diff --git a/ChangeLog b/ChangeLog index 19101efd6..9eab2b462 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,11 @@ behaviour for bsdauth is maintained by checking authctxt->valid in the bsdauth driver. Note that any third-party kbdint drivers will now need to be able to handle responses for invalid logins. ok markus@ + - djm@cvs.openbsd.org 2004/12/22 02:13:19 + [cipher-ctr.c cipher.c] + remove fallback AES support for old OpenSSL, as OpenBSD has had it for + many years now; ok deraadt@ + (Id sync only: Portable will continue to support older OpenSSLs) - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user existence via keyboard-interactive/pam, in conjunction with previous auth2-chall.c change; with Colin Watson and djm. @@ -2005,4 +2010,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3617 2005/01/20 01:43:38 dtucker Exp $ +$Id: ChangeLog,v 1.3618 2005/01/20 02:27:56 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 996964fcd..5bffe338f 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -245,6 +245,17 @@ sshpam_password_change_required(int reqd) } } +/* Check ssh internal flags in addition to PAM */ + +static int +sshpam_login_allowed(Authctxt *ctxt) +{ + if (ctxt->valid && (ctxt->pw->pw_uid != 0 || + options.permit_root_login == PERMIT_YES)) + return 1; + return 0; +} + /* Import regular and PAM environment from subprocess */ static void import_environments(Buffer *b) @@ -702,9 +713,7 @@ sshpam_query(void *ctx, char **name, char **info, **prompts = NULL; } if (type == PAM_SUCCESS) { - if (!sshpam_authctxt->valid || - (sshpam_authctxt->pw->pw_uid == 0 && - options.permit_root_login != PERMIT_YES)) + if (!sshpam_login_allowed(sshpam_authctxt)) fatal("Internal error: PAM auth " "succeeded when it should have " "failed"); @@ -753,9 +762,7 @@ sshpam_respond(void *ctx, u_int num, char **resp) return (-1); } buffer_init(&buffer); - if (sshpam_authctxt->valid && - (sshpam_authctxt->pw->pw_uid != 0 || - options.permit_root_login == PERMIT_YES)) + if (sshpam_login_allowed(sshpam_authctxt)) buffer_put_cstring(&buffer, *resp); else buffer_put_cstring(&buffer, badpw); @@ -1118,8 +1125,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) * by PermitRootLogin, use an invalid password to prevent leaking * information via timing (eg if the PAM config has a delay on fail). */ - if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && - options.permit_root_login != PERMIT_YES)) + if (!sshpam_login_allowed(authctxt)) sshpam_password = badpw; sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, @@ -1130,7 +1136,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) sshpam_err = pam_authenticate(sshpam_handle, flags); sshpam_password = NULL; - if (sshpam_err == PAM_SUCCESS && authctxt->valid) { + if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) { debug("PAM: password authentication accepted for %.100s", authctxt->user); return 1; diff --git a/cipher-ctr.c b/cipher-ctr.c index 395dabedd..43f1ede57 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" -RCSID("$OpenBSD: cipher-ctr.c,v 1.4 2004/02/06 23:41:13 dtucker Exp $"); +RCSID("$OpenBSD: cipher-ctr.c,v 1.5 2004/12/22 02:13:19 djm Exp $"); #include diff --git a/cipher.c b/cipher.c index 075a4c5fc..64be0571f 100644 --- a/cipher.c +++ b/cipher.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.71 2004/07/28 09:40:29 markus Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.72 2004/12/22 02:13:19 djm Exp $"); #include "xmalloc.h" #include "log.h"