From 8095a8026b060fdfb9a0c268ff61752bdf688a10 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Sun, 28 Nov 2004 12:38:37 +0000
Subject: Make sure that there's a delay in PAM keyboard-interactive authentication when PermitRootLogin is not set to yes and the correct root password is entered (closes: #248747).
---
 auth-pam.c | 4 +++-
 debian/changelog | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/auth-pam.c b/auth-pam.c
index ec3b74951..9be57dacd 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -645,7 +645,9 @@ sshpam_respond(void *ctx, u_int num, char **resp)
 return (-1);
 }
 buffer_init(&buffer);
- if (sshpam_authctxt->valid)
+ if (sshpam_authctxt->valid &&
+ (sshpam_authctxt->pw->pw_uid != 0 ||
+ options.permit_root_login == PERMIT_YES))
 buffer_put_cstring(&buffer, *resp);
 else
 buffer_put_cstring(&buffer, badpw);
diff --git a/debian/changelog b/debian/changelog
index 8693c48ef..ba873c472 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ openssh (1:3.8.1p1-8.sarge.4) UNRELEASED; urgency=high
 * Fix timing information leak allowing discovery of invalid usernames in PAM keyboard-interactive authentication (backported from a patch by Darren Tucker; closes: #281595).
+ * Make sure that there's a delay in PAM keyboard-interactive
+ authentication when PermitRootLogin is not set to yes and the correct
+ root password is entered (closes: #248747).
 -- Colin Watson Sun, 28 Nov 2004 12:12:55 +0000
-- cgit v1.2.3
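Review bot: The widened `if` in sshpam_respond has no comment explaining why a valid root user's response is swapped for `badpw`, and without it the test reads like a second copy of the root-login policy rather than a timing defence. I would put this above the `if`: `/* Give PAM a bad password for invalid users and for root unless PermitRootLogin is yes, so that a correct password fails with the same delay as a wrong one. */`. Every setting other than `PERMIT_YES` takes the `badpw` path for uid 0, which matches the commit subject, but the comment should say so in case a restricted-root setting is ever meant to pass keyboard-interactive. The condition also dereferences `sshpam_authctxt->pw` guarded only by `valid`; that presumably implies a non-NULL `pw`, but the hunk does not show where `valid` is set. The body of sshpam_respond starts and ends outside the hunk.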