From 1f7e40864faa5632696718ea6950ebdb4df41ce5 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 1 Jul 2004 14:00:14 +1000 Subject: [PATCH] - (dtucker) [auth-pam.c] Bug #559 (last piece): Pass DISALLOW_NULL_AUTHTOK to pam_authenticate for challenge-response auth too. Originally from fcusack at fcusack.com, ok djm@ --- ChangeLog | 5 ++++- auth-pam.c | 6 ++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 20c907883..bfd90349e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ Ensures messages from PAM modules are displayed when privsep=no. - (dtucker) [auth-pam.c] Bug #705: Make arguments match PAM specs, fixes warnings on compliant platforms. From paul.a.bolton at bt.com. ok djm@ + - (dtucker) [auth-pam.c] Bug #559 (last piece): Pass DISALLOW_NULL_AUTHTOK + to pam_authenticate for challenge-response auth too. Originally from + fcusack at fcusack.com, ok djm@ 20040630 - (dtucker) [auth-pam.c] Check for buggy PAM modules that return a NULL @@ -1471,4 +1474,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3465 2004/07/01 02:38:14 dtucker Exp $ +$Id: ChangeLog,v 1.3466 2004/07/01 04:00:14 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 67f6ac0d8..36a719fbb 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.109 2004/07/01 02:38:15 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.110 2004/07/01 04:00:15 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -356,6 +356,8 @@ sshpam_thread(void *ctxtp) struct pam_ctxt *ctxt = ctxtp; Buffer buffer; struct pam_conv sshpam_conv; + int flags = (options.permit_empty_passwd == 0 ? + PAM_DISALLOW_NULL_AUTHTOK : 0); #ifndef USE_POSIX_THREADS extern char **environ; char **env_from_pam; @@ -378,7 +380,7 @@ sshpam_thread(void *ctxtp) (const void *)&sshpam_conv); if (sshpam_err != PAM_SUCCESS) goto auth_fail; - sshpam_err = pam_authenticate(sshpam_handle, 0); + sshpam_err = pam_authenticate(sshpam_handle, flags); if (sshpam_err != PAM_SUCCESS) goto auth_fail;