From 0e716148c03330d9d51073d1b2525f557094ecbe Mon Sep 17 00:00:00 2001
From: dtucker
Date: Sun, 30 May 2004 12:04:56 +0000
Subject: [PATCH] - (dtucker) [auth-pam.c] Use an invalid password for root if PermitRootLogin != yes or the login is invalid, to prevent leaking information. Based on Openwall's owl-always-auth patch. ok djm@
---
 ChangeLog | 5 ++++-
 auth-pam.c | 10 ++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 7f76f814..54277805 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 20040530
- - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c]: Bug #874: Re-add PAM
+ - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c] Bug #874: Re-add PAM
   support for PasswordAuthentication=yes. ok djm@
+ - (dtucker) [auth-pam.c] Use an invalid password for root if
+   PermitRootLogin != yes or the login is invalid, to prevent leaking
+   information. Based on Openwall's owl-always-auth patch. ok djm@
 
 20040527
  - (dtucker) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec
diff --git a/auth-pam.c b/auth-pam.c
index ff4b0140..15a44a42 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -1021,6 +1021,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 {
 	int flags = (options.permit_empty_passwd == 0 ?
 	    PAM_DISALLOW_NULL_AUTHTOK : 0);
+	static char badpw[] = "\b\n\r\177INCORRECT";
 
 	if (!options.use_pam || sshpam_handle == NULL)
 		fatal("PAM: %s called when PAM disabled or failed to "
@@ -1029,6 +1030,15 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 	sshpam_password = password;
 	sshpam_authctxt = authctxt;
 
+	/*
+	 * If the user logging in is invalid, or is root but is not permitted
+	 * by PermitRootLogin, use an invalid password to prevent leaking
+	 * information via timing (eg if the PAM config has a delay on fail).
+	 */
+	if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
+	    options.permit_root_login != PERMIT_YES))
+		sshpam_password = badpw;
+
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 	    (const void *)&passwd_conv);
 	if (sshpam_err != PAM_SUCCESS)
-- 
2.45.2
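Review bot: `badpw` is never written to, so the declaration in the first auth-pam.c hunk should be `static const char badpw[] = "\b\n\r\177INCORRECT";`, which lets the compiler reject any later accidental modification of the substituted secret; this compiles provided `sshpam_password` is a `const char *`, which the `sshpam_password = password;` assignment from the `const char *password` parameter suggests. The new comment's rationale covers only delays imposed by the PAM configuration: for a name that is not a local account (`!authctxt->valid`), individual modules may still return a distinct status before any delay runs, so the two paths are not guaranteed to take the same time — worth noting in the comment, e.g. `* This equalises sshd's side only; modules may still fail early for unknown users.` The `authctxt->pw->pw_uid` dereference is safe only because `!authctxt->valid` is evaluated first in the same condition, so the operand order must not be changed. The body of `sshpam_auth_passwd` continues past the end of this hunk.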