From 01dcf6413807d2e7123470057a3db75ee14b481d Mon Sep 17 00:00:00 2001 From: des Date: Thu, 22 Sep 2005 05:35:24 +0000 Subject: Do not use passphraseless keys for authentication unless the nullok option was specified. PR: bin/81231 Submitted by: "Daniel O'Connor" MFC after: 3 days --- lib/libpam/modules/pam_ssh/pam_ssh.8 | 5 +++++ lib/libpam/modules/pam_ssh/pam_ssh.c | 10 ++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.8 b/lib/libpam/modules/pam_ssh/pam_ssh.8 index 468e99c..07e3176 100644 --- a/lib/libpam/modules/pam_ssh/pam_ssh.8 +++ b/lib/libpam/modules/pam_ssh/pam_ssh.8 @@ -93,6 +93,11 @@ This option is similar to the option, except that if the previously obtained password fails, the user is prompted for another password. +.It Cm nullok +Normally, keys with no passphrase are ignored for authentication +purposes. +If this option is set, keys with no passphrase will be taken into +consideration, allowing the user to log in with a blank password. .El .Ss SSH Session Management Module The diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.c b/lib/libpam/modules/pam_ssh/pam_ssh.c index 0d0b130..24bd7f4 100644 --- a/lib/libpam/modules/pam_ssh/pam_ssh.c +++ b/lib/libpam/modules/pam_ssh/pam_ssh.c @@ -136,7 +136,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, const char **kfn, *passphrase, *user; struct passwd *pwd; struct pam_ssh_key *psk; - int nkeys, pam_err, pass; + int nkeys, nullok, pam_err, pass; + + nullok = (openpam_get_option(pamh, "nullok") != NULL); /* PEM is not loaded by default */ OpenSSL_add_all_algorithms(); @@ -151,6 +153,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, if (pwd->pw_dir == NULL) return (PAM_AUTH_ERR); + nkeys = 0; pass = (pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase) == PAM_SUCCESS); load_keys: @@ -160,13 +163,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, if (pam_err != PAM_SUCCESS) return (pam_err); + if (*passphrase == '\0' && !nullok) + goto skip_keys; + /* switch to user credentials */ pam_err = openpam_borrow_cred(pamh, pwd); if (pam_err != PAM_SUCCESS) return (pam_err); /* try to load keys from all keyfiles we know of */ - nkeys = 0; for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase); if (psk != NULL) { @@ -178,6 +183,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, /* switch back to arbitrator credentials */ openpam_restore_cred(pamh); + skip_keys: /* * If we tried an old token and didn't get anything, and * try_first_pass was specified, try again after prompting the -- cgit v1.1