I confirm this behaviour. And it's not new in 3.6.1_p2. I had this
behaviour long before.

On Sat, May 03, 2003 at 12:16:13PM +0200, Andrea Barisani wrote:
>
> Hi folks, I'm having problems with pam and openssh 3.6.1_p2, I've contacted
> openssh-dev and I've received some replies, could someone confirm that I am
> not the only one to experience this problem?
>
> I'm including my original post to openssh-dev and the reply with a patch.
>
> What do you think?
>
> Bye
>
> ----------------------------------------------------------------------------------------
>
> Andrea Barisani wrote:
> >
> > ----- Forwarded message from Andrea Barisani <lcars@××××××××××××××××××.it> -----
> >
> > Date: Fri, 2 May 2003 14:01:33 +0200
> > From: Andrea Barisani <lcars@××××××××××××××××××.it>
> > To: openssh@×××××××.com
> > Subject: openssh 3.6.1_p2 problem with pam
> >
> > Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour:
> >
> > # ssh -l lcars mybox
> > [2 seconds delay]
> > lcars@mybox's password:
> >
> > In the logs I have:
> >
> > May 2 13:57:11 sole sshd(pam_unix)[19663]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=homer.infis.univ.trieste.it user=lcars
> > May 2 13:57:13 sole sshd(pam_unix)[19665]: session opened for user lcars by (uid=817)
> >
> > The first line is logged _before_ sshd prompts for the password and that's the
> > cause of the delay since I'm not using nodelay option in system-auth.
> >
> > The second one is logged after I enter the correct password.
> >
> > I don't suppose that this is a correct behaviour, what do you think?
> >
> > Thanks a lot.
> >
> > Bye
> >
>
>
> Yes, it's not correct behavior. However, this isn't new to 3.6.1.
> Not sure why you're only seeing it now.
>
> This should help you out:
>
> --- openssh/auth1.c Sun Feb 23 16:59:27 2003 |
> +++ openssh/auth1.c Thu May 1 22:27:29 2003 |
> @@ -80,7 +80,7 @@ |
> authctxt->valid ? "" : "illegal user ", authctxt->user); |
> |
> /* If the user has no password, accept authentication immediately. */ |
> - if (options.password_authentication && |
> + if (options.password_authentication && options.permit_empty_passwd && |
> #if defined(KRB4) || defined(KRB5) |
> (!options.kerberos_authentication || options.kerberos_or_local_passwd) && |
> #endif |
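Review bot: the comment directly above the changed condition in auth1.c still reads "If the user has no password, accept authentication immediately", but with options.permit_empty_passwd added to the test the empty-password attempt is skipped whenever empty passwords are disallowed. Update the comment to state that dependency. The same gate is added separately in auth2-none.c, so the two copies need to stay in step; a shared helper would avoid drift.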
> --- openssh/auth2-none.c Tue Apr 29 02:12:08 2003 |
> +++ openssh/auth2-none.c Thu May 1 22:27:29 2003 |
> @@ -100,6 +100,25 @@ |
> if (check_nt_auth(1, authctxt->pw) == 0) |
> return(0); |
> #endif |
> + |
> + /* |
> + * REDACTED |
> + * REDACTED |
> + * REDACTED |
> + * REDACTED |
> + * REDACTED |
> + * REDACTED |
> + * REDACTED |
> + * REDACTED |
> + * REDACTED |
> + * REDACTED |
> + * REDACTED |
> + * REDACTED |
> + * REDACTED |
> + */ |
> + if (!options.permit_empty_passwd) |
> + return(0); |
> + |
> return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid; |
> } |
> |
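Review bot: the 13-line comment placed above the new early return in auth2-none.c is unreadable as posted (every line is REDACTED), so the reason for returning 0 before the auth_password(authctxt, "") call is not documented in the patch. A short comment stating that the empty-password attempt is skipped when options.permit_empty_passwd is off, and what that attempt otherwise triggers, would make the check reviewable on its own.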
> ----------------------------------------------------------------------------------------
>
> On Sat, May 03, 2003 at 12:24:44AM +0200, Andrea Barisani wrote:
> > I suppose that we'll be seeing this patch in the next version, am I right?
>
> I don't think so. The openssh team has been generally resistant[1] to most
> of my pam suggestions. I have stopped submitting them at this point.
>
> /fc
> [1] Not that I fault them for it. PAM is hard to wedge into openssh
> nicely. Esp. now with privsep.
>
>
>
> --
> gentoo-dev@g.o mailing list
>


--
gentoo-dev@g.o mailing list
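
Added example (not part of the thread and not OpenSSH code): a log classifier that separates the pattern described in the forwarded message, a pam_unix failure followed seconds later by a session opened for the same user, from failures that never lead to a login. The function name, the 5-second window, the year argument and the third sample line are assumptions made here; the first two sample lines are the ones quoted in the thread.

```python
import re
from datetime import datetime

# Syslog prefix as quoted in the thread: "May 2 13:57:11 sole sshd(pam_unix)[19663]: ..."
LINE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: (.*)$")
FAIL = re.compile(r"^authentication failure;.*\brhost=(\S*).*\buser=(\S+)")
OPEN = re.compile(r"^session opened for user (\S+)")

def classify(lines, window=5, year=2003):
    """Return (probe_artifacts, unexplained) for sshd pam_unix failures.

    Events are correlated by user, not PID: the thread's two lines carry
    different PIDs (19663, 19665). Syslog omits the year, so it is passed in.
    """
    pending = {}                       # user -> (time, rhost) of latest failure
    artifacts, unexplained = [], []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        mon, day, clock, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        if (f := FAIL.match(msg)):
            rhost, user = f.groups()
            if user in pending:        # older failure never led to a session
                unexplained.append((user, pending[user][1]))
            pending[user] = (ts, rhost)
        elif (o := OPEN.match(msg)) and o.group(1) in pending:
            t0, rhost = pending.pop(o.group(1))
            delay = (ts - t0).total_seconds()
            if 0 <= delay <= window:   # failure, then success moments later
                artifacts.append((o.group(1), rhost, delay))
            else:
                unexplained.append((o.group(1), rhost))
    unexplained += [(u, r) for u, (_, r) in pending.items()]
    return artifacts, unexplained

SAMPLE = [
    # First two lines are the ones quoted in the thread; the third is constructed.
    "May 2 13:57:11 sole sshd(pam_unix)[19663]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=homer.infis.univ.trieste.it user=lcars",
    "May 2 13:57:13 sole sshd(pam_unix)[19665]: session opened for user lcars by (uid=817)",
    "May 2 14:02:40 sole sshd(pam_unix)[19701]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=guest",
]

if __name__ == "__main__":
    probe, other = classify(SAMPLE)
    print("empty-password probe artifacts:", probe)
    print("failures needing review:", other)
```

A mistyped password followed by a correct one inside the window is classified the same way, so keep the window close to the configured PAM failure delay.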