    
First stab at the full Joyent wad (still needs work!!!)
    
      
    
    
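--- a/build/openssh/patches/0017-PAM-setcred-failures.patch
+++ b/build/openssh/patches/0018-PAM-setcred-failures.patch
@@ -1,65 +1,65 @@
-From 74f9ed4532e569d8fe477ebfae5dc69a3f5dd398 Mon Sep 17 00:00:00 2001
+From d6bad830599b2a95150370954576800b4c6e8947 Mon Sep 17 00:00:00 2001
 From: oracle <solaris@oracle.com>
 Date: Mon, 3 Aug 2015 14:38:26 -0700
-Subject: [PATCH 17/30] PAM setcred failures
+Subject: [PATCH 18/36] PAM setcred failures
 
 #
 # This patch contains bug fixes to the PAM credential and session operations.
 # In the original OpenSSH, the server only gives warnings and still allows
 # users to log in when pam_setcred() or pam_open_session() fail, if user auth
 # method is not keyboard-interactive or password.  This is not a correct
 # behavior. The server should just fatal out, when these functions fail.
 #
 # We have contributed back these bug fixes to the OpenSSH upstream community.
 # For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2399
 # In the future, if these bug fixes are accepted by the upsteam in a later
 # release, we will remove this patch when we upgrade to that release.
 #
 ---
  auth-pam.c | 13 +++++++++++++
  1 file changed, 13 insertions(+)
 
 diff --git a/auth-pam.c b/auth-pam.c
 index 6470d5e..2124546 100644
 --- a/auth-pam.c
 +++ b/auth-pam.c
 @@ -1083,12 +1083,19 @@ do_pam_setcred(int init)
                 sshpam_cred_established = 1;
                 return;
         }
 +
 +#ifdef PAM_BUGFIX
 +       /* Server will fatal out when pam_setcred() failed. */
 +       fatal("PAM: pam_setcred(): %s", pam_strerror(sshpam_handle,
 +           sshpam_err));
 +#else /* orig */
         if (sshpam_authenticated)
                 fatal("PAM: pam_setcred(): %s",
                     pam_strerror(sshpam_handle, sshpam_err));
         else
                 debug("PAM: pam_setcred(): %s",
                     pam_strerror(sshpam_handle, sshpam_err));
 +#endif /* PAM_BUGFIX */
  }
  
  static int
 @@ -1181,10 +1188,16 @@ do_pam_session(void)
         if (sshpam_err == PAM_SUCCESS)
                 sshpam_session_open = 1;
         else {
 +#ifdef PAM_BUGFIX
 +               /* Server will fatal out when pam_open_session() failed */
 +               fatal("PAM: pam_open_session(): %s",
 +                   pam_strerror(sshpam_handle, sshpam_err));
 +#else /* orig */
                 sshpam_session_open = 0;
                 disable_forwarding();
                 error("PAM: pam_open_session(): %s",
                     pam_strerror(sshpam_handle, sshpam_err));
 +#endif /* PAM_BUGFIX */
         }
  
  }
 -- 
-2.3.2 (Apple Git-55)
+2.5.4 (Apple Git-61)
 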
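Review bot: The fail-closed behaviour this carried patch adds to `do_pam_setcred()` and `do_pam_session()` is compiled in only under `#ifdef PAM_BUGFIX`, and neither the patch header nor anything in this section says where that macro is defined. If the build leaves it undefined, sshd keeps the original paths that the header itself calls incorrect: a `pam_setcred()` failure is only logged through `debug()` when `sshpam_authenticated` is unset, and a `pam_open_session()` failure only clears `sshpam_session_open` and disables forwarding, so the login proceeds. I would document the dependency in the header, for example `# The fix is active only when sshd is compiled with -DPAM_BUGFIX (set in <BUILD_FILE_PLACEHOLDER>).`, and have the build fail if the define is missing. Both functions begin and end outside the inner hunks, so whether another patch in the series sets the flag cannot be confirmed from this page.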
    