equal
deleted
inserted
replaced
|
1 # |
|
2 # This is to fix a keyboard-interactive authentication brute force |
|
3 # vulnerability (MaxAuthTries bypass). A CVE number (CVE-2015-5600) has been |
|
4 # reserved for this problem, but not officially issued yet. This fix came from |
|
5 # OpenSSH upstream, which will be included in the future OpenSSH 7.0p1 release. |
|
6 # When we upgrade OpenSSH to 7.0 in the future, we will remove this patch. |
|
7 # |
|
8 --- a/auth2-chall.c Mon Aug 3 15:25:43 2015 |
|
9 +++ b/auth2-chall.c Mon Aug 3 15:28:17 2015 |
|
10 @@ -82,6 +82,7 @@ |
|
11 void *ctxt; |
|
12 KbdintDevice *device; |
|
13 u_int nreq; |
|
14 + u_int devices_done; |
|
15 }; |
|
16 |
|
17 #ifdef USE_PAM |
|
18 @@ -168,11 +169,15 @@ |
|
19 if (len == 0) |
|
20 break; |
|
21 for (i = 0; devices[i]; i++) { |
|
22 - if (!auth2_method_allowed(authctxt, |
|
23 + if ((kbdintctxt->devices_done & (1 << i)) != 0 || |
|
24 + !auth2_method_allowed(authctxt, |
|
25 "keyboard-interactive", devices[i]->name)) |
|
26 continue; |
|
27 - if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) |
|
28 + if (strncmp(kbdintctxt->devices, devices[i]->name, |
|
29 + len) == 0) { |
|
30 kbdintctxt->device = devices[i]; |
|
31 + kbdintctxt->devices_done |= 1 << i; |
|
32 + } |
|
33 } |
|
34 t = kbdintctxt->devices; |
|
35 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; |