Comment 5 for bug 10334

In , Darren Tucker (dtucker) wrote : Re: Bug#281595: timing attack allows attacker to determine valid usernames

Colin Watson wrote:
> 20040530
> [...]
> - (dtucker) [auth-pam.c] Use an invalid password for root if
> PermitRootLogin != yes or the login is invalid, to prevent leaking
> information. Based on Openwall's owl-always-auth patch. ok djm@
>
> However, that's only PAM password authentication, and
> keyboard-interactive is relevant too. Darren, do you happen to know if
> kbdint has been fixed in the same way in 3.9p1? I don't see anything
> obvious in CVS.

No, it's not fixed in 3.9p1.

The problem is not exactly the same, though. In this case, it's partly
because the keyboard-interactive code doesn't call the kbdint driver at
all in this case. The first attached patch ought to fix that.

With that fixed, a change to the PAM code is required because it will
complete for a real user with their real password if, e.g., they are listed
in DenyUsers. This will result in the PAM code getting out of sync with
the kbdint code, resulting in the authentication hanging. The second
patch ought to fix that.

I haven't done much testing of either patch, so please let me know how
they go.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
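
The two fixes described in the message above, as a simplified model added here (not OpenSSH code and not either of the attached patches): the backend is driven for every attempt, and account validity and the deny list are applied only to the result. The account table, slow_hash(), authenticate() and the dummy secret are hypothetical names, and the plaintext table stands in for the real PAM or crypt backend.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample accounts; "mallory" exists but is denied (cf. DenyUsers). */
struct account { const char *name; const char *password; int denied; };
static const struct account accounts[] = {
    { "alice",   "correct horse", 0 },
    { "mallory", "hunter2",       1 },
};

static unsigned long backend_calls;   /* counts expensive backend invocations */

/* Stand-in for the expensive backend step: FNV-1a fold of the input followed
 * by a fixed number of mixing rounds. NOT a real password hash. */
static uint64_t slow_hash(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    backend_calls++;
    for (const char *p = s; *p; p++)
        h = (h ^ (unsigned char)*p) * 1099511628211ULL;
    for (int round = 0; round < 100000; round++)   /* cost independent of input */
        h = (h ^ (h >> 29)) * 1099511628211ULL;
    return h;
}

/* Returns 1 on success. The backend does the same work for valid, denied and
 * unknown users; the policy decision is applied only to its result. */
int authenticate(const char *user, const char *attempt)
{
    const struct account *acct = NULL;
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strcmp(accounts[i].name, user) == 0)
            acct = &accounts[i];            /* no early exit: full scan every time */
    /* Unknown user: verify against a dummy secret instead of skipping the backend. */
    const char *reference = acct ? acct->password : "dummy-never-matches";
    int match = slow_hash(attempt) == slow_hash(reference);
    /* A denied user never succeeds, even when the real password matched. */
    int allowed = acct != NULL && !acct->denied;
    return match & allowed;
}

int main(void)
{
    int a = authenticate("alice", "correct horse");
    int m = authenticate("mallory", "hunter2");
    int n = authenticate("nobody", "guess");
    printf("alice=%d mallory=%d nobody=%d backend_calls=%lu\n", a, m, n, backend_calls);
    return 0;
}
```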