not respond to challenge, and later successfully authenticated itself
using another method, the kbdint context would never be released,
leaving the PAM child process behind even after the connection ended.
Fix this by automatically releasing the kbdint context if a packet of
type SSH_CMSG_AUTH_TIS is follwed by anything but a packet of type
SSH_CMSG_AUTH_TIS_RESPONSE.
MFC after: 1 week
returns PAM_CONV_ERR; moreover, make sure we always have the right
conversation function installed before calling PAM service functions.
Also unwrap some not-so-long lines.
MFC after: 3 days
pam_conv argument is NULL. OpenPAM doesn't care, but to make things
easier for people porting this code to other systems (or -STABLE), use
a dummy struct pam_conv instead of NULL.
Pointed out by: Damien Miller <djm@mindrot.org>
- The PAM kbdint device sometimes doesn't know authentication succeeded
until you re-query it. The ssh1 kbdint code would never re-query the
device, so authentication would always fail. This patch has been
submitted to the OpenSSH developers.
- The monitor code for PAM sometimes forgot to tell the monitor that
authentication had succeeded. This caused the monitor to veto the
privsep child's decision to allow the connection.
These patches have been tested with OpenSSH clients on -STABLE, NetBSD and
Linux, and with ssh.com's ssh1 on Solaris.
Sponsored by: DARPA, NAI Labs
initialized after the call to pthread_create() instead of before. It just
happened to work with threads enabled because ctxt is shared, but of
course it doesn't work when we use a child process instead of threads.
Reimplement the necessary bits from auth_pam.c and auth2_pam.c so that
they share the PAM context used by the keyboard-interactive thread. If
a child process is used instead, they will (necessarily) use a separate
context.
Constify do_pam_account() and do_pam_session().
Sponsored by: DARPA, NAI Labs
and did copy it as long as just size of struct sockaddr. So,
If connection is via IPv6, sshd didn't log hostname into utmp
correctly.
This problem occured only under FreeBSD because of our hack.
However, this is potential problem of OpenSSH-portable, and
they agreed to fix this.
Though, there is no fixed version of OpenSSH-portable available
yet, since this problem is serious for IPv6 users, I commit the
fix.
Reported by: many people
Reviewed by: current@ and stable@ (no objection)
MFC after: 3 days
1) options.print_lastlog was not honored.
2) "Last login: ..." was printed twice.
3) "copyright" was not printed
4) No newline was before motd.
Reviewed by: maintainer's silence in 2 weeks (with my constant reminders)
- ChallengeResponseAuthentication controls PAM, not S/Key
- We don't honor PAMAuthenticationViaKbdInt, because the code path it
controls doesn't make sense for us, so don't mention it.
Sponsored by: DARPA, NAI Labs