components/openssh/patches/015-pam_conversation_fix.patch
changeset 1979 bdbb0de8834e
child 2206 e71c20dca64b
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/015-pam_conversation_fix.patch	Tue Jul 01 13:51:11 2014 -0700
@@ -0,0 +1,64 @@
+#
+# This patch contains an important bug fix for the PAM password userauth
+# conversation function. This bug fix was contributed back to the upstream in 
+# 2009, but it was not accepted by the upstream.  For more information, see
+# https://bugzilla.mindrot.org/show_bug.cgi?id=1681.
+#
+--- orig/auth-pam.c	Fri Jun 20 14:55:27 2014
++++ new/auth-pam.c	Fri Jun 20 14:54:39 2014
+@@ -1111,11 +1111,13 @@
+ 	free(env);
+ }
+ 
++#ifndef PAM_BUGFIX
+ /*
+  * "Blind" conversation function for password authentication.  Assumes that
+  * echo-off prompts are for the password and stores messages for later
+  * display.
+  */
++#endif
+ static int
+ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
+     struct pam_response **resp, void *data)
+@@ -1137,6 +1139,17 @@
+ 	for (i = 0; i < n; ++i) {
+ 		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
+ 		case PAM_PROMPT_ECHO_OFF:
++#ifdef PAM_BUGFIX
++                       /*
++                        * PAM conversation function for the password userauth
++			* method (non-interactive) really cannot do any 
++			* prompting.  We set the PAM_AUTHTOK item in 
++                        * sshpam_auth_passwd()to avoid conversation. If some
++			* modules still try to converse, then the password
++			* userauth will fail.
++			*/
++			goto fail;
++#else
+ 			if (sshpam_password == NULL)
+ 				goto fail;
+ 			if ((reply[i].resp = strdup(sshpam_password)) == NULL)
+@@ -1143,6 +1156,7 @@
+ 				goto fail;
+ 			reply[i].resp_retcode = PAM_SUCCESS;
+ 			break;
++#endif
+ 		case PAM_ERROR_MSG:
+ 		case PAM_TEXT_INFO:
+ 			len = strlen(PAM_MSG_MEMBER(msg, i, msg));
+@@ -1197,6 +1211,15 @@
+ 	    options.permit_root_login != PERMIT_YES))
+ 		sshpam_password = badpw;
+ 
++#ifdef PAM_BUGFIX
++  	sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, password);
++	if (sshpam_err != PAM_SUCCESS) {
++		debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
++		    pam_strerror(sshpam_handle, sshpam_err));
++		return 0;
++	}
++#endif
++
+ 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+ 	    (const void *)&passwd_conv);
+ 	if (sshpam_err != PAM_SUCCESS)
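Review bot: The PAM_AUTHTOK item added under PAM_BUGFIX is set from `password` rather than `sshpam_password`, so the badpw substitution two lines above it (root with PermitRootLogin other than yes, plus whatever the condition's first half, cut by the hunk, covers) no longer reaches PAM: a module that reads PAM_AUTHTOK directly (use_first_pass/try_first_pass style) presumably sees the real password, and the `goto fail` that now replaces the password reply in sshpam_passwd_conv never comes into play for it. The one-line change is `sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, sshpam_password);`, which keeps the substituted password on the same path the conversation function used before. The new early `return 0;` also leaves `sshpam_password` pointing at the caller's buffer; if the rest of sshpam_auth_passwd (outside the hunk) resets it before returning, this exit should do the same. The added comment block and the pam_set_item line mix leading spaces and tabs while the surrounding file uses tabs.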