--- a/components/openssh/patches/015-pam_conversation_fix.patch Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/patches/015-pam_conversation_fix.patch Tue Sep 20 03:54:40 2016 -0700
@@ -4,9 +4,9 @@
# 2009, but it was not accepted by the upstream. For more information, see
# https://bugzilla.mindrot.org/show_bug.cgi?id=1681.
#
---- orig/auth-pam.c Mon Oct 27 14:40:01 2014
-+++ new/auth-pam.c Tue Oct 28 12:40:59 2014
-@@ -1111,11 +1111,13 @@
+--- orig/auth-pam.c Mon Aug 15 16:16:17 2016
++++ new/auth-pam.c Mon Aug 15 16:26:40 2016
+@@ -1138,11 +1138,13 @@
free(env);
}
@@ -20,25 +20,25 @@
static int
sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
-@@ -1137,6 +1139,17 @@
+@@ -1164,6 +1166,17 @@
for (i = 0; i < n; ++i) {
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
case PAM_PROMPT_ECHO_OFF:
+#ifdef PAM_BUGFIX
+ /*
+ * PAM conversation function for the password userauth
-+ * method (non-interactive) really cannot do any
-+ * prompting. We set the PAM_AUTHTOK item in
++ * method (non-interactive) really cannot do any
++ * prompting. We set the PAM_AUTHTOK item in
+ * sshpam_auth_passwd()to avoid conversation. If some
-+ * modules still try to converse, then the password
-+ * userauth will fail.
-+ */
-+ goto fail;
++ * modules still try to converse, then the password
++ * userauth will fail.
++ */
++ goto fail;
+#else
if (sshpam_password == NULL)
goto fail;
if ((reply[i].resp = strdup(sshpam_password)) == NULL)
-@@ -1143,6 +1156,7 @@
+@@ -1170,6 +1183,7 @@
goto fail;
reply[i].resp_retcode = PAM_SUCCESS;
break;
@@ -46,7 +46,7 @@
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
len = strlen(PAM_MSG_MEMBER(msg, i, msg));
-@@ -1178,6 +1192,9 @@
+@@ -1205,6 +1219,9 @@
int
sshpam_auth_passwd(Authctxt *authctxt, const char *password)
{
@@ -55,35 +55,35 @@
+#endif
int flags = (options.permit_empty_passwd == 0 ?
PAM_DISALLOW_NULL_AUTHTOK : 0);
-
-@@ -1197,6 +1214,15 @@
+ char *fake = NULL;
+@@ -1225,6 +1242,15 @@
options.permit_root_login != PERMIT_YES))
- sshpam_password = badpw;
+ sshpam_password = fake = fake_password(password);
+#ifdef PAM_BUGFIX
-+ sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, password);
-+ if (sshpam_err != PAM_SUCCESS) {
-+ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
-+ pam_strerror(sshpam_handle, sshpam_err));
-+ return 0;
-+ }
++ sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, password);
++ if (sshpam_err != PAM_SUCCESS) {
++ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
++ pam_strerror(sshpam_handle, sshpam_err));
++ return 0;
++ }
+#endif
+
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&passwd_conv);
if (sshpam_err != PAM_SUCCESS)
-@@ -1205,6 +1231,16 @@
-
- sshpam_err = pam_authenticate(sshpam_handle, flags);
- sshpam_password = NULL;
+@@ -1236,6 +1262,16 @@
+ free(fake);
+ if (sshpam_err == PAM_MAXTRIES)
+ sshpam_set_maxtries_reached(1);
+
+#ifdef PAM_BUGFIX
+ set_item_rtn = pam_set_item(sshpam_handle, PAM_AUTHTOK, NULL);
-+ if (set_item_rtn != PAM_SUCCESS) {
-+ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
-+ pam_strerror(sshpam_handle, set_item_rtn));
-+ return 0;
-+ }
++ if (set_item_rtn != PAM_SUCCESS) {
++ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
++ pam_strerror(sshpam_handle, set_item_rtn));
++ return 0;
++ }
+#endif
+
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {