PAM merge from FreeBSD
Damien Miller
djm at mindrot.org
Mon Feb 3 11:23:41 EST 2003
Dag-Erling Smorgrav wrote:
> BTW, the patches Damien posted contain a bug which breaks ssh1 in some
> cases.
Was this the extra empty query in auth-chall.c? If so, I sent an updated
patch which does:
Index: auth-chall.c
===================================================================
RCS file: /var/cvs/openssh/auth-chall.c,v
retrieving revision 1.10
diff -u -r1.10 auth-chall.c
--- auth-chall.c 5 Jun 2001 18:56:17 -0000 1.10
+++ auth-chall.c 3 Feb 2003 00:21:38 -0000
@@ -76,6 +76,31 @@
return 0;
resp[0] = (char *)response;
res = device->respond(authctxt->kbdintctxt, 1, resp);
+
+ /*
+ * XXX - The PAM kbd-int module likes to postpone authentication,
+ * and complete it with an empty second query. Unfortunately protocol
+ * v1 doesn't allows postponement. Kludge around it by resubmitting
+ * a postponed response and retrying if it comes back with no prompts.
+ */
+ if (res == 1) {
+ char *name, *instr, **prompts;
+ u_int *echo_on, nreq, i;
+
+ if (device->query(authctxt->kbdintctxt,
+ &name, &instr, &nreq, &prompts, &echo_on))
+ goto out;
+ /* v1 only allows a single prompt and we have already sent it */
+ if (nreq == 0)
+ res = device->respond(authctxt->kbdintctxt, 0, resp);
+ for (i = 0; i < nreq; i++)
+ xfree(prompts[i]);
+ xfree(prompts);
+ xfree(echo_on);
+ xfree(name);
+ xfree(instr);
+ }
+out:
device->free_ctx(authctxt->kbdintctxt);
authctxt->kbdintctxt = NULL;
return res ? 0 : 1;
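Review bot: the retry branch is silent when the second query comes back with nreq > 0: the new prompts are freed, res stays at 1, and the v1 client only sees a generic authentication failure with nothing in the server log to explain that a multi-step PAM conversation was cut short. Suggest a diagnostic before the free loop, roughly `if (nreq > 0) debug("protocol v1 cannot deliver %u further prompt(s)", nreq);`. Also worth confirming that the kbd-int module allocates `prompts` and `echo_on` even when it reports nreq == 0, since the unconditional `xfree(prompts); xfree(echo_on);` after the loop assumes both are valid allocations rather than NULL. Minor: "doesn't allows postponement" in the comment should read "doesn't allow postponement".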