Merge pull request #6 from norrs/pam_server_password_fix

Validate server password when PAM is disabled.
This commit is contained in:
Alexander Barton 2014-02-28 22:26:41 +01:00
commit af9161a9bc
2 changed files with 29 additions and 29 deletions

View File

@ -370,9 +370,8 @@ Conf_Test( void )
? (const char*) array_start(&Conf_Motd) : "");
}
printf(" Network = %s\n", Conf_Network);
#ifndef PAM
printf(" Password = %s\n", Conf_ServerPwd);
#endif
if (!Conf_PAM)
printf(" Password = %s\n", Conf_ServerPwd);
printf(" PidFile = %s\n", Conf_PidFile);
printf(" Ports = ");
ports_puts(&Conf_ListenPorts);
@ -2259,7 +2258,7 @@ Validate_Config(bool Configtest, bool Rehash)
}
#ifdef PAM
if (Conf_ServerPwd[0])
if (Conf_PAM && Conf_ServerPwd[0])
Config_Error(LOG_ERR,
"This server uses PAM, \"Password\" in [Global] section will be ignored!");
#endif

View File

@ -91,13 +91,12 @@ Login_User(CLIENT * Client)
#ifdef PAM
if (!Conf_PAM) {
/* Don't do any PAM authentication at all, instead emulate
* the behavior of the daemon compiled without PAM support:
* because there can't be any "server password", all
* passwords supplied are classified as "wrong". */
if(Conn_Password(conn)[0] == '\0')
/* Don't do any PAM authentication at all if PAM is not
* enabled, instead emulate the behavior of the daemon
* compiled without PAM support. */
if (strcmp(Conn_Password(conn), Conf_ServerPwd) == 0)
return Login_User_PostAuth(Client);
Client_Reject(Client, "Non-empty password", false);
Client_Reject(Client, "Bad server password", false);
return DISCONNECTED;
}
@ -111,25 +110,27 @@ Login_User(CLIENT * Client)
return Login_User_PostAuth(Client);
}
/* Fork child process for PAM authentication; and make sure that the
* process timeout is set higher than the login timeout! */
pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,
cb_Read_Auth_Result, Conf_PongTimeout + 1);
if (pid > 0) {
LogDebug("Authenticator for connection %d created (PID %d).",
conn, pid);
return CONNECTED;
} else {
/* Sub process */
Log_Init_Subprocess("Auth");
Conn_CloseAllSockets(NONE);
result = PAM_Authenticate(Client);
if (write(pipefd[1], &result, sizeof(result)) != sizeof(result))
Log_Subprocess(LOG_ERR,
"Failed to pipe result to parent!");
Log_Exit_Subprocess("Auth");
exit(0);
}
if (Conf_PAM) {
/* Fork child process for PAM authentication; and make sure that the
* process timeout is set higher than the login timeout! */
pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,
cb_Read_Auth_Result, Conf_PongTimeout + 1);
if (pid > 0) {
LogDebug("Authenticator for connection %d created (PID %d).",
conn, pid);
return CONNECTED;
} else {
/* Sub process */
Log_Init_Subprocess("Auth");
Conn_CloseAllSockets(NONE);
result = PAM_Authenticate(Client);
if (write(pipefd[1], &result, sizeof(result)) != sizeof(result))
Log_Subprocess(LOG_ERR,
"Failed to pipe result to parent!");
Log_Exit_Subprocess("Auth");
exit(0);
}
} else return CONNECTED;
#else
/* Check global server password ... */
if (strcmp(Conn_Password(conn), Conf_ServerPwd) != 0) {