search for: auth2_challenge_stop

http://bugzilla.mindrot.org/show_bug.cgi?id=702 Summary: dont call userauth_finish after auth2_challenge_stop Product: Portable OpenSSH Version: 3.7.1p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: major Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy: pa...

If an ssh1 client initiates challenge-response authentication but does not submit a response to the challenge, and instead switches to some other authentication method, verify_response() will never run, and the kbdint device context will never be freed. In some cases (such as when the FreeBSD PAM authentication code is being used) this may cause a resource leak leading to a denial of service.

..._users; + char **deny_users; + int num_allow_groups; + char **allow_groups; + int num_deny_groups; + char **deny_groups; +}; + + /* * Keyboard interactive device: * init_ctx returns: non NULL upon success @@ -133,6 +147,7 @@ void auth2_challenge_stop(Authctxt *); int allowed_user(struct passwd *); +int auth_allowed_user(struct passwd *, Authaccess); char *get_challenge(Authctxt *); int verify_response(Authctxt *, const char *); Index: auth2.c =================================================================== RCS file: /cvs/openssh/auth2...

Hi all, After the memory leaks (bug 1967 <https://bugzilla.mindrot.org/show_bug.cgi?id=1967>) I reported in bugzilla are fixed, I also applied melton(http://lcs.ios.ac.cn/~xuzb/melton.html) to detect the potential bugs in sshd (openssh-5.9p1). The url below is the index of bug reports that are checked as real bugs manually.

...-3.7.1p2.privsep/auth.h Wed Sep 3 06:11:30 2003 +++ openssh-3.7.1p2/auth.h Sat Oct 4 22:49:24 2003 @@ -133,7 +133,9 @@ char *auth2_read_banner(void); +#ifndef DISABLE_PRIVSEP void privsep_challenge_enable(void); +#endif /* DISABLE_PRIVSEP */ int auth2_challenge(Authctxt *, char *); void auth2_challenge_stop(Authctxt *); diff -adurN openssh-3.7.1p2.privsep/auth1.c openssh-3.7.1p2/auth1.c --- openssh-3.7.1p2.privsep/auth1.c Wed Sep 3 01:32:46 2003 +++ openssh-3.7.1p2/auth1.c Sat Oct 4 23:08:43 2003 @@ -304,8 +304,12 @@ authctxt->pw = fakepw(); } +#ifndef DISABLE_PRIVSEP setproctitle("...

...#endif +#ifdef GSSAPI +extern Authmethod method_gssapi; +#endif Authmethod *authmethods[] = { &method_none, &method_pubkey, +#ifdef GSSAPI + &method_gssapi, +#endif &method_passwd, &method_kbdint, &method_hostbased, @@ -176,6 +186,12 @@ } /* reset state */ auth2_challenge_stop(authctxt); + +#ifdef GSSAPI + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); +#endif + authctxt->postponed = 0; /* try to authenticate user */ Index: compat.c =============================================================...