From af0e5c2f6933a678c5d4295e733d405f0cb7066c Mon Sep 17 00:00:00 2001 From: dtucker Date: Thu, 20 Jan 2005 01:43:38 +0000 Subject: [PATCH] - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user existence via keyboard-interactive/pam, in conjunction with previous auth2-chall.c change; with Colin Watson and djm. --- ChangeLog | 3 +++ auth-pam.c | 15 +++++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 569541d6..d6eff946 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,9 @@ behaviour for bsdauth is maintained by checking authctxt->valid in the bsdauth driver. Note that any third-party kbdint drivers will now need to be able to handle responses for invalid logins. ok markus@ + - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user + existence via keyboard-interactive/pam, in conjunction with previous + auth2-chall.c change; with Colin Watson and djm. 20050118 - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement diff --git a/auth-pam.c b/auth-pam.c index 7ecca946..0b79f3a2 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -186,6 +186,7 @@ static int sshpam_account_status = -1; static char **sshpam_env = NULL; static Authctxt *sshpam_authctxt = NULL; static const char *sshpam_password = NULL; +static char badpw[] = "\b\n\r\177INCORRECT"; /* Some PAM implementations don't implement this */ #ifndef HAVE_PAM_GETENVLIST @@ -701,6 +702,12 @@ sshpam_query(void *ctx, char **name, char **info, **prompts = NULL; } if (type == PAM_SUCCESS) { + if (!sshpam_authctxt->valid || + (sshpam_authctxt->pw->pw_uid == 0 && + options.permit_root_login != PERMIT_YES)) + fatal("Internal error: PAM auth " + "succeeded when it should have " + "failed"); import_environments(&buffer); *num = 0; **echo_on = 0; @@ -746,7 +753,12 @@ sshpam_respond(void *ctx, u_int num, char **resp) return (-1); } buffer_init(&buffer); - buffer_put_cstring(&buffer, *resp); + if (sshpam_authctxt->valid && + (sshpam_authctxt->pw->pw_uid != 0 || + options.permit_root_login == PERMIT_YES)) + buffer_put_cstring(&buffer, *resp); + else + buffer_put_cstring(&buffer, badpw); if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { buffer_free(&buffer); return (-1); @@ -1093,7 +1105,6 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) { int flags = (options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0); - static char badpw[] = "\b\n\r\177INCORRECT"; if (!options.use_pam || sshpam_handle == NULL) fatal("PAM: %s called when PAM disabled or failed to " -- 2.45.1