[Bug 559] PAM fixes

bugzilla-daemon at mindrot.org
Thu Jul 1 13:40:58 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=559





------- Additional Comments From dtucker at zip.com.au  2004-07-01 13:40 -------
(From update of attachment 292)
OK, except for the last bit, I think this is all done.

>+#ifdef USE_PAM
>+	    options.permit_empty_passwd &&
>+#endif
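
Review bot: the added `options.permit_empty_passwd &&` operand is quoted without the rest of its expression, so the hunk cannot be evaluated on its own; whatever condition it joins, gating it under `#ifdef USE_PAM` duplicates the refusal that auth-passwd.c already applies in every build (`if (*password == '\0' && options.permit_empty_passwd == 0) return 0;`), and keeping that policy in one place avoids the two checks drifting apart.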

This is done in auth-passwd.c:
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

>-	PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
>+	PRIVSEP(start_pam(user));
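
Review bot: dropping the `"NOUSER"` substitution means `user`, the client-supplied login name, reaches `start_pam()` even when `authctxt->pw == NULL`. That is the right direction for keeping PAM's behaviour identical for existing and nonexistent accounts (so the response no longer reveals which names are valid), but `start_pam()` now receives an arbitrary untrusted string, so confirm it bounds the length and drops control characters before the name is handed to `pam_start()` or logged.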

Fixed a while back.

>-	if (pam_retval == PAM_SUCCESS && pw) {
>+	if (pam_retval == PAM_SUCCESS) {
> 		debug("PAM password authentication accepted for "
>-		    "%.100s", pw->pw_name);
>+		    "%.100s", authctxt->user);

All of the references to the username in auth-pam.c are now authctxt->user.

>+		authenticated = m->userauth(authctxt) && authctxt->valid;
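
Review bot: `m->userauth(authctxt) && authctxt->valid` is the safety net the `&& pw` removal above depends on: once PAM can report success for a name with no passwd entry, only this conjunction stops `authenticated` from being set for such a name. If it is left out on the grounds that no current method returns success for an invalid user, that invariant should be written down in a comment at this line, because it is easy to break silently when a new method is added.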

Not currently needed, see comment #5.  (We can review this should it ever
become necessary).

> 	/* Log before sending the reply */
>-	auth_log(authctxt, authenticated, method, " ssh2");
>+	/*
>+	 * With an exception: don't log 'none' failures if empty passwords
>+	 * are not allowed; the openssh client ALWAYS requests none just
>+	 * to get the list of auth methods, so this is too noisy.
>+	 */
>+	if (!(!strcmp(method, "none") &&		/* method 'none' */
>+	      !options.permit_empty_passwd &&		/* none !allowed */
>+	      !authenticated))				/* failed auth   */
>+		auth_log(authctxt, authenticated, method, " ssh2");

I don't see why this is needed.  Until you get to options.max_authtries/2
failures (which used to be hard-coded to AUTH_FAIL_MAX/2 = 3) it will only get
logged at "verbose" level anyway.

>+	if (!options.password_authentication || !options.permit_empty_passwd)
>+		return(0);
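
Review bot: `!options.permit_empty_passwd` here rejects unconditionally whenever empty passwords are disabled, without testing whether the password actually offered is empty; if this function also handles non-empty passwords, the option becomes a switch that disables the whole method. The check in auth-passwd.c (`*password == '\0' && options.permit_empty_passwd == 0`) tests both conditions and is the one to rely on. Minor: `return 0;` matches the style used elsewhere in the tree rather than `return(0);`.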

Handled in auth-passwd.c (see above).

>-	retval = (do_pam_authenticate(0) == PAM_SUCCESS);
>+	retval = (do_pam_authenticate(options.permit_empty_passwd == 0
>+				      ? PAM_DISALLOW_NULL_AUTHTOK
>+				      : 0) == PAM_SUCCESS);
> 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
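
Review bot: passing `PAM_DISALLOW_NULL_AUTHTOK` when `permit_empty_passwd` is off is the right layer at which to enforce the policy, since PAM can then refuse an empty token before any module's `nullok` setting is consulted; note that the flag is honoured module by module rather than by libpam itself, so the `*password == '\0'` check in auth-passwd.c should stay as the build-independent backstop rather than being removed on the strength of this change. A one-line comment explaining why the flag is conditional would help the next reader.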

This one should probably be ported to -current (will attach a patch).



