Merge pull request #6 from norrs/pam_server_password_fix
Validate server password when PAM is disabled.
This commit is contained in:
commit
af9161a9bc
|
@ -370,9 +370,8 @@ Conf_Test( void )
|
|||
? (const char*) array_start(&Conf_Motd) : "");
|
||||
}
|
||||
printf(" Network = %s\n", Conf_Network);
|
||||
#ifndef PAM
|
||||
printf(" Password = %s\n", Conf_ServerPwd);
|
||||
#endif
|
||||
if (!Conf_PAM)
|
||||
printf(" Password = %s\n", Conf_ServerPwd);
|
||||
printf(" PidFile = %s\n", Conf_PidFile);
|
||||
printf(" Ports = ");
|
||||
ports_puts(&Conf_ListenPorts);
|
||||
|
@ -2259,7 +2258,7 @@ Validate_Config(bool Configtest, bool Rehash)
|
|||
}
|
||||
|
||||
#ifdef PAM
|
||||
if (Conf_ServerPwd[0])
|
||||
if (Conf_PAM && Conf_ServerPwd[0])
|
||||
Config_Error(LOG_ERR,
|
||||
"This server uses PAM, \"Password\" in [Global] section will be ignored!");
|
||||
#endif
|
||||
|
|
|
@ -91,13 +91,12 @@ Login_User(CLIENT * Client)
|
|||
|
||||
#ifdef PAM
|
||||
if (!Conf_PAM) {
|
||||
/* Don't do any PAM authentication at all, instead emulate
|
||||
* the behavior of the daemon compiled without PAM support:
|
||||
* because there can't be any "server password", all
|
||||
* passwords supplied are classified as "wrong". */
|
||||
if(Conn_Password(conn)[0] == '\0')
|
||||
/* Don't do any PAM authentication at all if PAM is not
|
||||
* enabled, instead emulate the behavior of the daemon
|
||||
* compiled without PAM support. */
|
||||
if (strcmp(Conn_Password(conn), Conf_ServerPwd) == 0)
|
||||
return Login_User_PostAuth(Client);
|
||||
Client_Reject(Client, "Non-empty password", false);
|
||||
Client_Reject(Client, "Bad server password", false);
|
||||
return DISCONNECTED;
|
||||
}
|
||||
|
||||
|
@ -111,25 +110,27 @@ Login_User(CLIENT * Client)
|
|||
return Login_User_PostAuth(Client);
|
||||
}
|
||||
|
||||
/* Fork child process for PAM authentication; and make sure that the
|
||||
* process timeout is set higher than the login timeout! */
|
||||
pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,
|
||||
cb_Read_Auth_Result, Conf_PongTimeout + 1);
|
||||
if (pid > 0) {
|
||||
LogDebug("Authenticator for connection %d created (PID %d).",
|
||||
conn, pid);
|
||||
return CONNECTED;
|
||||
} else {
|
||||
/* Sub process */
|
||||
Log_Init_Subprocess("Auth");
|
||||
Conn_CloseAllSockets(NONE);
|
||||
result = PAM_Authenticate(Client);
|
||||
if (write(pipefd[1], &result, sizeof(result)) != sizeof(result))
|
||||
Log_Subprocess(LOG_ERR,
|
||||
"Failed to pipe result to parent!");
|
||||
Log_Exit_Subprocess("Auth");
|
||||
exit(0);
|
||||
}
|
||||
if (Conf_PAM) {
|
||||
/* Fork child process for PAM authentication; and make sure that the
|
||||
* process timeout is set higher than the login timeout! */
|
||||
pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,
|
||||
cb_Read_Auth_Result, Conf_PongTimeout + 1);
|
||||
if (pid > 0) {
|
||||
LogDebug("Authenticator for connection %d created (PID %d).",
|
||||
conn, pid);
|
||||
return CONNECTED;
|
||||
} else {
|
||||
/* Sub process */
|
||||
Log_Init_Subprocess("Auth");
|
||||
Conn_CloseAllSockets(NONE);
|
||||
result = PAM_Authenticate(Client);
|
||||
if (write(pipefd[1], &result, sizeof(result)) != sizeof(result))
|
||||
Log_Subprocess(LOG_ERR,
|
||||
"Failed to pipe result to parent!");
|
||||
Log_Exit_Subprocess("Auth");
|
||||
exit(0);
|
||||
}
|
||||
} else return CONNECTED;
|
||||
#else
|
||||
/* Check global server password ... */
|
||||
if (strcmp(Conn_Password(conn), Conf_ServerPwd) != 0) {
|
||||
|
|
Loading…
Reference in New Issue