Merge pull request #6 from norrs/pam_server_password_fix

Validate server password when PAM is disabled.
Alexander Barton 2014-02-28 22:26:41 +01:00
commit af9161a9bc
2 changed files with 29 additions and 29 deletions


@ -370,9 +370,8 @@ Conf_Test( void )
? (const char*) array_start(&Conf_Motd) : ""); ? (const char*) array_start(&Conf_Motd) : "");
} }
printf(" Network = %s\n", Conf_Network); printf(" Network = %s\n", Conf_Network);
#ifndef PAM if (!Conf_PAM)
printf(" Password = %s\n", Conf_ServerPwd); printf(" Password = %s\n", Conf_ServerPwd);
#endif
printf(" PidFile = %s\n", Conf_PidFile); printf(" PidFile = %s\n", Conf_PidFile);
printf(" Ports = "); printf(" Ports = ");
ports_puts(&Conf_ListenPorts); ports_puts(&Conf_ListenPorts);
@ -2259,7 +2258,7 @@ Validate_Config(bool Configtest, bool Rehash)
} }
#ifdef PAM #ifdef PAM
if (Conf_ServerPwd[0]) if (Conf_PAM && Conf_ServerPwd[0])
Config_Error(LOG_ERR, Config_Error(LOG_ERR,
"This server uses PAM, \"Password\" in [Global] section will be ignored!"); "This server uses PAM, \"Password\" in [Global] section will be ignored!");
#endif #endif
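Review bot: The `printf(" Password = %s\n", Conf_ServerPwd);` line in Conf_Test writes the server password in clear text, and with the compile-time `#ifndef PAM` replaced by `if (!Conf_PAM)` it is now printed by PAM-capable builds too whenever PAM is switched off. Since this commit makes that password the login credential in exactly that configuration, I would add a comment above it such as `/* prints the server password in clear text; treat this output as sensitive */`, or print a placeholder when the value is non-empty. Conf_PAM is also now read outside any `#ifdef PAM` in this function; its declaration and default are not visible here, so confirm it is declared and false in builds without PAM. Conf_Test's body continues outside the hunk.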


@ -91,13 +91,12 @@ Login_User(CLIENT * Client)
#ifdef PAM #ifdef PAM
if (!Conf_PAM) { if (!Conf_PAM) {
/* Don't do any PAM authentication at all, instead emulate /* Don't do any PAM authentication at all if PAM is not
* the behavior of the daemon compiled without PAM support: * enabled, instead emulate the behavior of the daemon
* because there can't be any "server password", all * compiled without PAM support. */
* passwords supplied are classified as "wrong". */ if (strcmp(Conn_Password(conn), Conf_ServerPwd) == 0)
if(Conn_Password(conn)[0] == '\0')
return Login_User_PostAuth(Client); return Login_User_PostAuth(Client);
Client_Reject(Client, "Non-empty password", false); Client_Reject(Client, "Bad server password", false);
return DISCONNECTED; return DISCONNECTED;
} }
@ -111,25 +110,27 @@ Login_User(CLIENT * Client)
return Login_User_PostAuth(Client); return Login_User_PostAuth(Client);
} }
/* Fork child process for PAM authentication; and make sure that the if (Conf_PAM) {
* process timeout is set higher than the login timeout! */ /* Fork child process for PAM authentication; and make sure that the
pid = Proc_Fork(Conn_GetProcStat(conn), pipefd, * process timeout is set higher than the login timeout! */
cb_Read_Auth_Result, Conf_PongTimeout + 1); pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,
if (pid > 0) { cb_Read_Auth_Result, Conf_PongTimeout + 1);
LogDebug("Authenticator for connection %d created (PID %d).", if (pid > 0) {
conn, pid); LogDebug("Authenticator for connection %d created (PID %d).",
return CONNECTED; conn, pid);
} else { return CONNECTED;
/* Sub process */ } else {
Log_Init_Subprocess("Auth"); /* Sub process */
Conn_CloseAllSockets(NONE); Log_Init_Subprocess("Auth");
result = PAM_Authenticate(Client); Conn_CloseAllSockets(NONE);
if (write(pipefd[1], &result, sizeof(result)) != sizeof(result)) result = PAM_Authenticate(Client);
Log_Subprocess(LOG_ERR, if (write(pipefd[1], &result, sizeof(result)) != sizeof(result))
"Failed to pipe result to parent!"); Log_Subprocess(LOG_ERR,
Log_Exit_Subprocess("Auth"); "Failed to pipe result to parent!");
exit(0); Log_Exit_Subprocess("Auth");
} exit(0);
}
} else return CONNECTED;
#else #else
/* Check global server password ... */ /* Check global server password ... */
if (strcmp(Conn_Password(conn), Conf_ServerPwd) != 0) { if (strcmp(Conn_Password(conn), Conf_ServerPwd) != 0) {
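Review bot: The trailing `} else return CONNECTED;` added around the Proc_Fork block in Login_User looks unreachable, because the `if (!Conf_PAM) { ... }` block in the first hunk returns on both of its paths. If that early guard is ever changed, this branch would leave the connection in CONNECTED with no authenticator forked and no reject. I would drop the `if (Conf_PAM) {` wrapper and keep the fork block as it was, or make the fallback fail closed with a `Client_Reject(...)` followed by `return DISCONNECTED;`. Separately, the new `strcmp(Conn_Password(conn), Conf_ServerPwd) == 0` check stops at the first differing byte, as does the non-PAM branch at the end of the hunk; a constant-time comparison would be preferable for a shared secret. The lines between the two hunks are not shown, so the reachability point assumes nothing there falls through with Conf_PAM false.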