- (dtucker) [auth-pam.c] Bug #559 (last piece): Pass DISALLOW_NULL_AUTHTOK

to pam_authenticate for challenge-response auth too.  Originally from
   fcusack at fcusack.com, ok djm@

ChangeLog

@@ -3,6 +3,9 @@
    Ensures messages from PAM modules are displayed when privsep=no.
  - (dtucker) [auth-pam.c] Bug #705: Make arguments match PAM specs, fixes
    warnings on compliant platforms.  From paul.a.bolton at bt.com.  ok djm@
+ - (dtucker) [auth-pam.c] Bug #559 (last piece): Pass DISALLOW_NULL_AUTHTOK
+   to pam_authenticate for challenge-response auth too.  Originally from
+   fcusack at fcusack.com, ok djm@
 
 20040630
  - (dtucker) [auth-pam.c] Check for buggy PAM modules that return a NULL
@@ -1471,4 +1474,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3465 2004/07/01 02:38:14 dtucker Exp $
+$Id: ChangeLog,v 1.3466 2004/07/01 04:00:14 dtucker Exp $

auth-pam.c

@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.109 2004/07/01 02:38:15 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.110 2004/07/01 04:00:15 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -356,6 +356,8 @@ sshpam_thread(void *ctxtp)
 	struct pam_ctxt *ctxt = ctxtp;
 	Buffer buffer;
 	struct pam_conv sshpam_conv;
+	int flags = (options.permit_empty_passwd == 0 ?
+	    PAM_DISALLOW_NULL_AUTHTOK : 0);
 #ifndef USE_POSIX_THREADS
 	extern char **environ;
 	char **env_from_pam;
@@ -378,7 +380,7 @@ sshpam_thread(void *ctxtp)
 	    (const void *)&sshpam_conv);
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;
-	sshpam_err = pam_authenticate(sshpam_handle, 0);
+	sshpam_err = pam_authenticate(sshpam_handle, flags);
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;