- djm@cvs.openbsd.org 2004/12/22 02:13:19
[cipher-ctr.c cipher.c] remove fallback AES support for old OpenSSL, as OpenBSD has had it for many years now; ok deraadt@ (Id sync only: Portable will continue to support older OpenSSLs)
parent
36a3d60347
commit
d231186fd0
|
@ -30,6 +30,11 @@
|
||||||
behaviour for bsdauth is maintained by checking authctxt->valid in the
|
behaviour for bsdauth is maintained by checking authctxt->valid in the
|
||||||
bsdauth driver. Note that any third-party kbdint drivers will now need
|
bsdauth driver. Note that any third-party kbdint drivers will now need
|
||||||
to be able to handle responses for invalid logins. ok markus@
|
to be able to handle responses for invalid logins. ok markus@
|
||||||
|
- djm@cvs.openbsd.org 2004/12/22 02:13:19
|
||||||
|
[cipher-ctr.c cipher.c]
|
||||||
|
remove fallback AES support for old OpenSSL, as OpenBSD has had it for
|
||||||
|
many years now; ok deraadt@
|
||||||
|
(Id sync only: Portable will continue to support older OpenSSLs)
|
||||||
- (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
|
- (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
|
||||||
existence via keyboard-interactive/pam, in conjunction with previous
|
existence via keyboard-interactive/pam, in conjunction with previous
|
||||||
auth2-chall.c change; with Colin Watson and djm.
|
auth2-chall.c change; with Colin Watson and djm.
|
||||||
|
@ -2005,4 +2010,4 @@
|
||||||
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
||||||
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
||||||
|
|
||||||
$Id: ChangeLog,v 1.3617 2005/01/20 01:43:38 dtucker Exp $
|
$Id: ChangeLog,v 1.3618 2005/01/20 02:27:56 dtucker Exp $
|
||||||
|
|
26
auth-pam.c
26
auth-pam.c
|
@ -47,7 +47,7 @@
|
||||||
|
|
||||||
/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
|
/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $");
|
RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $");
|
||||||
|
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
#if defined(HAVE_SECURITY_PAM_APPL_H)
|
#if defined(HAVE_SECURITY_PAM_APPL_H)
|
||||||
|
@ -245,6 +245,17 @@ sshpam_password_change_required(int reqd)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Check ssh internal flags in addition to PAM */
|
||||||
|
|
||||||
|
static int
|
||||||
|
sshpam_login_allowed(Authctxt *ctxt)
|
||||||
|
{
|
||||||
|
if (ctxt->valid && (ctxt->pw->pw_uid != 0 ||
|
||||||
|
options.permit_root_login == PERMIT_YES))
|
||||||
|
return 1;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/* Import regular and PAM environment from subprocess */
|
/* Import regular and PAM environment from subprocess */
|
||||||
static void
|
static void
|
||||||
import_environments(Buffer *b)
|
import_environments(Buffer *b)
|
||||||
|
@ -702,9 +713,7 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||||
**prompts = NULL;
|
**prompts = NULL;
|
||||||
}
|
}
|
||||||
if (type == PAM_SUCCESS) {
|
if (type == PAM_SUCCESS) {
|
||||||
if (!sshpam_authctxt->valid ||
|
if (!sshpam_login_allowed(sshpam_authctxt))
|
||||||
(sshpam_authctxt->pw->pw_uid == 0 &&
|
|
||||||
options.permit_root_login != PERMIT_YES))
|
|
||||||
fatal("Internal error: PAM auth "
|
fatal("Internal error: PAM auth "
|
||||||
"succeeded when it should have "
|
"succeeded when it should have "
|
||||||
"failed");
|
"failed");
|
||||||
|
@ -753,9 +762,7 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||||
return (-1);
|
return (-1);
|
||||||
}
|
}
|
||||||
buffer_init(&buffer);
|
buffer_init(&buffer);
|
||||||
if (sshpam_authctxt->valid &&
|
if (sshpam_login_allowed(sshpam_authctxt))
|
||||||
(sshpam_authctxt->pw->pw_uid != 0 ||
|
|
||||||
options.permit_root_login == PERMIT_YES))
|
|
||||||
buffer_put_cstring(&buffer, *resp);
|
buffer_put_cstring(&buffer, *resp);
|
||||||
else
|
else
|
||||||
buffer_put_cstring(&buffer, badpw);
|
buffer_put_cstring(&buffer, badpw);
|
||||||
|
@ -1118,8 +1125,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
|
||||||
* by PermitRootLogin, use an invalid password to prevent leaking
|
* by PermitRootLogin, use an invalid password to prevent leaking
|
||||||
* information via timing (eg if the PAM config has a delay on fail).
|
* information via timing (eg if the PAM config has a delay on fail).
|
||||||
*/
|
*/
|
||||||
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
|
if (!sshpam_login_allowed(authctxt))
|
||||||
options.permit_root_login != PERMIT_YES))
|
|
||||||
sshpam_password = badpw;
|
sshpam_password = badpw;
|
||||||
|
|
||||||
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
|
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
|
||||||
|
@ -1130,7 +1136,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
|
||||||
|
|
||||||
sshpam_err = pam_authenticate(sshpam_handle, flags);
|
sshpam_err = pam_authenticate(sshpam_handle, flags);
|
||||||
sshpam_password = NULL;
|
sshpam_password = NULL;
|
||||||
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
|
if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) {
|
||||||
debug("PAM: password authentication accepted for %.100s",
|
debug("PAM: password authentication accepted for %.100s",
|
||||||
authctxt->user);
|
authctxt->user);
|
||||||
return 1;
|
return 1;
|
||||||
|
|
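Review bot: In the last auth-pam.c hunk, the success test in sshpam_auth_passwd now also requires `sshpam_login_allowed(authctxt)`, so a PAM_SUCCESS for a login the helper rejects is no longer accepted but is not distinguished from an ordinary bad password, whereas sshpam_query treats the same state as `fatal("Internal error: PAM auth succeeded when it should have failed")`. On this path that state presumably means the PAM stack accepted the substituted `badpw`, which operators would want to see in logs; the failure branch lies outside the visible hunk, so it may already report it. A line such as `if (sshpam_err == PAM_SUCCESS && !sshpam_login_allowed(authctxt)) error("PAM: authentication succeeded for a disallowed login");` before the test would surface it. The helper's one-line comment could also state its contract, for example `/* Returns 1 only for a valid user who is not root, or is root with PermitRootLogin yes; checked both before and after the PAM call */`, and note that `ctxt->pw` is only dereferenced after `ctxt->valid` has been tested.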
|
@ -14,7 +14,7 @@
|
||||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
*/
|
*/
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: cipher-ctr.c,v 1.4 2004/02/06 23:41:13 dtucker Exp $");
|
RCSID("$OpenBSD: cipher-ctr.c,v 1.5 2004/12/22 02:13:19 djm Exp $");
|
||||||
|
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
|
|
||||||
|
|