tomcat-11: fix mediator version and license
[oi-userland.git] / components / network / hpn-ssh / patches / 0009-PAM-conversation-fix.patch
blob7225bd8120f8ac94f93924ab27df99fe5f721381
1 --- hpn-ssh-hpn-18.4.2/auth-pam.c.orig
2 +++ hpn-ssh-hpn-18.4.2/auth-pam.c
3 @@ -1287,11 +1287,13 @@
4 free(env);
7 +#ifndef PAM_BUGFIX
8 /*
9 * "Blind" conversation function for password authentication. Assumes that
10 * echo-off prompts are for the password and stores messages for later
11 * display.
13 +#endif
14 static int
15 sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
16 struct pam_response **resp, void *data)
17 @@ -1313,12 +1315,24 @@
18 for (i = 0; i < n; ++i) {
19 switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
20 case PAM_PROMPT_ECHO_OFF:
21 +#ifdef PAM_BUGFIX
22 + /*
23 + * PAM conversation function for the password userauth
24 + * method (non-interactive) really cannot do any
25 + * prompting. We set the PAM_AUTHTOK item in
26 + * sshpam_auth_passwd()to avoid conversation. If some
27 + * modules still try to converse, then the password
28 + * userauth will fail.
29 + */
30 + goto fail;
31 +#else
32 if (sshpam_password == NULL)
33 goto fail;
34 if ((reply[i].resp = strdup(sshpam_password)) == NULL)
35 goto fail;
36 reply[i].resp_retcode = PAM_SUCCESS;
37 break;
38 +#endif
39 case PAM_ERROR_MSG:
40 case PAM_TEXT_INFO:
41 len = strlen(PAM_MSG_MEMBER(msg, i, msg));
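Review bot: The unconditional `goto fail` under `PAM_BUGFIX` in the `PAM_PROMPT_ECHO_OFF` case rejects the attempt without logging anything, so a stack in which a module ignores the preset PAM_AUTHTOK and prompts anyway will look like a wrong password to both the user and the administrator. A line such as `debug("PAM: %s: module prompted during password userauth, failing", __func__);` before the jump would make that misconfiguration diagnosable. The added comment also reads `sshpam_auth_passwd()to`, which is missing a space. The body of sshpam_passwd_conv starts and ends outside this hunk, so what the `fail` label releases is not visible here.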
42 @@ -1355,6 +1369,9 @@
43 int
44 sshpam_auth_passwd(Authctxt *authctxt, const char *password)
46 +#ifdef PAM_BUGFIX
47 + int set_item_rtn;
48 +#endif
49 int flags = (options.permit_empty_passwd == 0 ?
50 PAM_DISALLOW_NULL_AUTHTOK : 0);
51 char *fake = NULL;
52 @@ -1375,6 +1392,15 @@
53 options.permit_root_login != PERMIT_YES))
54 sshpam_password = fake = fake_password(password);
56 +#ifdef PAM_BUGFIX
57 + sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, password);
58 + if (sshpam_err != PAM_SUCCESS) {
59 + debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
60 + pam_strerror(sshpam_handle, sshpam_err));
61 + return 0;
62 + }
63 +#endif
65 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
66 (const void *)&passwd_conv);
67 if (sshpam_err != PAM_SUCCESS)
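Review bot: The added `pam_set_item(sshpam_handle, PAM_AUTHTOK, password)` hands PAM the client's real password even when the context line just above has switched `sshpam_password` to the result of `fake_password(password)`. That substitution presumably exists so that invalid users and root logins that are not permitted are never checked against the real credential. Because the conversation function now fails on every echo-off prompt, PAM_AUTHTOK is the only path the password takes, so the substitution is effectively bypassed. Passing the substituted value keeps it in force: `sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, sshpam_password);` (this assumes sshpam_password holds the client password in the normal case, which is assigned outside the hunk). The early `return 0` also skips the `free(fake)` visible in the next hunk, so the error path should call `free(fake);` before returning.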
68 @@ -1386,6 +1412,16 @@
69 free(fake);
70 if (sshpam_err == PAM_MAXTRIES)
71 sshpam_set_maxtries_reached(1);
73 +#ifdef PAM_BUGFIX
74 + set_item_rtn = pam_set_item(sshpam_handle, PAM_AUTHTOK, NULL);
75 + if (set_item_rtn != PAM_SUCCESS) {
76 + debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
77 + pam_strerror(sshpam_handle, set_item_rtn));
78 + return 0;
79 + }
80 +#endif
82 if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
83 debug("PAM: password authentication accepted for %.100s",
84 authctxt->user);
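Review bot: Both `PAM_BUGFIX` failure paths log the same text, `failed to set PAM_AUTHTOK`, so a log line cannot distinguish a failure to install the token before pam_authenticate from a failure to clear it afterwards; this one should read `failed to clear PAM_AUTHTOK`. The `return 0` here can also override a pam_authenticate result of PAM_SUCCESS, and it reports that only at `debug()` level; `error()` would suit a rejected login that PAM had accepted. Whether setting the item to NULL also scrubs the stored copy depends on the PAM implementation, which is worth stating in a comment above the call.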