- (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user

   existence via keyboard-interactive/pam, in conjunction with previous
   auth2-chall.c change; with Colin Watson and djm.

diff --git a/ChangeLog b/ChangeLog
index 569541d603f5e13786b99a8eee82ad3dd8f2dc87..d6eff946496572c7f78e15048a179ea31e16e57e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,9 @@
      behaviour for bsdauth is maintained by checking authctxt->valid in the
      bsdauth driver.  Note that any third-party kbdint drivers will now need
      to be able to handle responses for invalid logins.  ok markus@
+ - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
+   existence via keyboard-interactive/pam, in conjunction with previous
+   auth2-chall.c change; with Colin Watson and djm.
 
 20050118
  - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement

diff --git a/auth-pam.c b/auth-pam.c
index 7ecca946e4905bac0fb5998b5fa466fe4df5c821..0b79f3a25fcd7fef23e7e9e0657a157db13a277c 100644 (file)
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -186,6 +186,7 @@ static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
 static Authctxt *sshpam_authctxt = NULL;
 static const char *sshpam_password = NULL;
+static char badpw[] = "\b\n\r\177INCORRECT";
 
 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
@@ -701,6 +702,12 @@ sshpam_query(void *ctx, char **name, char **info,
                                **prompts = NULL;
                        }
                        if (type == PAM_SUCCESS) {
+                               if (!sshpam_authctxt->valid ||
+                                   (sshpam_authctxt->pw->pw_uid == 0 &&
+                                   options.permit_root_login != PERMIT_YES))
+                                       fatal("Internal error: PAM auth "
+                                           "succeeded when it should have "
+                                           "failed");
                                import_environments(&buffer);
                                *num = 0;
                                **echo_on = 0;
@@ -746,7 +753,12 @@ sshpam_respond(void *ctx, u_int num, char **resp)
                return (-1);
        }
        buffer_init(&buffer);
-       buffer_put_cstring(&buffer, *resp);
+       if (sshpam_authctxt->valid &&
+           (sshpam_authctxt->pw->pw_uid != 0 ||
+            options.permit_root_login == PERMIT_YES))
+               buffer_put_cstring(&buffer, *resp);
+       else
+               buffer_put_cstring(&buffer, badpw);
        if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
                buffer_free(&buffer);
                return (-1);
@@ -1093,7 +1105,6 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 {
        int flags = (options.permit_empty_passwd == 0 ?
            PAM_DISALLOW_NULL_AUTHTOK : 0);
-       static char badpw[] = "\b\n\r\177INCORRECT";
 
        if (!options.use_pam || sshpam_handle == NULL)
                fatal("PAM: %s called when PAM disabled or failed to "