

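--- a/openssh.orig/auth1.c
+++ b/openssh.orig/auth1.c
@@ -81,6 +81,9 @@ do_authloop(Authctxt *authctxt)
 
 	/* If the user has no password, accept authentication immediately. */
 	if (options.password_authentication &&
+#ifdef USE_PAM
+	    options.permit_empty_passwd &&
+#endif
 #if defined(KRB4) || defined(KRB5)
 	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif
@@ -404,7 +418,7 @@ do_authentication(void)
 	    use_privsep ? " [net]" : "");
 
 #ifdef USE_PAM
-	PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
+	PRIVSEP(start_pam(user));
 #endif
 
 	/*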
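Review bot: The comment above the condition in do_authloop still reads "If the user has no password, accept authentication immediately", but under USE_PAM the added `options.permit_empty_passwd &&` term means the empty-password attempt is skipped unless empty passwords are permitted. I would update it to `/* If the user has no password (and, under PAM, empty passwords are permitted), accept authentication immediately. */` and add a line saying why the check is compiled only for PAM builds, since `options.permit_empty_passwd` is used without that guard in auth2.c. Separately, `start_pam(user)` in do_authentication now hands the client-supplied name to PAM even when `authctxt->pw` is NULL, and no `authctxt->valid` test like the one added in auth2.c is visible on this SSH1 path, so it is worth confirming that code outside these hunks rejects a PAM success for an unknown user. Both function bodies continue outside the hunks.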
(-)openssh.orig/auth-pam.c (-3 / +3 lines)
Lines 213-227 int auth_pam_password(Authctxt *authctxt Link Here
213
	__pampasswd = password;
213
	__pampasswd = password;
214
214
215
	pamstate = INITIAL_LOGIN;
215
	pamstate = INITIAL_LOGIN;
216
	pam_retval = do_pam_authenticate(
216
	pam_retval = do_pam_authenticate(
217
	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
217
	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
218
	if (pam_retval == PAM_SUCCESS && pw) {
218
	if (pam_retval == PAM_SUCCESS) {
219
		debug("PAM password authentication accepted for "
219
		debug("PAM password authentication accepted for "
220
		    "%.100s", pw->pw_name);
220
		    "%.100s", authctxt->user);
221
		return 1;
221
		return 1;
222
	} else {
222
	} else {
223
		debug("PAM password authentication failed for "
223
		debug("PAM password authentication failed for "
224
		    "%.100s: %s", pw ? pw->pw_name : "an illegal user",
224
		    "%s%.100s: %s", pw ? "" : "illegal user ", authctxt->user,
225
		    PAM_STRERROR(__pamh, pam_retval));
225
		    PAM_STRERROR(__pamh, pam_retval));
226
		return 0;
226
		return 0;
227
	}
227
	}
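Review bot: Dropping `&& pw` from the success test on line 218 means auth_pam_password() returns 1 for a name with no passwd entry whenever the PAM stack reports PAM_SUCCESS; the failure branch still tests `pw ?`, so pw can be NULL at this point. The SSH2 caller compensates with `&& authctxt->valid` in auth2.c, but nothing on this page shows the same for the SSH1 caller, so I would keep the decision local with `if (pam_retval == PAM_SUCCESS && authctxt->valid) {`. do_pam_authenticate() has already been called by then, so the PAM exchange still runs for unknown names. This reads the second copy of each changed line as the new side, as in the sections whose gutter numbers differ; the function starts and ends outside the hunk.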
(-)openssh.orig/auth2.c (-3 / +11 lines)
Lines 162-168 input_userauth_request(int type, u_int32 Link Here
162
		} else {
162
		} else {
163
			log("input_userauth_request: illegal user %s", user);
163
			log("input_userauth_request: illegal user %s", user);
164
#ifdef USE_PAM
164
#ifdef USE_PAM
165
			PRIVSEP(start_pam("NOUSER"));
165
			PRIVSEP(start_pam(user));
166
#endif
166
#endif
167
		}
167
		}
168
		setproctitle("%s%s", authctxt->pw ? user : "unknown",
168
		setproctitle("%s%s", authctxt->pw ? user : "unknown",
Lines 186-193 input_userauth_request(int type, u_int32 Link Here
186
	m = authmethod_lookup(method);
186
	m = authmethod_lookup(method);
187
	if (m != NULL) {
187
	if (m != NULL) {
188
		debug2("input_userauth_request: try method %s", method);
188
		debug2("input_userauth_request: try method %s", method);
189
		authenticated =	m->userauth(authctxt);
189
		authenticated = m->userauth(authctxt) && authctxt->valid;
190
	}
190
	}
191
	userauth_finish(authctxt, authenticated, method);
191
	userauth_finish(authctxt, authenticated, method);
192
192
193
	xfree(service);
193
	xfree(service);
Lines 223-229 userauth_finish(Authctxt *authctxt, int Link Here
223
#endif /* _UNICOS */
223
#endif /* _UNICOS */
224
224
225
	/* Log before sending the reply */
225
	/* Log before sending the reply */
226
	auth_log(authctxt, authenticated, method, " ssh2");
226
	/*
227
	 * With an exception: don't log 'none' failures if empty passwords
228
	 * are not allowed; the openssh client ALWAYS requests none just
229
	 * to get the list of auth methods, so this is too noisy.
230
	 */
231
	if (!(!strcmp(method, "none") &&		/* method 'none' */
232
	      !options.permit_empty_passwd &&		/* none !allowed */
233
	      !authenticated))				/* failed auth   */
234
		auth_log(authctxt, authenticated, method, " ssh2");
227
235
228
	if (authctxt->postponed)
236
	if (authctxt->postponed)
229
		return;
237
		return;
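Review bot: The new logging condition in userauth_finish is a negated conjunction of three negated terms, which is easy to misread in code that decides what reaches the auth log; the same test reads more directly as `if (authenticated || options.permit_empty_passwd || strcmp(method, "none") != 0)`. The suppression also drops every failed `none` record when empty passwords are disabled, so anyone alerting on those entries loses them, and the comment should say that explicitly. The `strcmp` assumes `method` is never NULL, which cannot be confirmed from the lines shown. userauth_finish starts and ends outside the hunk.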
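--- a/openssh.orig/auth2-none.c
+++ b/openssh.orig/auth2-none.c
@@ -100,6 +100,27 @@ userauth_none(Authctxt *authctxt)
 	if (check_nt_auth(1, authctxt->pw) == 0)
 		return(0);
 #endif
+
+#ifdef USE_PAM
+	/*
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 * REDACTED
+	 */
+	if (!options.password_authentication || !options.permit_empty_passwd)
+		return(0);
+#endif
+
 	return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
 }
 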
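Review bot: The `!options.password_authentication` test in userauth_none is compiled only under USE_PAM, so a build without PAM still calls `auth_password(authctxt, "")` for the `none` method when password authentication is disabled, unless auth_password() rejects that itself (its body is not on this page). auth1.c tests `options.password_authentication` unconditionally before the same call; for consistency I would move that half out of the `#ifdef` as `if (!options.password_authentication) return(0);` and leave only the `permit_empty_passwd` check PAM-specific. The explanatory comment is redacted on this page, so I cannot tell whether it already covers this case.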
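--- a/openssh.orig/auth2-pam.c
+++ b/openssh.orig/auth2-pam.c
@@ -12,6 +12,10 @@ RCSID("$Id: auth2-pam.c,v 1.15 2003/01/0
 #include "xmalloc.h"
 #include "dispatch.h"
 #include "log.h"
+#include "servconf.h"
+
+/* import */
+extern ServerOptions options;
 
 static int do_pam_conversation_kbd_int(int num_msg, 
     const struct pam_message **msg, struct pam_response **resp, 
@@ -42,7 +46,9 @@ auth2_pam(Authctxt *authctxt)
 
 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
 	    &input_userauth_info_response_pam);
-	retval = (do_pam_authenticate(0) == PAM_SUCCESS);
+	retval = (do_pam_authenticate(options.permit_empty_passwd == 0
+				      ? PAM_DISALLOW_NULL_AUTHTOK
+				      : 0) == PAM_SUCCESS);
 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
 
 	return retval;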
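Review bot: The expression `options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0` in auth2_pam duplicates the argument auth_pam_password() passes on line 217 of auth-pam.c, so the empty-password policy for PAM now lives in two places that must stay in step. A small shared helper or macro returning the flags would keep password and keyboard-interactive authentication from diverging. `retval` is returned without consulting `authctxt->valid`, which is safe only if every caller applies the check added in auth2.c; that is not visible in this hunk, and auth2_pam continues outside it.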
