15366793 sshd calls pam_authenticate() for none method if PermitEmptyPasswords=yes
authorBrent Paulson <Brent.Paulson@Oracle.COM>
Fri, 27 May 2016 13:40:36 -0700
changeset 6086 7c225e52772b
parent 6085 eb3c11e27709
child 6087 e069d6471a4e
15366793 sshd calls pam_authenticate() for none method if PermitEmptyPasswords=yes
23316839 SSH + annotation fails for userauth types which aren't able to prompt the user
components/openssh/service-network-ssh.p5m
components/openssh/sources/sshd-gssapi
components/openssh/sources/sshd-hostbased
components/openssh/sources/sshd-none
components/openssh/sources/sshd-password
components/openssh/sources/sshd-pubkey
--- a/components/openssh/service-network-ssh.p5m	Fri May 27 14:04:06 2016 -0600
+++ b/components/openssh/service-network-ssh.p5m	Fri May 27 13:40:36 2016 -0700
@@ -34,6 +34,16 @@
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
 set name=org.opensolaris.arc-caseid value=PSARC/2015/227 value=PSARC/2016/216
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+file sources/sshd-gssapi path=etc/pam.d/sshd-gssapi group=sys mode=0644 \
+    overlay=allow preserve=renamenew
+file sources/sshd-hostbased path=etc/pam.d/sshd-hostbased group=sys mode=0644 \
+    overlay=allow preserve=renamenew
+file sources/sshd-none path=etc/pam.d/sshd-none group=sys mode=0644 \
+    overlay=allow preserve=renamenew
+file sources/sshd-password path=etc/pam.d/sshd-password group=sys mode=0644 \
+    overlay=allow preserve=renamenew
+file sources/sshd-pubkey path=etc/pam.d/sshd-pubkey group=sys mode=0644 \
+    overlay=allow preserve=renamenew
 file path=etc/ssh/moduli group=sys mode=0644 overlay=allow preserve=renamenew
 file path=etc/ssh/sshd_config group=sys mode=0644 \
     original_name=SUNWsshd:etc/ssh/sshd_config overlay=allow preserve=renamenew
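Review bot: The manifest delivers PAM fragments for gssapi, hostbased, none, password and pubkey, but not for keyboard-interactive, even though the sshd-none header added in this same changeset points administrators to the 'keyboard-interactive' method as the supported way to allow logins without a password. Whether that method already resolves to an existing PAM service outside this package is not visible here; if it does, a one-line note in the file list or in the sshd-none header naming that service would save the next reader from checking. The new entries use `group=sys mode=0644 overlay=allow preserve=renamenew`, which matches the existing sshd_config and moduli entries, so a locally edited fragment survives upgrades and the packaged copy lands as a `.new` file.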
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd-gssapi	Fri May 27 13:40:36 2016 -0700
@@ -0,0 +1,9 @@
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+# PAM configuration for SSH GSSAPI authentication which turns off
+# prompting for an annotation string since it isn't possible to interact
+# with a user when using GSSAPI authentication.
+#
+auth definitive		pam_user_policy.so.1
+auth required		pam_unix_cred.so.1	noannotation
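Review bot: The file only defines the `auth` stack; the `account`, `session` and `password` types are absent, which, as far as I understand pam.conf(5) service-name resolution on this platform, means those phases fall back to the `other` entries rather than being skipped. That is presumably intended, but the header should say so, since a reader comparing this with sshd-none (where all four types are explicitly denied) may conclude that account checks are bypassed for GSSAPI logins; suggested addition to the header: `# Only the auth stack is overridden here; account, session and password` / `# management fall back to the 'other' service entries.` The same applies to sshd-hostbased and sshd-pubkey, which carry the identical two-line auth stack.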
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd-hostbased	Fri May 27 13:40:36 2016 -0700
@@ -0,0 +1,9 @@
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+# PAM configuration for SSH hostbased authentication which turns off
+# prompting for an annotation string since it isn't possible to interact
+# with a user when using hostbased authentication.
+#
+auth definitive		pam_user_policy.so.1
+auth required		pam_unix_cred.so.1	noannotation
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd-none	Fri May 27 13:40:36 2016 -0700
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+# PAM configuration for the SSH user authentication type of 'none' which is
+# used when no authentication is required at all.  This PAM fragment prevents 
+# authentication using sshd-none to avoid unnecessary interaction with
+# failed logins tracking in certain SSH and PAM configurations.  If SSH
+# logins are desired without any authentication then this is possible by
+# configuring both the sshd_config(5) options 'PasswordAuthentication' and
+# 'PermitEmptyPasswords' to be 'yes' and using either the 'password' or
+# 'keyboard-interactive' user authentication methods.
+#
+auth		definitive	pam_deny.so.1
+account		definitive	pam_deny.so.1
+session		definitive	pam_deny.so.1
+password	definitive	pam_deny.so.1
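Review bot: The header describes 'none' as the method "used when no authentication is required at all", but clients also send a 'none' request first to learn which methods the server allows, so this service name can be reached on every login attempt; per the changeset title, sshd only runs pam_authenticate() for it when PermitEmptyPasswords=yes, which I cannot confirm from this hunk. Rewording the first sentence to `# PAM configuration for the SSH 'none' user authentication method, which` / `# clients send to discover allowed methods and which sshd otherwise only` / `# accepts for empty-password accounts.` would make clear that denying it here does not affect ordinary logins. Separately, the "prevents " line carries trailing whitespace, and the module lines are indented with tabs after the type while the other four new fragments use a single space (`auth definitive`), so one layout should be chosen for all five.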
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd-password	Fri May 27 13:40:36 2016 -0700
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+# PAM configuration for SSH password authentication which turns off
+# prompting for an annotation string since it isn't possible to interact
+# with a user when using password authentication.
+#
+auth definitive		pam_user_policy.so.1
+auth required		pam_unix_auth.so.1	noannotation
+auth required		pam_unix_cred.so.1	noannotation
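Review bot: The auth stack runs pam_unix_auth.so.1 without any preceding module that collects the password (no pam_authtok_get.so.1 as the default stack would have), so it can only succeed if sshd has already placed the client-supplied password in PAM_AUTHTOK before calling pam_authenticate(); that part of sshd is not visible here and the header does not mention the dependency. Since the whole point of this fragment is that nothing can prompt the user, a comment such as `# No pam_authtok_get here: sshd sets PAM_AUTHTOK from the client's password` / `# before pam_authenticate(), so no prompting takes place.` would document why this stack differs from the stock one. If sshd does not set the item itself, pam_unix_auth will have no authtok to check and every password login through this service would fail, so that assumption deserves a test.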
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd-pubkey	Fri May 27 13:40:36 2016 -0700
@@ -0,0 +1,9 @@
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+# PAM configuration for SSH public key authentication which turns off
+# prompting for an annotation string since it isn't possible to interact
+# with a user when using public key authentication.
+#
+auth definitive		pam_user_policy.so.1
+auth required		pam_unix_cred.so.1	noannotation