MFC: don't take unprotected keys into account for authentication.

PR: bin/81231 Approved by: re (kensmith)
2005-09-30 14:02:29 +00:00 · 2005-09-30 14:02:29 +00:00 · b0f5f61587
commit b0f5f61587
parent 9fa3c16a94
2 changed files with 31 additions and 21 deletions
--- a/lib/libpam/modules/pam_ssh/pam_ssh.8
+++ b/lib/libpam/modules/pam_ssh/pam_ssh.8
@ -93,6 +93,11 @@ This option is similar to the
 option,
 except that if the previously obtained password fails,
 the user is prompted for another password.
+.It Cm nullok
+Normally, keys with no passphrase are ignored for authentication
+purposes.
+If this option is set, keys with no passphrase will be taken into
+consideration, allowing the user to log in with a blank password.
 .El
 .Ss SSH Session Management Module
 The
--- a/lib/libpam/modules/pam_ssh/pam_ssh.c
+++ b/lib/libpam/modules/pam_ssh/pam_ssh.c
@ -134,9 +134,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
 {
 	const char **kfn, *passphrase, *user;
+	const void *item;
 	struct passwd *pwd;
 	struct pam_ssh_key *psk;
-	int nkeys, pam_err, pass;
+	int nkeys, nullok, pam_err, pass;
+
+	nullok = (openpam_get_option(pamh, "nullok") != NULL);

 	/* PEM is not loaded by default */
 	OpenSSL_add_all_algorithms();
@ -151,24 +154,25 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 	if (pwd->pw_dir == NULL)
 		return (PAM_AUTH_ERR);

+	nkeys = 0;
+	pass = (pam_get_item(pamh, PAM_AUTHTOK, &item) == PAM_SUCCESS &&
+	    item != NULL);
+ load_keys:
+	/* get passphrase */
+	pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
+	    &passphrase, pam_ssh_prompt);
+	if (pam_err != PAM_SUCCESS)
+		return (pam_err);
+
+	if (*passphrase == '\0' && !nullok)
+		goto skip_keys;
+
 	/* switch to user credentials */
 	pam_err = openpam_borrow_cred(pamh, pwd);
 	if (pam_err != PAM_SUCCESS)
 		return (pam_err);

-	pass = (pam_get_item(pamh, PAM_AUTHTOK,
-	    (const void **)&passphrase) == PAM_SUCCESS);
- load_keys:
-	/* get passphrase */
-	pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
-	    &passphrase, pam_ssh_prompt);
-	if (pam_err != PAM_SUCCESS) {
-		openpam_restore_cred(pamh);
-		return (pam_err);
-	}
-
 	/* try to load keys from all keyfiles we know of */
-	nkeys = 0;
 	for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
 		psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase);
 		if (psk != NULL) {
@ -177,6 +181,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 		}
 	}

+	/* switch back to arbitrator credentials */
+	openpam_restore_cred(pamh);
+
+ skip_keys:
 	/*
 	 * If we tried an old token and didn't get anything, and
 	 * try_first_pass was specified, try again after prompting the
@ -189,9 +197,6 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 		goto load_keys;
 	}

-	/* switch back to arbitrator credentials before returning */
-	openpam_restore_cred(pamh);
-
 	/* no keys? */
 	if (nkeys == 0)
 		return (PAM_AUTH_ERR);
@ -255,10 +260,8 @@ pam_ssh_start_agent(pam_handle_t *pamh)
 	FILE *f;

 	/* get a pipe which we will use to read the agent's output */
-	if (pipe(agent_pipe) == -1) {
-		openpam_restore_cred(pamh);
+	if (pipe(agent_pipe) == -1)
 		return (PAM_SYSTEM_ERR);
-	}

 	/* start the agent */
 	openpam_log(PAM_LOG_DEBUG, "starting an ssh agent");
@ -304,6 +307,7 @@ pam_ssh_add_keys_to_agent(pam_handle_t *pamh)
 	AuthenticationConnection *ac;
 	struct pam_ssh_key *psk;
 	const char **kfn;
+	void *item;
 	char **envlist, **env;
 	int pam_err;

@ -322,8 +326,9 @@ pam_ssh_add_keys_to_agent(pam_handle_t *pamh)

 	/* look for keys to add to it */
 	for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
-		pam_err = pam_get_data(pamh, *kfn, (void **)&psk);
-		if (pam_err == PAM_SUCCESS && psk != NULL) {
+		pam_err = pam_get_data(pamh, *kfn, &item);
+		if (pam_err == PAM_SUCCESS && item != NULL) {
+			psk = item;
 			if (ssh_add_identity(ac, psk->key, psk->comment))
 				openpam_log(PAM_LOG_DEBUG,
 				    "added %s to ssh agent", psk->comment);