Attachment 2621 Details for Bug 2399 – bug fix to correctly handle pam_setcred and pam_open_session failure

[patch] bug fix to correctly handle pam_setcred and pam_open_session failure

pam_setcred_fix.patch (text/plain), 1.22 KB, created by huieying.lee on 2015-05-15 08:47:19 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: huieying.lee

Created: 2015-05-15 08:47:19 AEST

Size: 1.22 KB

patch

obsolete

># 
># This patch contains bug fixes to the PAM credential and session operations.
># In the original OpenSSH, the server only gives warnings and still allows 
># users to log in when pam_setcred() or pam_open_session() fail, if user auth
># method is not keyboard-interactive or password.  This is not a correct
># behavior. The server should just fatal out, when these functions fail.
>#
>--- orig/auth-pam.c	Tue May 12 12:57:25 2015
>+++ new4upstream/auth-pam.c	Thu May 14 15:36:07 2015
>@@ -950,12 +950,10 @@
> 		sshpam_cred_established = 1;
> 		return;
> 	}
>-	if (sshpam_authenticated)
>-		fatal("PAM: pam_setcred(): %s",
>-		    pam_strerror(sshpam_handle, sshpam_err));
>-	else
>-		debug("PAM: pam_setcred(): %s",
>-		    pam_strerror(sshpam_handle, sshpam_err));
>+
>+	/* Server will fatal out when pam_setcred() failed. */
>+	fatal("PAM: pam_setcred(): %s", pam_strerror(sshpam_handle,
>+	    sshpam_err));
> }
> 
> static int
>@@ -1048,9 +1046,8 @@
> 	if (sshpam_err == PAM_SUCCESS)
> 		sshpam_session_open = 1;
> 	else {
>-		sshpam_session_open = 0;
>-		disable_forwarding();
>-		error("PAM: pam_open_session(): %s",
>+		/* Server will fatal out when pam_open_session() failed */
>+		fatal("PAM: pam_open_session(): %s",
> 		    pam_strerror(sshpam_handle, sshpam_err));
> 	}
>

Actions: View | Diff

Attachments on bug 2399: 2621