From 1f7e40864faa5632696718ea6950ebdb4df41ce5 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Thu, 1 Jul 2004 14:00:14 +1000
Subject:  - (dtucker) [auth-pam.c] Bug #559 (last piece): Pass
 DISALLOW_NULL_AUTHTOK    to pam_authenticate for challenge-response auth too.
  Originally from    fcusack at fcusack.com, ok djm@

---
 ChangeLog  | 5 ++++-
 auth-pam.c | 6 ++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 20c907883..bfd90349e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,9 @@
    Ensures messages from PAM modules are displayed when privsep=no.
  - (dtucker) [auth-pam.c] Bug #705: Make arguments match PAM specs, fixes
    warnings on compliant platforms.  From paul.a.bolton at bt.com.  ok djm@
+ - (dtucker) [auth-pam.c] Bug #559 (last piece): Pass DISALLOW_NULL_AUTHTOK
+   to pam_authenticate for challenge-response auth too.  Originally from
+   fcusack at fcusack.com, ok djm@
 
 20040630
  - (dtucker) [auth-pam.c] Check for buggy PAM modules that return a NULL
@@ -1471,4 +1474,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3465 2004/07/01 02:38:14 dtucker Exp $
+$Id: ChangeLog,v 1.3466 2004/07/01 04:00:14 dtucker Exp $
diff --git a/auth-pam.c b/auth-pam.c
index 67f6ac0d8..36a719fbb 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.109 2004/07/01 02:38:15 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.110 2004/07/01 04:00:15 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -356,6 +356,8 @@ sshpam_thread(void *ctxtp)
 	struct pam_ctxt *ctxt = ctxtp;
 	Buffer buffer;
 	struct pam_conv sshpam_conv;
+	int flags = (options.permit_empty_passwd == 0 ?
+	    PAM_DISALLOW_NULL_AUTHTOK : 0);
 #ifndef USE_POSIX_THREADS
 	extern char **environ;
 	char **env_from_pam;
@@ -378,7 +380,7 @@ sshpam_thread(void *ctxtp)
 	    (const void *)&sshpam_conv);
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;
-	sshpam_err = pam_authenticate(sshpam_handle, 0);
+	sshpam_err = pam_authenticate(sshpam_handle, flags);
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;
 
-- 
cgit v1.2.3