author | Tomas Kuthan <tomas.kuthan@oracle.com> |
Tue, 20 Sep 2016 03:54:40 -0700 | |
changeset 6931 | f6f7269f85a9 |
parent 6930 | 31ef2580c45d |
permissions | -rw-r--r-- |
# |
# This patch contains an important bug fix for the PAM password userauth |
# conversation function. This bug fix was contributed back to the upstream in |
# 2009, but it was not accepted by the upstream. For more information, see |
# https://bugzilla.mindrot.org/show_bug.cgi?id=1681. |
# |
--- orig/auth-pam.c Mon Aug 15 16:16:17 2016 |
+++ new/auth-pam.c Mon Aug 15 16:26:40 2016 |
@@ -1138,11 +1138,13 @@ |
free(env); |
} |
|
+#ifndef PAM_BUGFIX |
/* |
* "Blind" conversation function for password authentication. Assumes that |
* echo-off prompts are for the password and stores messages for later |
* display. |
*/ |
+#endif |
static int |
sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg, |
struct pam_response **resp, void *data) |
@@ -1164,6 +1166,17 @@ |
for (i = 0; i < n; ++i) { |
switch (PAM_MSG_MEMBER(msg, i, msg_style)) { |
case PAM_PROMPT_ECHO_OFF: |
+#ifdef PAM_BUGFIX |
+ /* |
+ * PAM conversation function for the password userauth |
+ * method (non-interactive) really cannot do any |
+ * prompting. We set the PAM_AUTHTOK item in |
+ * sshpam_auth_passwd()to avoid conversation. If some |
+ * modules still try to converse, then the password |
+ * userauth will fail. |
+ */ |
+ goto fail; |
+#else |
if (sshpam_password == NULL) |
goto fail; |
if ((reply[i].resp = strdup(sshpam_password)) == NULL) |
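Review bot: The added comment in the PAM_PROMPT_ECHO_OFF case runs two words together, `sshpam_auth_passwd()to avoid conversation`; it should read `* sshpam_auth_passwd() to avoid conversation. If some`. While touching it, the comment could also state that the unconditional `goto fail;` fails the entire conversation on any echo-off prompt, not only a password prompt, which is the intended fail-closed behaviour once PAM_AUTHTOK has been pre-set and no prompting is possible. The body of sshpam_passwd_conv continues beyond the end of this hunk, so the `fail:` path itself is not visible here.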
@@ -1170,6 +1183,7 @@ |
goto fail; |
reply[i].resp_retcode = PAM_SUCCESS; |
break; |
+#endif |
case PAM_ERROR_MSG: |
case PAM_TEXT_INFO: |
len = strlen(PAM_MSG_MEMBER(msg, i, msg)); |
@@ -1205,6 +1219,9 @@ |
int |
sshpam_auth_passwd(Authctxt *authctxt, const char *password) |
{ |
+#ifdef PAM_BUGFIX |
+ int set_item_rtn; |
+#endif |
int flags = (options.permit_empty_passwd == 0 ? |
PAM_DISALLOW_NULL_AUTHTOK : 0); |
char *fake = NULL; |
@@ -1225,6 +1242,15 @@ |
options.permit_root_login != PERMIT_YES)) |
sshpam_password = fake = fake_password(password); |
|
+#ifdef PAM_BUGFIX |
+ sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, sshpam_password); |
+ if (sshpam_err != PAM_SUCCESS) { |
+ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__, |
+ pam_strerror(sshpam_handle, sshpam_err)); |
+ return 0; |
+ } |
+#endif |
+ |
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, |
(const void *)&passwd_conv); |
if (sshpam_err != PAM_SUCCESS) |
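Review bot: The early `return 0;` in the new PAM_BUGFIX block runs after `sshpam_password = fake = fake_password(password);` but before the `free(fake);` that opens the next hunk, so a failed `pam_set_item(sshpam_handle, PAM_AUTHTOK, ...)` leaks the buffer that `fake_password()` allocated and leaves the file-scope `sshpam_password` pointing at it for the rest of the process; the reset that presumably accompanies `free(fake)` is outside this hunk, so that second part is inferred. Release it on this path too, before the return: `free(fake);` and `sshpam_password = NULL;`. Using `sshpam_password` rather than `password` here is what keeps the fake-password timing behaviour for invalid users, which is the point of this changeset, so that part is fine. sshpam_auth_passwd continues past both ends of this hunk.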
@@ -1236,6 +1262,16 @@ |
free(fake); |
if (sshpam_err == PAM_MAXTRIES) |
sshpam_set_maxtries_reached(1); |
+ |
+#ifdef PAM_BUGFIX |
+ set_item_rtn = pam_set_item(sshpam_handle, PAM_AUTHTOK, NULL); |
+ if (set_item_rtn != PAM_SUCCESS) { |
+ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__, |
+ pam_strerror(sshpam_handle, set_item_rtn)); |
+ return 0; |
+ } |
+#endif |
+ |
if (sshpam_err == PAM_SUCCESS && authctxt->valid) { |
debug("PAM: password authentication accepted for %.100s", |
authctxt->user); |
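Review bot: When clearing the authtok fails, the new block turns a possibly successful `pam_authenticate` into a denial but reports it only through `debug()`, with the same "failed to set PAM_AUTHTOK" text as the earlier set-failure in sshpam_auth_passwd, so an operator is left with an unexplained login failure and no way to tell the two cases apart. Log it at `error()` level and name the operation: `error("PAM: %s: failed to clear PAM_AUTHTOK: %s", __func__,` / `pam_strerror(sshpam_handle, set_item_rtn));`. Failing closed here is the right choice, since otherwise the plaintext password would stay held in the PAM handle as PAM_AUTHTOK for the rest of the session. The function continues beyond the end of this hunk.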