
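--- a/openssh.orig/auth1.c
+++ b/openssh.orig/auth1.c
@@ -81,6 +81,9 @@
 
 	/* If the user has no password, accept authentication immediately. */
 	if (options.password_authentication &&
+#ifdef USE_PAM
+	    options.permit_empty_passwd &&
+#endif
 #if defined(KRB4) || defined(KRB5)
 	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif
@@ -400,11 +414,11 @@
 	else
 		debug("do_authentication: illegal user %s", user);
 
-	setproctitle("%s%s", authctxt->pw ? user : "unknown",
+	setproctitle("%s%s", user,
 	    use_privsep ? " [net]" : "");
 
 #ifdef USE_PAM
-	PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
+	PRIVSEP(start_pam(user));
 #endif
 
 	/*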
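Review bot: In the second hunk, `setproctitle("%s%s", user,` now places the client-supplied name in the process title even when `authctxt->pw` is NULL, while the unchanged context line in auth2.c still uses `authctxt->pw ? user : "unknown"`, so the two protocol paths disagree. The name is unauthenticated input at this point and the process title is readable by other local users. If the real name is wanted there, bound it the way the debug calls in auth-pam.c do, `setproctitle("%.100s%s", user,`; otherwise keep the old `authctxt->pw ? user : "unknown"` argument and change only the `start_pam(user)` line. The enclosing function starts and ends outside the hunk.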
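--- a/openssh.orig/auth-pam.c
+++ b/openssh.orig/auth-pam.c
@@ -213,15 +213,15 @@
 	__pampasswd = password;
 
 	pamstate = INITIAL_LOGIN;
 	pam_retval = do_pam_authenticate(
 	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
-	if (pam_retval == PAM_SUCCESS && pw) {
+	if (pam_retval == PAM_SUCCESS) {
 		debug("PAM password authentication accepted for "
-		    "%.100s", pw->pw_name);
+		    "%.100s", authctxt->user);
 		return 1;
 	} else {
 		debug("PAM password authentication failed for "
-		    "%.100s: %s", pw ? pw->pw_name : "an illegal user",
+		    "%s%.100s: %s", pw ? "" : "illegal user ", authctxt->user,
 		    PAM_STRERROR(__pamh, pam_retval));
 		return 0;
 	}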
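Review bot: Dropping `&& pw` from the success test means this function returns 1 whenever PAM reports success, including when `pw` is NULL, a case the failure branch still treats as possible (`pw ? "" : "illegal user "`). On this page only auth2-none.c is seen to combine the result with `authctxt->valid`; unless every other caller does the same, a PAM stack that accepts a name with no passwd entry would be reported as authenticated. Keeping the guard and changing only the log argument preserves the fail-closed behaviour: `if (pam_retval == PAM_SUCCESS && pw) {` with `"%.100s", authctxt->user);`. The function's start is outside the hunk, so whether `authctxt` is in scope here cannot be confirmed from the page.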
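--- a/openssh.orig/auth2.c
+++ b/openssh.orig/auth2.c
@@ -162,7 +162,8 @@
 		} else {
 			log("input_userauth_request: illegal user %s", user);
 #ifdef USE_PAM
-			PRIVSEP(start_pam("NOUSER"));
+			PRIVSEP(start_pam(user));
+			authenticated = -1;	/* signal illegal user */
 #endif
 		}
 		setproctitle("%s%s", authctxt->pw ? user : "unknown",
@@ -185,9 +186,14 @@
 	/* try to authenticate user */
 	m = authmethod_lookup(method);
 	if (m != NULL) {
+		int r;
+
 		debug2("input_userauth_request: try method %s", method);
-		authenticated =	m->userauth(authctxt);
-	}
+		r = m->userauth(authctxt);
+		authenticated = authenticated != -1 ? r : 0;
+	} else
+		authenticated = 0;
+
 	userauth_finish(authctxt, authenticated, method);
 
 	xfree(service);
@@ -223,7 +229,15 @@
 #endif /* _UNICOS */
 
 	/* Log before sending the reply */
-	auth_log(authctxt, authenticated, method, " ssh2");
+	/*
+	 * With an exception: don't log 'none' failures if empty passwords
+	 * are not allowed; the openssh client ALWAYS requests none just
+	 * to get the list of auth methods, so this is too noisy.
+	 */
+	if (!(!strcmp(method, "none") &&		/* method 'none' */
+	      !options.permit_empty_passwd &&		/* none !allowed */
+	      !authenticated))				/* failed auth   */
+		auth_log(authctxt, authenticated, method, " ssh2");
 
 	if (authctxt->postponed)
 		return;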
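Review bot: In the second hunk, `authenticated = authenticated != -1 ? r : 0;` relies on a `-1` sentinel that the first hunk stores in a variable otherwise used as a boolean, and only inside `#ifdef USE_PAM`. Any truth-value test of `authenticated` between the two points (the code between the hunks is not shown) would read -1 as success, and non-PAM builds never set the sentinel at all. auth2-none.c already consults `authctxt->valid`; assuming that flag is clear for illegal users, `authenticated = authctxt->valid ? r : 0;` states the same rule for every build and the `authenticated = -1;` line can be dropped. If the sentinel stays, the declaration of `authenticated` should carry a comment saying that -1 means "illegal user, force failure".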
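--- a/openssh.orig/auth2-none.c
+++ b/openssh.orig/auth2-none.c
@@ -100,6 +100,27 @@
 	if (check_nt_auth(1, authctxt->pw) == 0)
 		return(0);
 #endif
+
+#ifdef USE_PAM
+	/*
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 */
+	if (!options.password_authentication || !options.permit_empty_passwd)
+		return(0);
+#endif
+
 	return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
 }
 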
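Review bot: The added early return is compiled only under `#ifdef USE_PAM`, although `options.password_authentication` and `options.permit_empty_passwd` are not PAM-specific, so a non-PAM build still reaches `auth_password(authctxt, "")` and depends on that function to refuse empty passwords. If the intent is that `none` never succeeds when empty passwords are disallowed, the test can stand outside the `#ifdef`. If non-PAM builds are deliberately left to `auth_password`, the comment above the test should say so; its text is not readable on this page. The function begins outside the hunk.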
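--- a/openssh.orig/auth2-pam.c
+++ b/openssh.orig/auth2-pam.c
@@ -42,7 +42,9 @@
 
 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
 	    &input_userauth_info_response_pam);
-	retval = (do_pam_authenticate(0) == PAM_SUCCESS);
+	retval = (do_pam_authenticate(options.permit_empty_passwd == 0
+				      ? PAM_DISALLOW_NULL_AUTHTOK
+				      : 0) == PAM_SUCCESS);
 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
 
 	return retval;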
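Review bot: The flag expression `options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0` is now written out both here and in auth-pam.c, and this call site is the one that had previously drifted to a literal `0`. Having `do_pam_authenticate` derive the flag itself, or sharing one small helper, would keep the keyboard-interactive and password paths from diverging again. Failing that, a comment on the call such as `/* honour PermitEmptyPasswords, same as the password path in auth-pam.c */` records the coupling. The enclosing function starts outside the hunk.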
