#
# This patch contains bug fixes to the PAM credential and session operations.
# In the original OpenSSH, the server only gives warnings and still allows
# users to log in when pam_setcred() or pam_open_session() fail, if the user's
# authentication method is not keyboard-interactive or password. This is not
# correct behavior: the server should fatal out when these functions fail.
#
# We have contributed back these bug fixes to the OpenSSH upstream community.
# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2399
# In the future, if these bug fixes are accepted upstream in a later
# release, we will remove this patch when we upgrade to that release.
#
--- orig/auth-pam.c Tue May 12 12:57:25 2015
+++ new/auth-pam.c Thu May 14 15:21:54 2015
@@ -950,6 +950,12 @@
sshpam_cred_established = 1;
return;
}
+
+#ifdef PAM_BUGFIX
+ /* Server will fatal out when pam_setcred() failed. */
+ fatal("PAM: pam_setcred(): %s", pam_strerror(sshpam_handle,
+ sshpam_err));
+#else /* orig */
if (sshpam_authenticated)
fatal("PAM: pam_setcred(): %s",
pam_strerror(sshpam_handle, sshpam_err));
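Review bot: Nothing in this patch defines PAM_BUGFIX, so unless it is set in config.h or CFLAGS the `#else /* orig */` branch is what gets compiled and the behavior change the preamble promises is inert; either define the macro in the patch or drop the conditional and replace the `if (sshpam_authenticated) ... else debug(...)` block outright (the matching `#endif` in the second hunk goes with it). Failing closed is the right call here: continuing after pam_setcred() fails lets a session start without whatever credentials the PAM stack was asked to establish, and the former debug()-level message kept that out of the logs for non-password logins. The added comment only restates the call; a why-comment such as `/* Fail closed: never start a session without the credentials PAM was asked to establish (bz #2399). */` would carry the intent. do_pam_setcred() begins before the hunk; the visible success path sets sshpam_cred_established = 1 and returns, so the fatal() only fires with that flag still unset.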
@@ -956,6 +962,7 @@
else
debug("PAM: pam_setcred(): %s",
pam_strerror(sshpam_handle, sshpam_err));
+#endif /* PAM_BUGFIX */
}
static int
@@ -1048,10 +1055,16 @@
if (sshpam_err == PAM_SUCCESS)
sshpam_session_open = 1;
else {
+#ifdef PAM_BUGFIX
+ /* Server will fatal out when pam_open_session() failed */
+ fatal("PAM: pam_open_session(): %s",
+ pam_strerror(sshpam_handle, sshpam_err));
+#else /* orig */
sshpam_session_open = 0;
disable_forwarding();
error("PAM: pam_open_session(): %s",
pam_strerror(sshpam_handle, sshpam_err));
+#endif /* PAM_BUGFIX */
}
}
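Review bot: The fatal() replaces both `sshpam_session_open = 0` and `disable_forwarding()`, which is only correct because fatal() never returns; sshpam_session_open then keeps whatever value it already had (presumably 0 from static initialization — confirm, since any cleanup that runs on the fatal path and consults it before pam_close_session will see that value). Operationally this turns a failing or misconfigured session module into a login failure for every user, administrators included, so the preamble should state that trade-off rather than only "the server should fatal out". The comment again restates the code; `/* Fail closed: a pam_open_session() failure ends the connection instead of starting a restricted session (bz #2399). */` says why. This hunk is gated on the same undefined PAM_BUGFIX as the first hunk, and do_pam_session() begins before the hunk.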