Comment 9 for bug 10334

In , Colin Watson (cjwatson) wrote : Re: Bug#281595: timing attack allows attacker to determine valid usernames

On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> On Sat, Nov 20, 2004 at 01:51:55PM +1100, Darren Tucker wrote:
> > No, it's not fixed in 3.9p1.
> >
> > The problem is not exactly the same, though. In this case, it's partly
> > because the keyboard-interactive code doesn't call the kbdint driver at
> > all in this case. The first attached patch ought to fix that.
> >
> > With that fixed, a change to the PAM code is required because it will
> > complete for a real user with their real password if, e.g., they are listed
> > in DenyUsers. This will result in the PAM code getting out of sync with
> > the kbdint code, resulting in the authentication hanging. The second
> > patch ought to fix that.
> >
> > I haven't done much testing of either patch, so please let me know how
> > they go.
>
> Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> PasswordAuthentication; the patch is attached. It seems to work for me.
> After a bit more testing I'll upload this to unstable.

Here's a further patch on top of your openssh-pam-kbdint-leak.patch
which makes sure that attempted root logins when PermitRootLogin is not
set to yes always have the same delay (Debian bug #248747). It's the
same as you did for PAM PasswordAuthentication.

Cheers,

--
Colin Watson [<email address hidden>]
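
The principle behind the "same delay" fix discussed in this thread, as an added example that is not part of the original message and is not OpenSSH code: an early rejection of unknown or policy-barred users skips the costly check and so answers faster, while the uniform variant always performs one check and applies policy afterwards. The account table, function names and `verify_calls` counter are hypothetical, and `slow_verify` is a stand-in for crypt() or a PAM conversation.

```c
#include <string.h>

/* Constructed account table; all names and fields here are hypothetical. */
struct account { const char *name, *password; int denied; };
static const struct account accounts[] = {
    { "alice", "correct horse", 0 },
    { "root",  "example-root-pw", 1 },  /* barred by policy, cf. PermitRootLogin */
};
unsigned long verify_calls;  /* number of expensive checks performed */

static const struct account *lookup(const char *user)
{
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strcmp(accounts[i].name, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Stand-in for the costly step (crypt() or a PAM conversation in a daemon). */
static int slow_verify(const char *stored, const char *supplied)
{
    volatile unsigned int sink = 2166136261u;
    verify_calls++;
    for (unsigned int i = 0; i < 200000; i++)   /* fixed amount of work */
        sink = (sink ^ i) * 16777619u;
    return strcmp(stored, supplied) == 0;
}

/* Leaky: unknown or barred users are rejected before the costly step. */
int auth_leaky(const char *user, const char *pw)
{
    const struct account *a = lookup(user);
    if (a == NULL || a->denied)
        return 0;
    return slow_verify(a->password, pw);
}

/* Uniform: every attempt pays for one check; policy is applied afterwards. */
int auth_uniform(const char *user, const char *pw)
{
    static const struct account fake = { "", "dummy-never-accepted", 1 };
    const struct account *a = lookup(user);
    const struct account *target = a != NULL ? a : &fake;
    int ok = slow_verify(target->password, pw);
    return ok && !target->denied;
}
```

Comparing `verify_calls` before and after each call shows the difference in work per path without relying on wall-clock measurements.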