mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-22 10:00:14 +00:00
- djm@cvs.openbsd.org 2004/12/22 02:13:19
[cipher-ctr.c cipher.c] remove fallback AES support for old OpenSSL, as OpenBSD has had it for many years now; ok deraadt@ (Id sync only: Portable will continue to support older OpenSSLs)
This commit is contained in:
parent
36a3d60347
commit
d231186fd0
@ -30,6 +30,11 @@
|
||||
behaviour for bsdauth is maintained by checking authctxt->valid in the
|
||||
bsdauth driver. Note that any third-party kbdint drivers will now need
|
||||
to be able to handle responses for invalid logins. ok markus@
|
||||
- djm@cvs.openbsd.org 2004/12/22 02:13:19
|
||||
[cipher-ctr.c cipher.c]
|
||||
remove fallback AES support for old OpenSSL, as OpenBSD has had it for
|
||||
many years now; ok deraadt@
|
||||
(Id sync only: Portable will continue to support older OpenSSLs)
|
||||
- (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
|
||||
existence via keyboard-interactive/pam, in conjunction with previous
|
||||
auth2-chall.c change; with Colin Watson and djm.
|
||||
@ -2005,4 +2010,4 @@
|
||||
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
||||
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
||||
|
||||
$Id: ChangeLog,v 1.3617 2005/01/20 01:43:38 dtucker Exp $
|
||||
$Id: ChangeLog,v 1.3618 2005/01/20 02:27:56 dtucker Exp $
|
||||
|
26
auth-pam.c
26
auth-pam.c
@ -47,7 +47,7 @@
|
||||
|
||||
/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
|
||||
#include "includes.h"
|
||||
RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $");
|
||||
RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $");
|
||||
|
||||
#ifdef USE_PAM
|
||||
#if defined(HAVE_SECURITY_PAM_APPL_H)
|
||||
@ -245,6 +245,17 @@ sshpam_password_change_required(int reqd)
|
||||
}
|
||||
}
|
||||
|
||||
/* Check ssh internal flags in addition to PAM */
|
||||
|
||||
static int
|
||||
sshpam_login_allowed(Authctxt *ctxt)
|
||||
{
|
||||
if (ctxt->valid && (ctxt->pw->pw_uid != 0 ||
|
||||
options.permit_root_login == PERMIT_YES))
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Import regular and PAM environment from subprocess */
|
||||
static void
|
||||
import_environments(Buffer *b)
|
||||
@ -702,9 +713,7 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
**prompts = NULL;
|
||||
}
|
||||
if (type == PAM_SUCCESS) {
|
||||
if (!sshpam_authctxt->valid ||
|
||||
(sshpam_authctxt->pw->pw_uid == 0 &&
|
||||
options.permit_root_login != PERMIT_YES))
|
||||
if (!sshpam_login_allowed(sshpam_authctxt))
|
||||
fatal("Internal error: PAM auth "
|
||||
"succeeded when it should have "
|
||||
"failed");
|
||||
@ -753,9 +762,7 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
return (-1);
|
||||
}
|
||||
buffer_init(&buffer);
|
||||
if (sshpam_authctxt->valid &&
|
||||
(sshpam_authctxt->pw->pw_uid != 0 ||
|
||||
options.permit_root_login == PERMIT_YES))
|
||||
if (sshpam_login_allowed(sshpam_authctxt))
|
||||
buffer_put_cstring(&buffer, *resp);
|
||||
else
|
||||
buffer_put_cstring(&buffer, badpw);
|
||||
@ -1118,8 +1125,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
* by PermitRootLogin, use an invalid password to prevent leaking
|
||||
* information via timing (eg if the PAM config has a delay on fail).
|
||||
*/
|
||||
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
|
||||
options.permit_root_login != PERMIT_YES))
|
||||
if (!sshpam_login_allowed(authctxt))
|
||||
sshpam_password = badpw;
|
||||
|
||||
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
|
||||
@ -1130,7 +1136,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
|
||||
sshpam_err = pam_authenticate(sshpam_handle, flags);
|
||||
sshpam_password = NULL;
|
||||
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
|
||||
if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) {
|
||||
debug("PAM: password authentication accepted for %.100s",
|
||||
authctxt->user);
|
||||
return 1;
|
||||
|
@ -14,7 +14,7 @@
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: cipher-ctr.c,v 1.4 2004/02/06 23:41:13 dtucker Exp $");
|
||||
RCSID("$OpenBSD: cipher-ctr.c,v 1.5 2004/12/22 02:13:19 djm Exp $");
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user