Puzzled about PAM support in OpenSSH-3.7.1p2
Darren Tucker
dtucker at zip.com.au
Sun Jan 25 20:11:26 EST 2004
Tom Pavel wrote:
[snip]
> This seems to make the fakepw() case above pointless (and
> prevents my captive acct scenario from working).
[snip]
> My question is how is the !valid case supposed to work? Is this just
> an oversight in the OpenSSH code, or am I missing some other piece of
> the puzzle (perhaps somewhere where valid is supposed to be set)?
fakepw() is there so you can do exactly the same sets of operations for
a real user and a non-existent user, to prevent leaking information
about the validity of the account by returning faster or behaving
differently in one case.
For example, in 3.5p1, auth-passwd.c had code roughly like the following:

	/* deny if no user. */
	if (pw == NULL)
		return 0;
	if (some_other_test(pw->pw_name))
		return 0;
	encrypted_password = crypt(.....);
	return (strcmp(encrypted_password, pw->pw_passwd) == 0);

Obviously, the earlier it fails the faster it returns.
For 3.6.1p2 (?) a change ("owl-always-auth") was added; the equivalent
code became something like:

	if (pw == NULL)
		pw = fakepw();
	ok = authctxt->valid;
	if (some_other_test(pw->pw_name))
		ok = 0;
	encrypted_password = crypt(.....);
	return (strcmp(encrypted_password, pw->pw_passwd) == 0 && ok);

Now all of the same tests will be done in either case.
For a discussion of authctxt->valid and its relationship to PAM, see:
http://bugzilla.mindrot.org/show_bug.cgi?id=559
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
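
The two code shapes sketched in the message above, as an added example that is not part of the original message and is not OpenSSH's code. toy_hash() is a placeholder for crypt(3), and the account table, the user names and the hash_calls counter are assumptions made so the difference in work done can be measured.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins; every name below is hypothetical, not OpenSSH's. */
struct account { const char *name; uint64_t hash; };
static struct account db = { "alice", 0 };          /* the only real account */
static const struct account fake = { "NOUSER", 0 }; /* role of fakepw() */
static int hash_calls;                              /* counts slow-hash runs */

/* Iterated FNV-1a as a placeholder for crypt(3); NOT a real password hash. */
static uint64_t toy_hash(const char *s)
{
	uint64_t h = 1469598103934665603ULL;
	hash_calls++;
	for (int round = 0; round < 1000; round++)
		for (const char *p = s; *p != '\0'; p++)
			h = (h ^ (unsigned char)*p) * 1099511628211ULL;
	return h;
}

static const struct account *lookup(const char *user)
{
	return strcmp(user, db.name) == 0 ? &db : NULL;
}

/* Early-exit shape: an unknown user returns before the hash is computed. */
static int auth_early_exit(const char *user, const char *password)
{
	const struct account *a = lookup(user);
	if (a == NULL)
		return 0;
	return toy_hash(password) == a->hash;
}

/* Always-auth shape: identical work on both paths, result gated on validity. */
static int auth_always(const char *user, const char *password)
{
	const struct account *a = lookup(user);
	int ok = (a != NULL);
	if (a == NULL)
		a = &fake;
	return (toy_hash(password) == a->hash) & ok;
}

int main(void)
{
	db.hash = toy_hash("constructed-pw");   /* enrol the constructed user */
	return auth_early_exit("mallory", "x") || auth_always("mallory", "x") ||
	    !auth_always("alice", "constructed-pw");
}
```

Both functions reject the unknown user, but only auth_always() runs the expensive hash on that path, so the cost of a failed login no longer depends on whether the account exists.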