Bugzilla – Attachment 289 Details for
Bug 559
PAM fixes
[patch]
PAM patches
pam.patch (text/plain), 3.83 KB, created by
Frank Cusack
on 2003-05-12 13:55:53 AEST
Description:
PAM patches
Filename:
MIME Type:
Creator:
Frank Cusack
Created:
2003-05-12 13:55:53 AEST
Size:
3.83 KB
>--- openssh.orig/auth1.c Sun Feb 23 16:59:27 2003
>+++ openssh/auth1.c Sun May 11 00:11:43 2003
>@@ -81,6 +81,9 @@
>
> /* If the user has no password, accept authentication immediately. */
> if (options.password_authentication &&
>+#ifdef USE_PAM
>+ options.permit_empty_passwd &&
>+#endif
> #if defined(KRB4) || defined(KRB5)
> (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
> #endif
>@@ -400,11 +414,11 @@
> else
> debug("do_authentication: illegal user %s", user);
>
>- setproctitle("%s%s", authctxt->pw ? user : "unknown",
>+ setproctitle("%s%s", user,
> use_privsep ? " [net]" : "");
>
> #ifdef USE_PAM
>- PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
>+ PRIVSEP(start_pam(user));
> #endif
>
> /*
>--- openssh.orig/auth-pam.c Tue Apr 29 02:12:08 2003
>+++ openssh/auth-pam.c Fri May 2 17:55:20 2003
>@@ -213,15 +213,15 @@
> __pampasswd = password;
>
> pamstate = INITIAL_LOGIN;
> pam_retval = do_pam_authenticate(
> options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
>- if (pam_retval == PAM_SUCCESS && pw) {
>+ if (pam_retval == PAM_SUCCESS) {
> debug("PAM password authentication accepted for "
>- "%.100s", pw->pw_name);
>+ "%.100s", authctxt->user);
> return 1;
> } else {
> debug("PAM password authentication failed for "
>- "%.100s: %s", pw ? pw->pw_name : "an illegal user",
>+ "%s%.100s: %s", pw ? "" : "illegal user ", authctxt->user,
> PAM_STRERROR(__pamh, pam_retval));
> return 0;
> }
>--- openssh.orig/auth2.c Sun Feb 23 16:59:27 2003
>+++ openssh/auth2.c Thu May 1 22:27:29 2003
>@@ -162,7 +162,8 @@
> } else {
> log("input_userauth_request: illegal user %s", user);
> #ifdef USE_PAM
>- PRIVSEP(start_pam("NOUSER"));
>+ PRIVSEP(start_pam(user));
>+ authenticated = -1; /* signal illegal user */
> #endif
> }
> setproctitle("%s%s", authctxt->pw ? user : "unknown",
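Review bot: In the second auth1.c hunk, `setproctitle("%s%s", user, ...)` now puts the client-supplied name into the process title even when `authctxt->pw` is NULL, so any local user who can list processes can read whatever was typed as the login name, including a password entered there by mistake. auth2.c still passes `authctxt->pw ? user : "unknown"` (context line of its first hunk), so the two protocol paths now disagree; keeping that expression here while still calling `start_pam(user)` would avoid the exposure. The header `@@ -400,11 +414,11 @@` implies a net 14 added lines above this point while the first hunk adds only 3, so part of the auth1.c change appears to be missing from the attachment and the SSH1 handling of illegal users cannot be checked from what is shown.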
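Review bot: Dropping `&& pw` from the success test in the auth-pam.c hunk means a `PAM_SUCCESS` for a name with no passwd entry now makes this function return 1, so rejecting illegal users depends entirely on its callers. The only guards visible in this patch are the `authenticated = -1` override in auth2.c and `&& authctxt->valid` in auth2-none.c; the SSH1 caller is not shown. The contract should be written down at the test, for example `/* may succeed for an illegal user; callers must check authctxt->valid */`, or the test kept fail-closed with `if (pam_retval == PAM_SUCCESS && authctxt->valid) {`. The function starts outside the hunk, so where `pw` and `authctxt` come from is assumed.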
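Review bot: `authenticated = -1` in the illegal-user branch of the first auth2.c hunk stores a nonzero sentinel in a variable that is otherwise used as a boolean, so any `if (authenticated)` between this line and the override in the next hunk (`authenticated = authenticated != -1 ? r : 0;`) would read an illegal user as success. Those intervening lines are outside both hunks, so whether such a test exists cannot be confirmed here. A separate flag keeps the path fail-closed without overloading the result: `int illegal_user = 0;` at the declaration, `illegal_user = 1;` here, and `authenticated = illegal_user ? 0 : r;` after the method call. The sentinel is only set under `#ifdef USE_PAM`, which deserves a comment at the override in the second hunk since the conditional there is a no-op in other builds.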
>@@ -185,9 +186,14 @@
> /* try to authenticate user */
> m = authmethod_lookup(method);
> if (m != NULL) {
>+ int r;
>+
> debug2("input_userauth_request: try method %s", method);
>- authenticated = m->userauth(authctxt);
>- }
>+ r = m->userauth(authctxt);
>+ authenticated = authenticated != -1 ? r : 0;
>+ } else
>+ authenticated = 0;
>+
> userauth_finish(authctxt, authenticated, method);
>
> xfree(service);
>@@ -223,7 +229,15 @@
> #endif /* _UNICOS */
>
> /* Log before sending the reply */
>- auth_log(authctxt, authenticated, method, " ssh2");
>+ /*
>+ * With an exception: don't log 'none' failures if empty passwords
>+ * are not allowed; the openssh client ALWAYS requests none just
>+ * to get the list of auth methods, so this is too noisy.
>+ */
>+ if (!(!strcmp(method, "none") && /* method 'none' */
>+ !options.permit_empty_passwd && /* none !allowed */
>+ !authenticated)) /* failed auth */
>+ auth_log(authctxt, authenticated, method, " ssh2");
>
> if (authctxt->postponed)
> return;
>--- openssh.orig/auth2-none.c Tue Apr 29 02:12:08 2003
>+++ openssh/auth2-none.c Sun May 11 00:10:49 2003
>@@ -100,6 +100,27 @@
> if (check_nt_auth(1, authctxt->pw) == 0)
> return(0);
> #endif
>+
>+#ifdef USE_PAM
>+ /*
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ * REDACTED
>+ */
>+ if (!options.password_authentication || !options.permit_empty_passwd)
>+ return(0);
>+#endif
>+
> return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
> }
>
>--- openssh.orig/auth2-pam.c Tue Jan 7 17:37:03 2003
>+++ openssh/auth2-pam.c Sun May 11 00:10:49 2003
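Review bot: The new condition in the third auth2.c hunk (`@@ -223,7 +229,15 @@`) drops the `auth_log()` record for every failed `none` request when `permit_empty_passwd` is off, so a connection that only ever sends `none` no longer leaves a failed-auth line for log monitoring to key on. Keeping a low-level trace instead of nothing, e.g. `else debug2("failed none for %.100s not logged", authctxt->user);`, preserves the evidence without the noise the comment describes. The nested negation would also read more clearly as `strcmp(method, "none") == 0 && !options.permit_empty_passwd && !authenticated` held in a named local and tested once. The enclosing function starts outside the hunk.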
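Review bot: The comment block added above the new early return in the auth2-none.c hunk contains only `REDACTED` lines, so the reason for the short-circuit is not recorded next to an authentication decision. From the visible code, the point seems to be that under PAM the `none` method can only succeed through `auth_password(authctxt, "")`, so it returns 0 unless both `password_authentication` and `permit_empty_passwd` are enabled. The comment should say that in two or three lines and state whether skipping the PAM call for `none` is also intended for illegal users. The function begins outside the hunk.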
>@@ -42,7 +42,9 @@
>
> dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
> &input_userauth_info_response_pam);
>- retval = (do_pam_authenticate(0) == PAM_SUCCESS);
>+ retval = (do_pam_authenticate(options.permit_empty_passwd == 0
>+ ? PAM_DISALLOW_NULL_AUTHTOK
>+ : 0) == PAM_SUCCESS);
> dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
>
> return retval;
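Review bot: The flag expression `options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0` is now written out both in this auth2-pam.c hunk and in the context lines of the auth-pam.c hunk, so the two PAM entry points can drift apart again, which is the inconsistency this change is correcting. Deriving the flag in one place next to `do_pam_authenticate`, for instance a macro such as `#define PAM_NULL_AUTHTOK_FLAG (options.permit_empty_passwd ? 0 : PAM_DISALLOW_NULL_AUTHTOK)` (name is only a suggestion), would keep the empty-password policy in step across both paths. The enclosing function starts outside the hunk.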
Attachments on
bug 559
:
289
|
292
|
675