Bugzilla – Attachment 292 Details for
Bug 559
PAM fixes
[patch]
revised PAM patch
pam.patch2 (text/plain), 4.13 KB, created by
Frank Cusack
on 2003-05-13 13:27:50 AEST
Description:
revised PAM patch
Filename:
MIME Type:
Creator:
Frank Cusack
Created:
2003-05-13 13:27:50 AEST
Size:
4.13 KB
patch
obsolete
>--- openssh.orig/auth1.c Sun Feb 23 16:59:27 2003
>+++ openssh/auth1.c Mon May 12 20:16:44 2003
>@@ -81,6 +81,9 @@ do_authloop(Authctxt *authctxt)
>
> /* If the user has no password, accept authentication immediately. */
> if (options.password_authentication &&
>+#ifdef USE_PAM
>+ options.permit_empty_passwd &&
>+#endif
> #if defined(KRB4) || defined(KRB5)
> (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
> #endif
>@@ -404,7 +418,7 @@ do_authentication(void)
> use_privsep ? " [net]" : "");
>
> #ifdef USE_PAM
>- PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
>+ PRIVSEP(start_pam(user));
> #endif
>
> /*
>--- openssh.orig/auth-pam.c Tue Apr 29 02:12:08 2003
>+++ openssh/auth-pam.c Sun May 11 20:04:36 2003
>@@ -213,15 +213,15 @@ int auth_pam_password(Authctxt *authctxt
> __pampasswd = password;
>
> pamstate = INITIAL_LOGIN;
> pam_retval = do_pam_authenticate(
> options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
>- if (pam_retval == PAM_SUCCESS && pw) {
>+ if (pam_retval == PAM_SUCCESS) {
> debug("PAM password authentication accepted for "
>- "%.100s", pw->pw_name);
>+ "%.100s", authctxt->user);
> return 1;
> } else {
> debug("PAM password authentication failed for "
>- "%.100s: %s", pw ? pw->pw_name : "an illegal user",
>+ "%s%.100s: %s", pw ? "" : "illegal user ", authctxt->user,
> PAM_STRERROR(__pamh, pam_retval));
> return 0;
> }
>--- openssh.orig/auth2.c Sun Feb 23 16:59:27 2003
>+++ openssh/auth2.c Mon May 12 20:23:10 2003
>@@ -162,7 +162,7 @@ input_userauth_request(int type, u_int32
> } else {
> log("input_userauth_request: illegal user %s", user);
> #ifdef USE_PAM
>- PRIVSEP(start_pam("NOUSER"));
>+ PRIVSEP(start_pam(user));
> #endif
> }
> setproctitle("%s%s", authctxt->pw ? user : "unknown",
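Review bot: In auth1.c do_authentication() the new `PRIVSEP(start_pam(user))` hands the client-supplied login name to PAM even when `authctxt->pw` is NULL, where the old code substituted the fixed string "NOUSER"; auth2.c input_userauth_request() gets the same change. From here on, rejecting a nonexistent account rests on `authctxt->valid` being tested after every method, and this patch adds that test only on the SSH2 path (`m->userauth(authctxt) && authctxt->valid`); no hunk shows an equivalent test in do_authloop(), so that should be confirmed before this is applied. A comment at both call sites would record the contract, e.g. `/* user may be invalid here; PAM sees the name as sent by the client, authctxt->valid decides the result */`. Both functions continue outside their hunks.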
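Review bot: In auth-pam.c auth_pam_password() the success test no longer includes `pw`, so the function returns 1 whenever the PAM stack succeeds, including for a user with no passwd entry. The PAM call has already run by that point, so keeping a validity test costs nothing in uniformity of behaviour and leaves the function fail-closed if a caller forgets its own check: `if (pam_retval == PAM_SUCCESS && authctxt->valid) {`. If dropping the test is deliberate, a one-line comment stating that callers must test `authctxt->valid` would document it. The function starts before the hunk.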
>@@ -186,8 +186,8 @@ input_userauth_request(int type, u_int32
> m = authmethod_lookup(method);
> if (m != NULL) {
> debug2("input_userauth_request: try method %s", method);
>- authenticated = m->userauth(authctxt);
>+ authenticated = m->userauth(authctxt) && authctxt->valid;
> }
> userauth_finish(authctxt, authenticated, method);
>
> xfree(service);
>@@ -223,7 +223,15 @@ userauth_finish(Authctxt *authctxt, int
> #endif /* _UNICOS */
>
> /* Log before sending the reply */
>- auth_log(authctxt, authenticated, method, " ssh2");
>+ /*
>+ * With an exception: don't log 'none' failures if empty passwords
>+ * are not allowed; the openssh client ALWAYS requests none just
>+ * to get the list of auth methods, so this is too noisy.
>+ */
>+ if (!(!strcmp(method, "none") && /* method 'none' */
>+ !options.permit_empty_passwd && /* none !allowed */
>+ !authenticated)) /* failed auth */
>+ auth_log(authctxt, authenticated, method, " ssh2");
>
> if (authctxt->postponed)
> return;
>--- openssh.orig/auth2-none.c Tue Apr 29 02:12:08 2003
>+++ openssh/auth2-none.c Sun May 11 00:10:49 2003
>@@ -100,6 +100,27 @@ userauth_none(Authctxt *authctxt)
> if (check_nt_auth(1, authctxt->pw) == 0)
> return(0);
> #endif
>+
>+#ifdef USE_PAM
>+ /*
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ */
>+ if (!options.password_authentication || !options.permit_empty_passwd)
>+ return(0);
>+#endif
>+
> return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
> }
>
>--- openssh.orig/auth2-pam.c Tue Jan 7 17:37:03 2003
>+++ openssh/auth2-pam.c Mon May 12 20:16:44 2003
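Review bot: In auth2.c userauth_finish() the new condition drops the `auth_log()` record for every failed 'none' request when empty passwords are disabled, and that record can be the only authentication-level trace of a client that names a user, sends 'none' and disconnects. Rather than discarding it, I would keep it at a lower level so it is still there during an investigation, for example an `else debug2("userauth_finish: not logging failed none for %.100s", authctxt->user);` after the `auth_log()` call. The triple negation is also hard to audit; `if (authenticated || options.permit_empty_passwd || strcmp(method, "none") != 0)` is equivalent. The function continues outside the hunk.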
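Review bot: In auth2-none.c userauth_none() the thirteen-line comment above the new early return reads only `REDACTED` on this page, so the reason the PAM build refuses 'none' before calling `auth_password()` is not recorded next to the check. The comment should state the rule the code enforces, something like `/* 'none' can only succeed via an empty password; refuse it unless both PasswordAuthentication and PermitEmptyPasswords are enabled */`. It is also worth saying why the test sits under `USE_PAM` only; presumably the non-PAM `auth_password()` applies the empty-password option itself, which is not visible here. The function starts before the hunk.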
>@@ -12,6 +12,10 @@ RCSID("$Id: auth2-pam.c,v 1.15 2003/01/0
> #include "xmalloc.h"
> #include "dispatch.h"
> #include "log.h"
>+#include "servconf.h"
>+
>+/* import */
>+extern ServerOptions options;
>
> static int do_pam_conversation_kbd_int(int num_msg,
> const struct pam_message **msg, struct pam_response **resp,
>@@ -42,7 +46,9 @@ auth2_pam(Authctxt *authctxt)
>
> dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
> &input_userauth_info_response_pam);
>- retval = (do_pam_authenticate(0) == PAM_SUCCESS);
>+ retval = (do_pam_authenticate(options.permit_empty_passwd == 0
>+ ? PAM_DISALLOW_NULL_AUTHTOK
>+ : 0) == PAM_SUCCESS);
> dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
>
> return retval;
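Review bot: In auth2-pam.c auth2_pam() the flag expression `options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0` is now written out a second time (auth_pam_password() in auth-pam.c carries the same expression), so the two call sites can drift apart. Choosing the flag inside `do_pam_authenticate()` or through one small helper would keep the password and keyboard-interactive paths in step. `PAM_DISALLOW_NULL_AUTHTOK` is also only a request to the modules in the stack, so the option is as strong as the configured modules' handling of it; a short comment saying so would set the right expectation. The function continues outside the hunk.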