Patchwork [1/1] openssh: avoid checking empty passwords to mess up with PAM modules

login
register
mail settings
Submitter Qi.Chen@windriver.com
Date July 2, 2014, 6:24 a.m.
Message ID <f10b0de652bff0cfeb473eae9d31ebe7ed2e933d.1404282047.git.Qi.Chen@windriver.com>
Download mbox | patch
Permalink /patch/74653/
State Accepted
Commit 301c3f93891c23a42ae7020ef78125adadd021e5
Headers show

Comments

Qi.Chen@windriver.com - July 2, 2014, 6:24 a.m.
Previously, even if PAM is enabled for ssh, the daemon still tries to
authenticate an empty password. This leads to authentication failure
which would mess up with PAM modules.

As a result, if 'UsePAM', 'PermitEmptyPasswords' and 'PasswordAuthentication'
are enabled, no user can login correctly. We would meet the following error
message at the client side.

	Write failed: Broken Pipe

This patch fixes the above problem by checking whether PAM is enabled before
authenticating an empty password. After all, if PAM is enabled, the task of
authenticating passwords should be handled to PAM modules.

[YOCTO #6466]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 ...c-avoid-authenticate-empty-passwords-to-m.patch |   30 ++++++++++++++++++++
 meta/recipes-connectivity/openssh/openssh_6.6p1.bb |    3 +-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch

Patch

diff --git a/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch
new file mode 100644
index 0000000..ba13cd1
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch
@@ -0,0 +1,30 @@ 
+Upstream-Status: Pending
+
+Subject: auth2-none.c: avoid authenticate empty passwords to mess up with PAM
+
+If UsePAM, PermitEmptyPasswords, PasswordAuthentication are enabled. The ssh daemon
+will try to authenticate an empty password, resulting in login failures of any user.
+If PAM is enabled, then we should leave the task of password authentication to PAM.
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+
+---
+ auth2-none.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/auth2-none.c b/auth2-none.c
+index c8c6c74..b48b2fd 100644
+--- a/auth2-none.c
++++ b/auth2-none.c
+@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
+ {
+ 	none_enabled = 0;
+ 	packet_check_eom();
+-	if (options.permit_empty_passwd && options.password_authentication)
++	if (options.permit_empty_passwd && options.password_authentication && !options.use_pam)
+ 		return (PRIVSEP(auth_password(authctxt, "")));
+ 	return (0);
+ }
+-- 
+1.7.9.5
+
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
index 8f32c2e..047a895 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -24,7 +24,8 @@  SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
            file://add-test-support-for-busybox.patch \
            file://run-ptest \
            file://openssh-CVE-2014-2532.patch \
-           file://openssh-CVE-2014-2653.patch"
+           file://openssh-CVE-2014-2653.patch \
+           file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
 
 PAM_SRC_URI = "file://sshd"