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to xrealloc(p, new_nmemb, new_itemsize). realloc is particularly prone to integer overflows because it is almost always allocating "n * size" bytes, so this is a far safer API; ok deraadt@
2006-03-26 - deraadt@cvs.openbsd.org 2006/03/19 18:51:18Damien Miller
[atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c] [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c] [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c] [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c] [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c] [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c] [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c] [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c] [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c] [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c] [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c] [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c] [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c] [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c] [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c] [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c] [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c] [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c] RCSID() can die
2006-03-18- (djm) [auth-pam.c] Fix memleak in error path, from Coverity viaDamien Miller
elad AT NetBSD.org
2006-03-15 - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c]Damien Miller
[sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c] [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c] [openbsd-compat/glob.c openbsd-compat/mktemp.c] [openbsd-compat/readpassphrase.c] Lots of include fixes for OpenSolaris
2006-01-29Correct format in debug messageDarren Tucker
2005-09-28 - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages fromDarren Tucker
PAM via keyboard-interactive. Patch tested by the folks at Vintela.
2005-07-17 - (djm) [auth-pam.c sftp.c] spaces vs. tabs at start of lineDamien Miller
2005-07-17 - (djm) [acss.c auth-pam.c auth-shadow.c auth-skey.c auth1.c canohost.c]Damien Miller
[cipher-acss.c loginrec.c ssh-rand-helper.c sshd.c] Fix whitespace at EOL in portable too ("perl -p -i -e 's/\s+$/\n/' *.[ch]")
2005-07-16 - (dtucker) [auth-pam.c] Ensure that only one side of the authenticationDarren Tucker
socketpair stays open on in both the monitor and PAM process. Patch from Joerg Sonnenberger.
2005-05-26 - (dtucker) [auth-pam.c] Bug #1033: Fix warnings building with PAM on Linux:Darren Tucker
warning: dereferencing type-punned pointer will break strict-aliasing rules warning: passing arg 3 of `pam_get_item' from incompatible pointer type The type-punned pointer fix is based on a patch from SuSE's rpm. ok djm@
2005-05-25 - (dtucker) [auth-pam.c] Since people don't seem to be getting the messageDarren Tucker
that USE_POSIX_THREADS is unsupported, not recommended and generally a bad idea, it is now known as UNSUPPORTED_POSIX_THREADS_HACK. Attempting to use USE_POSIX_THREADS will now generate an error so we don't silently change behaviour. ok djm@
2005-01-20Oops, did not intend to commit this yetDarren Tucker
2005-01-20 - djm@cvs.openbsd.org 2004/12/22 02:13:19Darren Tucker
[cipher-ctr.c cipher.c] remove fallback AES support for old OpenSSL, as OpenBSD has had it for many years now; ok deraadt@ (Id sync only: Portable will continue to support older OpenSSLs)
2005-01-20 - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about userDarren Tucker
existence via keyboard-interactive/pam, in conjunction with previous auth2-chall.c change; with Colin Watson and djm.
2004-10-16 - (djm) [auth-pam.c] snprintf->strl*, fix server message length calculationsDamien Miller
2004-09-11 - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]Darren Tucker
Bug #892: Send messages from failing PAM account modules to the client via SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with SSH2 kbdint authentication, which need to be dealt with separately. ok djm@
2004-09-11 - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change.Darren Tucker
2004-09-11 - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output fromDarren Tucker
failing PAM session modules to user then exit, similar to the way /etc/nologin is handled. ok djm@
2004-08-16 - (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-rootDarren Tucker
to convince Solaris PAM to honour password complexity rules. ok djm@
2004-07-21 - (djm) [auth-pam.c] Portable parts of bz#899: Don't display invalidDamien Miller
usernames in setproctitle from peak AT argo.troja.mff.cuni.cz;
2004-07-19 - (djm) [auth-pam.c] Avoid use of xstrdup and friends in conversation function,Damien Miller
instead return PAM_CONV_ERR, avoiding another path to fatal(); ok dtucker@
2004-07-11 - (dtucker) [auth-pam.c] Check for zero from waitpid() too, which allowsDarren Tucker
the monitor to properly clean up the PAM thread (Debian bug #252676).
2004-07-01 - (dtucker) [auth-pam.c] Bug #559 (last piece): Pass DISALLOW_NULL_AUTHTOKDarren Tucker
to pam_authenticate for challenge-response auth too. Originally from fcusack at fcusack.com, ok djm@
2004-07-01 - (dtucker) [auth-pam.c] Bug #705: Make arguments match PAM specs, fixesDarren Tucker
warnings on compliant platforms. From paul.a.bolton at bt.com. ok djm@
2004-06-30 - (dtucker) [auth-pam.c] Check for buggy PAM modules that return a NULLDarren Tucker
appdata_ptr to the conversation function. ok djm@ By rights we should free the messages too, but if this happens then one of the modules has already proven itself to be buggy so can we trust the messages?
2004-06-19 - (dtucker) [auth-pam.c] Don't use PAM namespace forDarren Tucker
pam_password_change_required either.
2004-06-03 - (dtucker) [auth-pam.c] Don't use pam_* namespace for sshd's PAM functions.Darren Tucker
ok djm@