From 39d9195514df907a6f1eb6fc10688860af83f43b Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Wed, 3 Sep 2003 00:30:53 +0000
Subject: Fix login delay, spurious auth.log entry, and PermitRootLogin information leakage due to PAM issues with upstream's recent security update (thanks, Darren Tucker; closes: #99168, #192207, #193546).
---
 auth-passwd.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'auth-passwd.c')
diff --git a/auth-passwd.c b/auth-passwd.c
index 62ea3a52d..2307c1e5e 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -125,6 +125,14 @@ auth_password(Authctxt *authctxt, const char *password)
 ok = 0;
 #if defined(USE_PAM)
+ /*
+ * If the user logging in is root and RootLogin=no, always attempt
+ * an invalid root login to prevent leaking timing information
+ */
+ if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) {
+ auth_pam_password(authctxt, "\b\n\r\177INCORRECT");
+ return 0;
+ }
 return auth_pam_password(authctxt, password) && ok;
 #elif defined(HAVE_OSF_SIA)
 if (!ok)
-- cgit v1.2.3
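Review bot: The new comment in the USE_PAM branch names an option `RootLogin=no` that does not match the test beneath it, which is `options.permit_root_login != PERMIT_YES` and therefore applies to every PermitRootLogin setting other than yes. It also leaves out why the real password must never reach PAM on this path: presumably a correct root password would otherwise take PAM's success path and differ in timing or logging from a wrong one, even though the login is refused. I would reword it to `/* Root password logins are refused unless PermitRootLogin=yes; give PAM a password that cannot match so a correct guess is indistinguishable from a wrong one. */` and give the literal `"\b\n\r\177INCORRECT"` a descriptive name so the intent is visible at the call site. auth_password() begins and ends outside the hunk, so how `pw` and `ok` are set before this point cannot be checked from here.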