[Bug 559] PAM fixes
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Thu Jul 1 13:40:58 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=559
------- Additional Comments From dtucker at zip.com.au 2004-07-01 13:40 -------
(From update of attachment 292)
OK, except for the last bit, I think this is all done.
>+#ifdef USE_PAM
>+ options.permit_empty_passwd &&
>+#endif
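Review bot: the #ifdef USE_PAM guard around "options.permit_empty_passwd &&" makes the empty-password gate build-dependent, so a build without PAM loses the check at this call site; the policy belongs in the common password path, not under a PAM conditional.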
This is done in auth-passwd.c:
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
>- PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
>+ PRIVSEP(start_pam(user));
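Review bot: replacing 'authctxt->pw == NULL ? "NOUSER" : user' with plain 'user' hands the unvalidated, client-supplied login name to start_pam() when no account was resolved; the placeholder previously masked that case, so check that a PAM module's logging or failure path cannot now reveal whether the name exists.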
Fixed a while back.
>- if (pam_retval == PAM_SUCCESS && pw) {
>+ if (pam_retval == PAM_SUCCESS) {
> debug("PAM password authentication accepted for "
>- "%.100s", pw->pw_name);
>+ "%.100s", authctxt->user);
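Review bot: dropping "&& pw" from the "pam_retval == PAM_SUCCESS" test means a PAM success is accepted and logged as accepted even when no local account was resolved; the caller must still gate on authctxt->valid before treating the result as authenticated, otherwise a PAM stack that returns success for an unknown user would pass.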
All of the references to the username in auth-pam.c are now authctxt->user.
>+ authenticated = m->userauth(authctxt) && authctxt->valid;
Not currently needed, see comment #5. (We can review this should it ever
become necessary).
> /* Log before sending the reply */
>- auth_log(authctxt, authenticated, method, " ssh2");
>+ /*
>+ * With an exception: don't log 'none' failures if empty passwords
>+ * are not allowed; the openssh client ALWAYS requests none just
>+ * to get the list of auth methods, so this is too noisy.
>+ */
>+ if (!(!strcmp(method, "none") && /* method 'none' */
>+ !options.permit_empty_passwd && /* none !allowed */
>+ !authenticated)) /* failed auth */
>+ auth_log(authctxt, authenticated, method, " ssh2");
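Review bot: the "if (!(!strcmp(method, "none") && ...))" condition is a triple negation that is easy to misread; the same rule reads directly as "if (strcmp(method, "none") != 0 || options.permit_empty_passwd || authenticated)". Note also that it suppresses only failed 'none' attempts while empty passwords are disallowed, so with PermitEmptyPasswords yes every failed 'none' probe is still logged; that is the right behaviour, but the comment should say so.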
I don't see why this is needed. Until you get to options.max_authtries/2
failures (which used to be hard-coded to AUTH_FAIL_MAX/2 = 3) it will only get
logged at "verbose" level anyway.
>+ if (!options.password_authentication || !options.permit_empty_passwd)
>+ return(0);
Handled in auth-passwd.c (see above).
>- retval = (do_pam_authenticate(0) == PAM_SUCCESS);
>+ retval = (do_pam_authenticate(options.permit_empty_passwd == 0
>+ ? PAM_DISALLOW_NULL_AUTHTOK
>+ : 0) == PAM_SUCCESS);
> dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
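Review bot: PAM_DISALLOW_NULL_AUTHTOK only instructs modules that honour it (those implementing a nullok-style option) to fail on an empty authentication token, so passing it complements rather than replaces sshd's own empty-password check in auth-passwd.c; keep both. Lifting the ternary into a local flags variable before the do_pam_authenticate() call would also make the hunk easier to read.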
This one should probably be ported to -current (will attach a patch).
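As an added illustration (not OpenSSH code, and not part of this bug discussion), the three policy pieces argued over above written as pure functions: the empty-password gate from auth-passwd.c, the PAM flag selection from the last hunk, and the 'none' log-suppression condition in both the patch's nested form and a De Morgan-simplified form, with an exhaustive check that the two forms never disagree. The function names and the PAM_DISALLOW_NULL_AUTHTOK value (Linux-PAM's 0x0001) are assumptions so the file builds stand-alone without security/pam_appl.h.

```c
/*
 * Added illustration, not OpenSSH's code: the empty-password gate, the PAM
 * flag choice and the 'none' log-suppression rule from the review above,
 * plus an exhaustive equivalence check of two spellings of that rule.
 * Function names and the PAM flag value are assumptions for a stand-alone build.
 */
#include <stdio.h>
#include <string.h>

/* Assumed: Linux-PAM's value for PAM_DISALLOW_NULL_AUTHTOK (security/pam_appl.h). */
#define PAM_DISALLOW_NULL_AUTHTOK 0x0001

/* Mirrors the auth-passwd.c gate: an empty password is rejected unless permitted. */
int empty_password_allowed(const char *password, int permit_empty_passwd)
{
    if (*password == '\0' && permit_empty_passwd == 0)
        return 0;
    return 1;
}

/* Flags to hand pam_authenticate(): disallow null tokens when sshd disallows them. */
int pam_auth_flags(int permit_empty_passwd)
{
    return permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0;
}

/* The patch's rule as written: log unless (method is none, empty disallowed, failed). */
int should_log_patch(const char *method, int permit_empty_passwd, int authenticated)
{
    return !(!strcmp(method, "none") && !permit_empty_passwd && !authenticated);
}

/* Same rule after De Morgan: no triple negation to misread. */
int should_log_readable(const char *method, int permit_empty_passwd, int authenticated)
{
    return strcmp(method, "none") != 0 || permit_empty_passwd || authenticated;
}

/* Exhaustive check over method x permit x authenticated; 1 if the forms always agree. */
int log_forms_equivalent(void)
{
    const char *methods[] = { "none", "password", "publickey" };
    for (size_t i = 0; i < sizeof(methods) / sizeof(methods[0]); i++)
        for (int p = 0; p <= 1; p++)
            for (int a = 0; a <= 1; a++)
                if (should_log_patch(methods[i], p, a) !=
                    should_log_readable(methods[i], p, a))
                    return 0;
    return 1;
}

int main(void)
{
    printf("empty password with PermitEmptyPasswords no: allowed=%d\n",
        empty_password_allowed("", 0));
    printf("PAM flags when empty passwords disallowed: 0x%x\n", pam_auth_flags(0));
    printf("log failed 'none' with empty disallowed: %d\n",
        should_log_patch("none", 0, 0));
    printf("log failed 'none' with empty allowed: %d\n",
        should_log_patch("none", 1, 0));
    printf("nested and readable forms agree: %d\n", log_forms_equivalent());
    return 0;
}
```

The equivalence check is the point: it shows the readable condition can be substituted for the patch's nested one without changing which 'none' attempts reach auth_log(), and that successful 'none' attempts and all attempts under PermitEmptyPasswords yes are always logged.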