d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Do not use passphraseless keys for authentication unless the nullok

Browse Source 
option was specified.

PR:		bin/81231
Submitted by:	"Daniel O'Connor" <doconnor@gsoft.com.au>
MFC after:	3 days
This commit is contained in:
Dag-Erling Smørgrav 2005-09-22 05:35:24 +00:00
parent 0ed03bc788
commit c777c69bdc
2 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/libpam/modules/pam_ssh/pam_ssh.8
View File

@ -93,6 +93,11 @@ This option is similar to the
option, option,
except that if the previously obtained password fails, except that if the previously obtained password fails,
the user is prompted for another password. the user is prompted for another password.
.It Cm nullok
Normally, keys with no passphrase are ignored for authentication
purposes.
If this option is set, keys with no passphrase will be taken into
consideration, allowing the user to log in with a blank password.
.El .El
.Ss SSH Session Management Module .Ss SSH Session Management Module
The The

10
lib/libpam/modules/pam_ssh/pam_ssh.c
View File

@ -136,7 +136,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
const char **kfn, *passphrase, *user; const char **kfn, *passphrase, *user;
struct passwd *pwd; struct passwd *pwd;
struct pam_ssh_key *psk; struct pam_ssh_key *psk;
int nkeys, pam_err, pass; int nkeys, nullok, pam_err, pass;
nullok = (openpam_get_option(pamh, "nullok") != NULL);
/* PEM is not loaded by default */ /* PEM is not loaded by default */
OpenSSL_add_all_algorithms(); OpenSSL_add_all_algorithms();
@ -151,6 +153,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
if (pwd->pw_dir == NULL) if (pwd->pw_dir == NULL)
return (PAM_AUTH_ERR); return (PAM_AUTH_ERR);
nkeys = 0;
pass = (pam_get_item(pamh, PAM_AUTHTOK, pass = (pam_get_item(pamh, PAM_AUTHTOK,
(const void **)&passphrase) == PAM_SUCCESS); (const void **)&passphrase) == PAM_SUCCESS);
load_keys: load_keys:
@ -160,13 +163,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
if (pam_err != PAM_SUCCESS) if (pam_err != PAM_SUCCESS)
return (pam_err); return (pam_err);
if (*passphrase == '\0' && !nullok)
goto skip_keys;
/* switch to user credentials */ /* switch to user credentials */
pam_err = openpam_borrow_cred(pamh, pwd); pam_err = openpam_borrow_cred(pamh, pwd);
if (pam_err != PAM_SUCCESS) if (pam_err != PAM_SUCCESS)
return (pam_err); return (pam_err);
/* try to load keys from all keyfiles we know of */ /* try to load keys from all keyfiles we know of */
nkeys = 0;
for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase); psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase);
if (psk != NULL) { if (psk != NULL) {
@ -178,6 +183,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
/* switch back to arbitrator credentials */ /* switch back to arbitrator credentials */
openpam_restore_cred(pamh); openpam_restore_cred(pamh);
skip_keys:
/* /*
* If we tried an old token and didn't get anything, and * If we tried an old token and didn't get anything, and
* try_first_pass was specified, try again after prompting the * try_first_pass was specified, try again after prompting the