989d921f5d
I'm very pleased to announce the release of our new website and documentation using the new toolchain with Hugo and AsciiDoctor. To get more information about the new toolchain please read the FreeBSD Documentation Project Primer[1], Hugo docs[2] and AsciiDoctor docs[3]. Acknowledgment: Benedict Reuschling <bcr@> Glen Barber <gjb@> Hiroki Sato <hrs@> Li-Wen Hsu <lwhsu@> Sean Chittenden <seanc@> The FreeBSD Foundation [1] https://docs.FreeBSD.org/en/books/fdp-primer/ [2] https://gohugo.io/documentation/ [3] https://docs.asciidoctor.org/home/ Approved by: doceng, core
64 lines
2.2 KiB
Diff
64 lines
2.2 KiB
Diff
Index: lib/libpam/modules/pam_ssh/pam_ssh.c
|
|
===================================================================
|
|
--- lib/libpam/modules/pam_ssh/pam_ssh.c (revision 227756)
|
|
+++ lib/libpam/modules/pam_ssh/pam_ssh.c (revision 227757)
|
|
@@ -93,7 +93,8 @@
|
|
* struct pam_ssh_key containing the key and its comment.
|
|
*/
|
|
static struct pam_ssh_key *
|
|
-pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase)
|
|
+pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase,
|
|
+ int nullok)
|
|
{
|
|
struct pam_ssh_key *psk;
|
|
char fn[PATH_MAX];
|
|
@@ -103,7 +104,21 @@
|
|
if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn))
|
|
return (NULL);
|
|
comment = NULL;
|
|
- key = key_load_private(fn, passphrase, &comment);
|
|
+ /*
|
|
+ * If the key is unencrypted, OpenSSL ignores the passphrase, so
|
|
+ * it will seem like the user typed in the right one. This allows
|
|
+ * a user to circumvent nullok by providing a dummy passphrase.
|
|
+ * Verify that the key really *is* encrypted by trying to load it
|
|
+ * with an empty passphrase, and if the key is not encrypted,
|
|
+ * accept only an empty passphrase.
|
|
+ */
|
|
+ key = key_load_private(fn, NULL, &comment);
|
|
+ if (key != NULL && !(*passphrase == '\0' && nullok)) {
|
|
+ key_free(key);
|
|
+ return (NULL);
|
|
+ }
|
|
+ if (key == NULL)
|
|
+ key = key_load_private(fn, passphrase, &comment);
|
|
if (key == NULL) {
|
|
openpam_log(PAM_LOG_DEBUG, "failed to load key from %s", fn);
|
|
return (NULL);
|
|
@@ -170,9 +185,6 @@
|
|
if (pam_err != PAM_SUCCESS)
|
|
return (pam_err);
|
|
|
|
- if (*passphrase == '\0' && !nullok)
|
|
- goto skip_keys;
|
|
-
|
|
/* switch to user credentials */
|
|
pam_err = openpam_borrow_cred(pamh, pwd);
|
|
if (pam_err != PAM_SUCCESS)
|
|
@@ -180,7 +192,7 @@
|
|
|
|
/* try to load keys from all keyfiles we know of */
|
|
for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
|
|
- psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase);
|
|
+ psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase, nullok);
|
|
if (psk != NULL) {
|
|
pam_set_data(pamh, *kfn, psk, pam_ssh_free_key);
|
|
++nkeys;
|
|
@@ -190,7 +202,6 @@
|
|
/* switch back to arbitrator credentials */
|
|
openpam_restore_cred(pamh);
|
|
|
|
- skip_keys:
|
|
/*
|
|
* If we tried an old token and didn't get anything, and
|
|
* try_first_pass was specified, try again after prompting the
|