1 From 74f9ed4532e569d8fe477ebfae5dc69a3f5dd398 Mon Sep 17 00:00:00 2001
2 From: oracle <solaris@oracle.com>
3 Date: Mon, 3 Aug 2015 14:38:26 -0700
4 Subject: [PATCH 17/30] PAM setcred failures
5
6 #
7 # This patch contains bug fixes to the PAM credential and session operations.
8 # In the original OpenSSH, the server only gives warnings and still allows
9 # users to log in when pam_setcred() or pam_open_session() fail, if user auth
10 # method is not keyboard-interactive or password. This is not a correct
11 # behavior. The server should just fatal out, when these functions fail.
12 #
13 # We have contributed back these bug fixes to the OpenSSH upstream community.
14 # For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2399
15 # In the future, if these bug fixes are accepted by upstream in a later
16 # release, we will remove this patch when we upgrade to that release.
17 #
18 ---
19 auth-pam.c | 13 +++++++++++++
20 1 file changed, 13 insertions(+)
21
22 diff --git a/auth-pam.c b/auth-pam.c
23 index 6470d5e..2124546 100644
24 --- a/auth-pam.c
25 +++ b/auth-pam.c
26 @@ -1083,12 +1083,19 @@ do_pam_setcred(int init)
27 sshpam_cred_established = 1;
28 return;
29 }
30 +
31 +#ifdef PAM_BUGFIX
32 + /* Server will fatal out when pam_setcred() failed. */
33 + fatal("PAM: pam_setcred(): %s", pam_strerror(sshpam_handle,
34 + sshpam_err));
35 +#else /* orig */
36 if (sshpam_authenticated)
37 fatal("PAM: pam_setcred(): %s",
38 pam_strerror(sshpam_handle, sshpam_err));
39 else
40 debug("PAM: pam_setcred(): %s",
41 pam_strerror(sshpam_handle, sshpam_err));
42 +#endif /* PAM_BUGFIX */
43 }
44
45 static int
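Review bot: The fail-closed path in do_pam_setcred() is compiled only when `PAM_BUGFIX` is defined, and nothing in this patch defines it. A build that misses the define silently keeps the original branch, where a zero `sshpam_authenticated` lets the login continue after only a `debug()` message. The same gating applies to the do_pam_session() hunk below. If the macro is expected from the build flags, say so beside the `#ifdef`, e.g. `/* PAM_BUGFIX comes from the build flags; without it the fail-open path below is compiled. */`, or drop the conditional so the fix cannot be lost. do_pam_setcred() starts above this hunk.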
46 @@ -1181,10 +1188,16 @@ do_pam_session(void)
47 if (sshpam_err == PAM_SUCCESS)
48 sshpam_session_open = 1;
49 else {
50 +#ifdef PAM_BUGFIX
51 + /* Server will fatal out when pam_open_session() failed */
52 + fatal("PAM: pam_open_session(): %s",
53 + pam_strerror(sshpam_handle, sshpam_err));
54 +#else /* orig */
55 sshpam_session_open = 0;
56 disable_forwarding();
57 error("PAM: pam_open_session(): %s",
58 pam_strerror(sshpam_handle, sshpam_err));
59 +#endif /* PAM_BUGFIX */
60 }
61
62 }
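Review bot: The added comment in the `else` branch of do_pam_session() restates the `fatal()` call instead of recording why the failure is now terminal, which is what a maintainer needs when re-merging upstream changes. A comment such as `/* Fail closed: do not continue a login whose PAM session stack refused to open. */` would capture the intent. Under PAM_BUGFIX the branch no longer reaches `disable_forwarding()`, which is presumably intended because the connection ends. do_pam_session() starts above this hunk.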
63 --
64 2.3.2 (Apple Git-55)
65