[openssh-commits] [openssh] 01/01: Prevent excessively long username going to PAM.

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Nov 11 14:11:18 AEDT 2020

This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit fcf429a4c69d30d8725612a55b37181594da8ddf
Author: Darren Tucker <dtucker at dtucker.net>
Date:   Wed Nov 11 12:30:46 2020 +1100

    Prevent excessively long username going to PAM.
    This is a mitigation for a buffer overflow in Solaris' PAM username
    handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
    implementations.  This is not a problem in sshd itself, it only
    prevents sshd from being used as a vector to attack Solaris' PAM.
    It does not prevent the bug in PAM from being exploited via some other
    PAM application.
    Based on github PR#212 from Mike Scott but implemented slightly
    differently.  ok tim@ djm@
 auth-pam.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/auth-pam.c b/auth-pam.c
index 83238215..d429ef13 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -689,6 +689,12 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
 	const char *pam_user, *user = authctxt->user;
 	const char **ptr_pam_user = &pam_user;
+#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
+	/* Protect buggy PAM implementations from excessively long usernames */
+	if (strlen(user) >= PAM_MAX_RESP_SIZE)
+		fatal("Username too long from %s port %d",
+		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
 	if (sshpam_handle == NULL) {
 		if (ssh == NULL) {
 			fatal("%s: called initially with no "

To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list