http://bugzilla.mindrot.org/show_bug.cgi?id=559
------- Additional Comments From dtucker at zip.com.au 2004-07-01 13:40 -------
(From update of attachment 292)
OK, except for the last bit, I think this is all done.

>+#ifdef USE_PAM >+ options.permit_empty_passwd && >+#endif
This is done in auth-passwd.c:
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

>- PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user)); >+ PRIVSEP(start_pam(user));
Fixed a while back.

>- if (pam_retval == PAM_SUCCESS && pw) { >+ if (pam_retval == PAM_SUCCESS) { > debug("PAM password authentication accepted for " >- "%.100s", pw->pw_name); >+ "%.100s", authctxt->user);
All of the references to the username in auth-pam.c are now authctxt->user.

>+ authenticated = m->userauth(authctxt) && authctxt->valid;
Not currently needed, see comment #5. (We can review this should it ever become necessary).

> /* Log before sending the reply */ >- auth_log(authctxt, authenticated, method, " ssh2"); >+ /* >+ * With an exception: don't log 'none' failures if empty passwords >+ * are not allowed; the openssh client ALWAYS requests none just >+ * to get the list of auth methods, so this is too noisy. >+ */ >+ if (!(!strcmp(method, "none") && /* method 'none' */ >+ !options.permit_empty_passwd && /* none !allowed */ >+ !authenticated)) /* failed auth */ >+ auth_log(authctxt, authenticated, method, " ssh2");
I don't see why this is needed. Until you get to options.max_authtries/2 failures (which used to be hard-coded to AUTH_FAIL_MAX/2 = 3) it will only get logged at "verbose" level anyway.

>+ if (!options.password_authentication || !options.permit_empty_passwd) >+ return(0);
Handled in auth-passwd.c (see above).

>- retval = (do_pam_authenticate(0) == PAM_SUCCESS); >+ retval = (do_pam_authenticate(options.permit_empty_passwd == 0 >+ ?
PAM_DISALLOW_NULL_AUTHTOK >+ : 0) == PAM_SUCCESS); > dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
This one should probably be ported to -current (will attach a patch).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
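Review bot: Dropping `&& pw` from the `pam_retval == PAM_SUCCESS` test leaves PAM's return value as the only condition on the "accepted" path, and the start_pam() hunk no longer substitutes "NOUSER" when `authctxt->pw == NULL`. Both changes rely on the caller rejecting accounts that do not exist, as the `m->userauth(authctxt) && authctxt->valid` hunk does, so a comment next to the changed `if` should name that dependency.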
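Review bot: The condition wrapped around auth_log() in the logging hunk, `!(!strcmp(method, "none") && !options.permit_empty_passwd && !authenticated)`, is a triple negation that is hard to audit, and it ties the suppression to permit_empty_passwd although the comment's reason (the client always requests 'none' first) does not depend on that option. Compute a named boolean for "failed 'none' probe" before the call and test that instead, and say in the comment that successful 'none' authentications are still logged.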
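Review bot: The ternary embedded in the do_pam_authenticate() argument, `options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0`, splits the call over three lines and hides the policy decision inside an expression. Assign the flags to a local variable first and add a one-line comment that null tokens are refused when empty passwords are not permitted, so the same derivation can be reused at any other call that passes flags to do_pam_authenticate().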
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #292 is obsolete|0 |1
------- Additional Comments From dtucker at zip.com.au 2004-07-01 13:43 -------
Created an attachment (id=675)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=675&action=view)
pass PAM_DISALLOW_NULL_AUTHTOK to kbdint too.
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis| |822
Status|NEW |ASSIGNED
djm at mindrot.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #675 Status| |ok
------- Additional Comments From djm at mindrot.org 2004-07-01 13:52 -------
(From update of attachment 675)
ok
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED
------- Additional Comments From dtucker at zip.com.au 2004-07-01 14:01 -------
Committed #675 so I think this bug is done.
Thanks all, closing.