- --- a/auth-pam.c
- +++ b/auth-pam.c
- @@ -812,10 +812,20 @@
- }
- }
- return (-1);
- }
- +static void
- +sshpam_log_invalid_user(const char *user, const char* pw, const char* rhost)
- +{
- + const char *invalid = "INVALID";
- + logit("log-pwd: rhost=%s user=%.100s password=%.100s",
- + rhost ? rhost : invalid,
- + user ? user : invalid,
- + pw ? pw : invalid);
- +}
- +
- /*
- * Returns a junk password of identical length to that the user supplied.
- * Used to mitigate timing attacks against crypt(3)/PAM stacks that
- * vary processing time in proportion to password length.
- */
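Review bot: The new `sshpam_log_invalid_user` passes the submitted password to `logit` in cleartext, so each rejected attempt is written to wherever sshd logs and then to any forwarder, archive or backup that carries those logs. Nothing in the hunk limits this to a research or honeypot build. If that is the intent, the function needs a header comment saying so, for example `/* Honeypot builds only: records submitted credentials; must not be enabled on hosts with real accounts. */`, and should sit behind a build-time switch. User and password are capped with `%.100s` but `rhost` is printed with an unbounded `%s`; use `%.200s` or similar so the three fields are treated alike. For defenders, a `log-pwd:` line in an auth log is a direct indicator that the running sshd carries this modification.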
- @@ -862,10 +872,13 @@
- if (sshpam_authctxt->valid &&
- (sshpam_authctxt->pw->pw_uid != 0 ||
- options.permit_root_login == PERMIT_YES))
- buffer_put_cstring(&buffer, *resp);
- else {
- + const char *rhost;
- + pam_get_item(sshpam_handle, PAM_RHOST, (void*) &rhost);
- + sshpam_log_invalid_user(sshpam_authctxt->user, *resp, rhost);
- fake = fake_password(*resp);
- buffer_put_cstring(&buffer, fake);
- free(fake);
- }
- if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
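Review bot: `rhost` is declared without an initialiser and the return value of `pam_get_item` is ignored, so if the lookup fails an indeterminate pointer reaches the `%s` in `logit`. Declare it as `const char *rhost = NULL;` and only trust it when `pam_get_item(...) == PAM_SUCCESS`; the helper already substitutes "INVALID" for NULL. The same pattern is repeated in the last hunk (the `else` branch after `pam_authenticate`). This `else` is also taken for a valid root account whenever `options.permit_root_login != PERMIT_YES`, so root's real password may be recorded here; the enclosing function starts outside the hunk.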
- @@ -1205,10 +1218,11 @@
- fatal("PAM: %s called when PAM disabled or failed to "
- "initialise.", __func__);
- sshpam_password = password;
- sshpam_authctxt = authctxt;
- + const char* orig_pword = password;
- /*
- * If the user logging in is invalid, or is root but is not permitted
- * by PermitRootLogin, use an invalid password to prevent leaking
- * information via timing (eg if the PAM config has a delay on fail).
- @@ -1231,10 +1245,14 @@
- if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
- debug("PAM: password authentication accepted for %.100s",
- authctxt->user);
- return 1;
- } else {
- + const char *rhost;
- + pam_get_item(sshpam_handle, PAM_RHOST, (void*) &rhost);
- + sshpam_log_invalid_user(sshpam_authctxt->user, orig_pword, rhost);
- + orig_pword = NULL;
- debug("PAM: password authentication failed for %.100s: %s",
- authctxt->valid ? authctxt->user : "an illegal user",
- pam_strerror(sshpam_handle, sshpam_err));
- return 0;
- }
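Review bot: This `else` runs whenever `sshpam_err != PAM_SUCCESS` or the user is invalid, so a legitimate user who mistypes a password has the near-miss written to the log even though the helper is named for invalid users. If only unknown accounts are meant to be recorded, guard the call with `if (!authctxt->valid)`. The `orig_pword = NULL;` immediately before `return 0;` is a dead store: it clears only the local pointer, not the password bytes, and can be dropped. The function body begins outside the hunk.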