|
1 # |
|
2 # This patch contains bug fixes to the PAM credential and session operations. |
|
3 # In the original OpenSSH, the server only logs the failure and still allows |
|
4 # the user to log in when pam_setcred() or pam_open_session() fails, provided |
|
5 # the user was not authenticated through PAM (i.e. the authentication method |
|
6 # was not keyboard-interactive or password). This is not correct behavior: the |
|
6 # server should fatal out when these functions fail, regardless of auth method. |
|
7 # |
|
8 # We have contributed back these bug fixes to the OpenSSH upstream community. |
|
9 # For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2399 |
|
10 # In the future, if these bug fixes are accepted by the upstream in a later |
|
11 # release, we will remove this patch when we upgrade to that release. |
|
12 # |
|
13 --- orig/auth-pam.c Tue May 12 12:57:25 2015 |
|
14 +++ new/auth-pam.c Thu May 14 15:21:54 2015 |
|
15 @@ -950,6 +950,12 @@ |
|
16 sshpam_cred_established = 1; |
|
17 return; |
|
18 } |
|
19 + |
|
20 +#ifdef PAM_BUGFIX |
|
21 + /* Server will fatal out when pam_setcred() failed. */ |
|
22 + fatal("PAM: pam_setcred(): %s", pam_strerror(sshpam_handle, |
|
23 + sshpam_err)); |
|
24 +#else /* orig */ |
|
25 if (sshpam_authenticated) |
|
26 fatal("PAM: pam_setcred(): %s", |
|
27 pam_strerror(sshpam_handle, sshpam_err)); |
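Review bot: The fatal() added on the new `+#ifdef PAM_BUGFIX` lines only takes effect when PAM_BUGFIX is defined, and nothing in this patch defines it, so unless the build system sets it elsewhere the original `if (sshpam_authenticated)` / debug()-only path is still what gets compiled and a failed pam_setcred() still lets a non-PAM-authenticated (e.g. public-key) login proceed. If the macro is a deliberate build-time switch, the preamble should name where it is set; if it is not, dropping the guard and the `#else /* orig */` copy avoids carrying a known-unsafe code path. The comment on the new line should also record the intent rather than restate the call, e.g. `/* PAM_BUGFIX: fail closed -- a pam_setcred() failure ends the login even when PAM did not authenticate the user (mindrot bug 2399). */`. The `#ifdef` opened here is closed in the following hunk, and the enclosing function begins before this hunk.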
|
28 @@ -956,6 +962,7 @@ |
|
29 else |
|
30 debug("PAM: pam_setcred(): %s", |
|
31 pam_strerror(sshpam_handle, sshpam_err)); |
|
32 +#endif /* PAM_BUGFIX */ |
|
33 } |
|
34 |
|
35 static int |
|
36 @@ -1048,10 +1055,16 @@ |
|
37 if (sshpam_err == PAM_SUCCESS) |
|
38 sshpam_session_open = 1; |
|
39 else { |
|
40 +#ifdef PAM_BUGFIX |
|
41 + /* Server will fatal out when pam_open_session() failed */ |
|
42 + fatal("PAM: pam_open_session(): %s", |
|
43 + pam_strerror(sshpam_handle, sshpam_err)); |
|
44 +#else /* orig */ |
|
45 sshpam_session_open = 0; |
|
46 disable_forwarding(); |
|
47 error("PAM: pam_open_session(): %s", |
|
48 pam_strerror(sshpam_handle, sshpam_err)); |
|
49 +#endif /* PAM_BUGFIX */ |
|
50 } |
|
51 |
|
52 } |
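Review bot: The new fatal() branch is the right fail-closed choice, but its comment restates the code instead of saying why the original handling (`sshpam_session_open = 0; disable_forwarding(); error(...)`, kept under `#else /* orig */`) is unsafe, so a maintainer reading the two paths has no pointer to the rationale. Suggest `/* PAM_BUGFIX: a failed pam_open_session() must end the login, not merely disable forwarding (mindrot bug 2399). */` in place of the current comment, and a terminating period for consistency with the comment in the earlier hunk. Because fatal() does not return, `sshpam_session_open` stays 0 on this path, which presumably makes the PAM cleanup skip pam_close_session() for a session that was never opened -- worth confirming against the cleanup code, which is outside this hunk. The enclosing function also starts before the hunk.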