openssh: avoid checking empty passwords to mess up with PAM modules

Previously, even if PAM is enabled for ssh, the daemon still tries to
authenticate an empty password. This leads to authentication failure
which would mess up with PAM modules.

As a result, if 'UsePAM', 'PermitEmptyPasswords' and 'PasswordAuthentication'
are enabled, no user can log in correctly. We would meet the following error
message at the client side.

	Write failed: Broken Pipe

This patch fixes the above problem by checking whether PAM is enabled before
authenticating an empty password. After all, if PAM is enabled, the task of
authenticating passwords should be handed to PAM modules.

[YOCTO #6466]

(From OE-Core rev: e017ae71dad4837b0d22f291b0b0e0949075f822)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Chen Qi
2014-07-02 14:24:39 +08:00
committed by Richard Purdie
parent 96748199f5
commit 301c3f9389
2 changed files with 32 additions and 1 deletions

@@ -0,0 +1,30 @@
Upstream-Status: Pending
Subject: auth2-none.c: avoid authenticate empty passwords to mess up with PAM
If UsePAM, PermitEmptyPasswords, PasswordAuthentication are enabled. The ssh daemon
will try to authenticate an empty password, resulting in login failures of any user.
If PAM is enabled, then we should leave the task of password authentication to PAM.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
auth2-none.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth2-none.c b/auth2-none.c
index c8c6c74..b48b2fd 100644
--- a/auth2-none.c
+++ b/auth2-none.c
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
{
none_enabled = 0;
packet_check_eom();
- if (options.permit_empty_passwd && options.password_authentication)
+ if (options.permit_empty_passwd && options.password_authentication && !options.use_pam)
return (PRIVSEP(auth_password(authctxt, "")));
return (0);
}
--
1.7.9.5
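
Review bot: In userauth_none, the added `&& !options.use_pam` means that with UsePAM on the function always falls through to `return (0)`, so PermitEmptyPasswords no longer has any effect on the none method, and the patch description does not say how an account with an empty password is then expected to authenticate. Say in the description, or in a comment above the condition, that such logins are now left to the password method and PAM, and confirm that path with UsePAM, PermitEmptyPasswords and PasswordAuthentication all enabled. The description also gives only the symptom; one sentence on why calling `auth_password(authctxt, "")` under PAM breaks later logins would help given `Upstream-Status: Pending`. The changed condition is long enough that wrapping it onto two lines would read better.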

@@ -24,7 +24,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
file://add-test-support-for-busybox.patch \
file://run-ptest \
file://openssh-CVE-2014-2532.patch \
file://openssh-CVE-2014-2653.patch"
file://openssh-CVE-2014-2653.patch \
file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
PAM_SRC_URI = "file://sshd"
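
Review bot: The new SRC_URI entry `auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch` keeps the truncated auto-generated name (it ends in "to-m") and drops the `openssh-` prefix used by the neighbouring `openssh-CVE-2014-2532.patch` and `openssh-CVE-2014-2653.patch`. Rename it to something short and complete that says what it does, so the entry is readable in the recipe and easy to find when the patch is later dropped or upstreamed. Since the change only matters when PAM is in use, it is also worth a word in the commit message on why it sits in the unconditional SRC_URI rather than beside `PAM_SRC_URI`.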