author | des <des@FreeBSD.org> | 2005-09-22 05:35:24 +0000 |
committer | des <des@FreeBSD.org> | 2005-09-22 05:35:24 +0000 |
commit | 01dcf6413807d2e7123470057a3db75ee14b481d (patch) | |
tree | 575c69f93b2b7186828a3031dddf0db4eff8397d /lib | |
parent | 84eb58cdc39b619b893d38d1a889d64f0fcb0351 (diff) | |
Do not use passphraseless keys for authentication unless the nullok
option was specified.
PR: bin/81231
Submitted by: "Daniel O'Connor" <doconnor@gsoft.com.au>
MFC after: 3 days
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libpam/modules/pam_ssh/pam_ssh.8 | 5 | ||||
-rw-r--r-- | lib/libpam/modules/pam_ssh/pam_ssh.c | 10 |
2 files changed, 13 insertions, 2 deletions
diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.8 b/lib/libpam/modules/pam_ssh/pam_ssh.8
index 468e99c..07e3176 100644
--- a/lib/libpam/modules/pam_ssh/pam_ssh.8
+++ b/lib/libpam/modules/pam_ssh/pam_ssh.8
@@ -93,6 +93,11 @@ This option is similar to the
 option, except that if the previously obtained password fails, the
 user is prompted for another password.
+.It Cm nullok
+Normally, keys with no passphrase are ignored for authentication
+purposes.
+If this option is set, keys with no passphrase will be taken into
+consideration, allowing the user to log in with a blank password.
 .El
 .Ss SSH Session Management Module
 The
diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.c b/lib/libpam/modules/pam_ssh/pam_ssh.c
index 0d0b130..24bd7f4 100644
--- a/lib/libpam/modules/pam_ssh/pam_ssh.c
+++ b/lib/libpam/modules/pam_ssh/pam_ssh.c
@@ -136,7 +136,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 	const char **kfn, *passphrase, *user;
 	struct passwd *pwd;
 	struct pam_ssh_key *psk;
-	int nkeys, pam_err, pass;
+	int nkeys, nullok, pam_err, pass;
+
+	nullok = (openpam_get_option(pamh, "nullok") != NULL);
 
 	/* PEM is not loaded by default */
 	OpenSSL_add_all_algorithms();
@@ -151,6 +153,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 	if (pwd->pw_dir == NULL)
 		return (PAM_AUTH_ERR);
 
+	nkeys = 0;
 	pass = (pam_get_item(pamh, PAM_AUTHTOK,
 	    (const void **)&passphrase) == PAM_SUCCESS);
  load_keys:
@@ -160,13 +163,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 	if (pam_err != PAM_SUCCESS)
 		return (pam_err);
 
+	if (*passphrase == '\0' && !nullok)
+		goto skip_keys;
+
 	/* switch to user credentials */
 	pam_err = openpam_borrow_cred(pamh, pwd);
 	if (pam_err != PAM_SUCCESS)
 		return (pam_err);
 
 	/* try to load keys from all keyfiles we know of */
-	nkeys = 0;
 	for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
 		psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase);
 		if (psk != NULL) {
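Review bot: The new guard before the key-loading loop tests the token the user supplied (`*passphrase == '\0'`), not whether the key file on disk is actually encrypted, so it only delivers what the pam_ssh.8 text added in this same commit promises ("keys with no passphrase are ignored for authentication purposes") if pam_ssh_load_key() refuses an unencrypted key when handed a non-empty passphrase; that helper is outside this hunk, and if it loads an unencrypted PEM key regardless of the passphrase argument, a passphraseless key still authenticates against any non-blank password and the nullok default is only enforced for the blank-password case. Suggest either having pam_ssh_load_key() report whether a passphrase was actually needed to decrypt the key and skipping keys where it was not (unless nullok), or narrowing the manual page to say that a blank password is rejected. The check also dereferences passphrase unconditionally, which is only safe if the pam_get_authtok() call just above the hunk guarantees a non-NULL token on PAM_SUCCESS; a short comment stating that contract, or an explicit `passphrase == NULL ||` in the condition, would make the assumption visible. pam_sm_authenticate() begins and ends outside this hunk.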
@@ -178,6 +183,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, /* switch back to arbitrator credentials */ openpam_restore_cred(pamh); + skip_keys: /* * If we tried an old token and didn't get anything, and * try_first_pass was specified, try again after prompting the |
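Review bot: `skip_keys:` is placed after openpam_restore_cred(), which is correct because the path that jumps here never reached openpam_borrow_cred(), but nothing at the label records that pairing, so a later edit that moves the restore call or adds work between the borrow and the label could silently leave the process running with borrowed credentials or restoring ones it never borrowed. Suggest a comment above the label such as `/* skip_keys: reached only when no credentials were borrowed, so nothing to restore; nkeys is still 0 here */`, the latter relying on the `nkeys = 0;` that this commit hoists above load_keys. The rest of pam_sm_authenticate(), including the try_first_pass retry that reads nkeys, lies outside this hunk.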