- (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
existence via keyboard-interactive/pam, in conjunction with previous auth2-chall.c change; with Colin Watson and djm.
parent
611649ebf0
commit
36a3d60347
|
@ -30,6 +30,9 @@
|
||||||
behaviour for bsdauth is maintained by checking authctxt->valid in the
|
behaviour for bsdauth is maintained by checking authctxt->valid in the
|
||||||
bsdauth driver. Note that any third-party kbdint drivers will now need
|
bsdauth driver. Note that any third-party kbdint drivers will now need
|
||||||
to be able to handle responses for invalid logins. ok markus@
|
to be able to handle responses for invalid logins. ok markus@
|
||||||
|
- (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
|
||||||
|
existence via keyboard-interactive/pam, in conjunction with previous
|
||||||
|
auth2-chall.c change; with Colin Watson and djm.
|
||||||
|
|
||||||
20050118
|
20050118
|
||||||
- (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
|
- (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
|
||||||
|
@ -2002,4 +2005,4 @@
|
||||||
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
||||||
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
||||||
|
|
||||||
$Id: ChangeLog,v 1.3616 2005/01/20 00:05:34 dtucker Exp $
|
$Id: ChangeLog,v 1.3617 2005/01/20 01:43:38 dtucker Exp $
|
||||||
|
|
15
auth-pam.c
15
auth-pam.c
|
@ -47,7 +47,7 @@
|
||||||
|
|
||||||
/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
|
/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: auth-pam.c,v 1.118 2004/10/16 08:52:44 djm Exp $");
|
RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $");
|
||||||
|
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
#if defined(HAVE_SECURITY_PAM_APPL_H)
|
#if defined(HAVE_SECURITY_PAM_APPL_H)
|
||||||
|
@ -186,6 +186,7 @@ static int sshpam_account_status = -1;
|
||||||
static char **sshpam_env = NULL;
|
static char **sshpam_env = NULL;
|
||||||
static Authctxt *sshpam_authctxt = NULL;
|
static Authctxt *sshpam_authctxt = NULL;
|
||||||
static const char *sshpam_password = NULL;
|
static const char *sshpam_password = NULL;
|
||||||
|
static char badpw[] = "\b\n\r\177INCORRECT";
|
||||||
|
|
||||||
/* Some PAM implementations don't implement this */
|
/* Some PAM implementations don't implement this */
|
||||||
#ifndef HAVE_PAM_GETENVLIST
|
#ifndef HAVE_PAM_GETENVLIST
|
||||||
|
@ -701,6 +702,12 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||||
**prompts = NULL;
|
**prompts = NULL;
|
||||||
}
|
}
|
||||||
if (type == PAM_SUCCESS) {
|
if (type == PAM_SUCCESS) {
|
||||||
|
if (!sshpam_authctxt->valid ||
|
||||||
|
(sshpam_authctxt->pw->pw_uid == 0 &&
|
||||||
|
options.permit_root_login != PERMIT_YES))
|
||||||
|
fatal("Internal error: PAM auth "
|
||||||
|
"succeeded when it should have "
|
||||||
|
"failed");
|
||||||
import_environments(&buffer);
|
import_environments(&buffer);
|
||||||
*num = 0;
|
*num = 0;
|
||||||
**echo_on = 0;
|
**echo_on = 0;
|
||||||
|
@ -746,7 +753,12 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||||
return (-1);
|
return (-1);
|
||||||
}
|
}
|
||||||
buffer_init(&buffer);
|
buffer_init(&buffer);
|
||||||
|
if (sshpam_authctxt->valid &&
|
||||||
|
(sshpam_authctxt->pw->pw_uid != 0 ||
|
||||||
|
options.permit_root_login == PERMIT_YES))
|
||||||
buffer_put_cstring(&buffer, *resp);
|
buffer_put_cstring(&buffer, *resp);
|
||||||
|
else
|
||||||
|
buffer_put_cstring(&buffer, badpw);
|
||||||
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
|
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
|
||||||
buffer_free(&buffer);
|
buffer_free(&buffer);
|
||||||
return (-1);
|
return (-1);
|
||||||
|
@ -1093,7 +1105,6 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
|
||||||
{
|
{
|
||||||
int flags = (options.permit_empty_passwd == 0 ?
|
int flags = (options.permit_empty_passwd == 0 ?
|
||||||
PAM_DISALLOW_NULL_AUTHTOK : 0);
|
PAM_DISALLOW_NULL_AUTHTOK : 0);
|
||||||
static char badpw[] = "\b\n\r\177INCORRECT";
|
|
||||||
|
|
||||||
if (!options.use_pam || sshpam_handle == NULL)
|
if (!options.use_pam || sshpam_handle == NULL)
|
||||||
fatal("PAM: %s called when PAM disabled or failed to "
|
fatal("PAM: %s called when PAM disabled or failed to "
|
||||||
|
|
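Review bot: The new guard in sshpam_respond (the `if (sshpam_authctxt->valid && ...)` block that substitutes `badpw` for `*resp`) and its counterpart check in sshpam_query that calls `fatal()` on PAM_SUCCESS carry no comment tying them together, and the file-scope `badpw` definition is likewise undocumented, so a later change could drop the substitution or loosen the `fatal()` without seeing that they are two halves of the same anti-enumeration measure. I would add above the `badpw` definition `/* Substituted for the client's response when the user is invalid or root login is not permitted, so the PAM conversation runs to completion without revealing whether the account exists. */`, and above the `fatal()` in sshpam_query `/* sshpam_respond fed PAM badpw for this case, so success here means the PAM stack accepted a deliberately bogus token. */`. The substitution equalises the shape of the conversation for real and nonexistent accounts; whether the time the PAM stack takes is also comparable depends on the modules configured, so this presumably does not by itself close a timing channel and is worth stating in the comment. Both enclosing functions, sshpam_query and sshpam_respond, start and end outside their hunks.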