Mercurial Mercurial > upstream > oracle > userland-gate / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/openssh/patches/015-pam_conversation_fix.patch
author Jan Parcel <jan.parcel@oracle.com>
Wed, 16 Nov 2016 12:17:49 -0800
branchs11u3-sru
changeset 7320 edeb951aa980
parent 3946 b1e0e68de63b
permissions -rw-r--r--
24525860 upgrade OpenSSH to 7.3p1 24320031 problem in UTILITY/OPENSSH 24461706 problem in UTILITY/OPENSSH 24752716 Eliminate hard-to-maintain manpages section-number patch in openssh 11.3SRU 15366793 sshd calls pam_authenticate() for none method if PermitEmptyPasswords=yes 24597931 PAM_BUGFIX by-passes fake password for timing attack avoidance 23223069 problem in UTILITY/OPENSSH 24923674 problem in UTILITY/OPENSSH 23577308 OpenSSH Makefile: -DWITHOUT_ED25519 left behind 23140756 openssh passes bad option to configure (--with-tcp-wrappers) 24301902 Log connections dropped when exceeding MaxStartups
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
3946
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
     1
 
#
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
     2
 
# This patch contains an important bug fix for the PAM password userauth
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
     3
 
# conversation function. This bug fix was contributed back to the upstream in
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
     4
 
# 2009, but it was not accepted by the upstream.  For more information, see
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
     5
 
# https://bugzilla.mindrot.org/show_bug.cgi?id=1681.
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
     6
 
#
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
     7
 
--- orig/auth-pam.c	Mon Aug 15 16:16:17 2016
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
     8
 
+++ new/auth-pam.c	Mon Aug 15 16:26:40 2016
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
     9
 
@@ -1138,11 +1138,13 @@
3946
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    10
 
 	free(env);
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    11
 
 }
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    12
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    13
 
+#ifndef PAM_BUGFIX
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    14
 
 /*
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    15
 
  * "Blind" conversation function for password authentication.  Assumes that
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    16
 
  * echo-off prompts are for the password and stores messages for later
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    17
 
  * display.
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    18
 
  */
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    19
 
+#endif
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    20
 
 static int
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    21
 
 sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    22
 
     struct pam_response **resp, void *data)
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    23
 
@@ -1164,6 +1166,17 @@
3946
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    24
 
 	for (i = 0; i < n; ++i) {
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    25
 
 		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    26
 
 		case PAM_PROMPT_ECHO_OFF:
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    27
 
+#ifdef PAM_BUGFIX
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    28
 
+                       /*
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    29
 
+                        * PAM conversation function for the password userauth
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    30
 
+                        * method (non-interactive) really cannot do any
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    31
 
+                        * prompting.  We set the PAM_AUTHTOK item in
3946
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    32
 
+                        * sshpam_auth_passwd()to avoid conversation. If some
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    33
 
+                        * modules still try to converse, then the password
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    34
 
+                        * userauth will fail.
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    35
 
+                        */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    36
 
+                        goto fail;
3946
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    37
 
+#else
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    38
 
 			if (sshpam_password == NULL)
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    39
 
 				goto fail;
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    40
 
 			if ((reply[i].resp = strdup(sshpam_password)) == NULL)
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    41
 
@@ -1170,6 +1183,7 @@
3946
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    42
 
 				goto fail;
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    43
 
 			reply[i].resp_retcode = PAM_SUCCESS;
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    44
 
 			break;
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    45
 
+#endif
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    46
 
 		case PAM_ERROR_MSG:
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    47
 
 		case PAM_TEXT_INFO:
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    48
 
 			len = strlen(PAM_MSG_MEMBER(msg, i, msg));
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    49
 
@@ -1205,6 +1219,9 @@
3946
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    50
 
 int
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    51
 
 sshpam_auth_passwd(Authctxt *authctxt, const char *password)
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    52
 
 {
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    53
 
+#ifdef PAM_BUGFIX
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    54
 
+        int set_item_rtn;
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    55
 
+#endif
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    56
 
 	int flags = (options.permit_empty_passwd == 0 ?
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    57
 
 	    PAM_DISALLOW_NULL_AUTHTOK : 0);
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    58
 
 	char *fake = NULL;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    59
 
@@ -1225,6 +1242,15 @@
3946
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    60
 
 	    options.permit_root_login != PERMIT_YES))
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    61
 
 		sshpam_password = fake = fake_password(password);
3946
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    62
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    63
 
+#ifdef PAM_BUGFIX
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    64
 
+        sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, sshpam_password);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    65
 
+        if (sshpam_err != PAM_SUCCESS) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    66
 
+                debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    67
 
+                    pam_strerror(sshpam_handle, sshpam_err));
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    68
 
+                return 0;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    69
 
+        }
3946
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    70
 
+#endif
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    71
 
+
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    72
 
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    73
 
 	    (const void *)&passwd_conv);
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    74
 
 	if (sshpam_err != PAM_SUCCESS)
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    75
 
@@ -1236,6 +1262,16 @@
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    76
 
 	free(fake);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    77
 
 	if (sshpam_err == PAM_MAXTRIES)
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    78
 
 		sshpam_set_maxtries_reached(1);
3946
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    79
 
+
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    80
 
+#ifdef PAM_BUGFIX
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    81
 
+        set_item_rtn = pam_set_item(sshpam_handle, PAM_AUTHTOK, NULL);
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    82
 
+        if (set_item_rtn != PAM_SUCCESS) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    83
 
+                debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    84
 
+                    pam_strerror(sshpam_handle, set_item_rtn));
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    85
 
+                return 0;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 3946
diff changeset 
    86
 
+        }
3946
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    87
 
+#endif
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    88
 
+
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    89
 
 	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    90
 
 		debug("PAM: password authentication accepted for %.100s",
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset 
    91
 
 		    authctxt->user);
upstream/oracle/userland-gate