openssh: avoid checking empty passwords to mess up with PAM modules

Previously, even if PAM is enabled for ssh, the daemon still tries to authenticate an empty password. This leads to authentication failure which would mess up with PAM modules. As a result, if 'UsePAM', 'PermitEmptyPasswords' and 'PasswordAuthentication' are enabled, no user can login correctly. We would meet the following error message at the client side. Write failed: Broken Pipe This patch fixes the above problem by checking whether PAM is enabled before authenticating an empty password. After all, if PAM is enabled, the task of authenticating passwords should be handled to PAM modules. [YOCTO #6466] (From OE-Core rev: e017ae71dad4837b0d22f291b0b0e0949075f822) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chen Qi <Qi.Chen@windriver.com> 2014-07-02 14:24:39 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-07-03 17:41:18 +0100
commit: 301c3f93891c23a42ae7020ef78125adadd021e5 (patch)
tree: 84bb4f24fd271b596988770571af3a738109751b /meta/recipes-connectivity
parent: 96748199f5f1b03be6729cb63de1200abfda7612 (diff)
download: poky-301c3f93891c23a42ae7020ef78125adadd021e5.tar.gz
2 files changed, 32 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch
new file mode 100644
index 0000000000..ba13cd1919
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch
@@ -0,0 +1,30 @@
+Upstream-Status: Pending
+Subject: auth2-none.c: avoid authenticate empty passwords to mess up with PAM
+If UsePAM, PermitEmptyPasswords, PasswordAuthentication are enabled. The ssh daemon
+will try to authenticate an empty password, resulting in login failures of any user.
+If PAM is enabled, then we should leave the task of password authentication to PAM.
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ auth2-none.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/auth2-none.c b/auth2-none.c
+index c8c6c74..b48b2fd 100644
+--- a/auth2-none.c
+++ b/auth2-none.c
+@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
+ {
+        none_enabled = 0;
+        packet_check_eom();
+-       if (options.permit_empty_passwd && options.password_authentication)
+       if (options.permit_empty_passwd && options.password_authentication && !options.use_pam)
+                return (PRIVSEP(auth_password(authctxt, "")));
+        return (0);
+ }
+-- 
+1.7.9.5
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
index 8f32c2e63e..047a895aae 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -24,7 +24,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
           file://add-test-support-for-busybox.patch \
           file://run-ptest \
           file://openssh-CVE-2014-2532.patch \
-           file://openssh-CVE-2014-2653.patch"
+           file://openssh-CVE-2014-2653.patch \
+           file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
 PAM_SRC_URI = "file://sshd"
author	Chen Qi <Qi.Chen@windriver.com>	2014-07-02 14:24:39 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-07-03 17:41:18 +0100
commit	301c3f93891c23a42ae7020ef78125adadd021e5 (patch)
tree	84bb4f24fd271b596988770571af3a738109751b /meta/recipes-connectivity
parent	96748199f5f1b03be6729cb63de1200abfda7612 (diff)
download	poky-301c3f93891c23a42ae7020ef78125adadd021e5.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch new file mode 100644 index 0000000000..ba13cd1919 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch
@@ -0,0 +1,30 @@
		1	Upstream-Status: Pending
		2
		3	Subject: auth2-none.c: avoid authenticate empty passwords to mess up with PAM
		4
		5	If UsePAM, PermitEmptyPasswords, PasswordAuthentication are enabled. The ssh daemon
		6	will try to authenticate an empty password, resulting in login failures of any user.
		7	If PAM is enabled, then we should leave the task of password authentication to PAM.
		8
		9	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		10
		11	---
		12	auth2-none.c \| 2 +-
		13	1 file changed, 1 insertion(+), 1 deletion(-)
		14
		15	diff --git a/auth2-none.c b/auth2-none.c
		16	index c8c6c74..b48b2fd 100644
		17	--- a/auth2-none.c
		18	+++ b/auth2-none.c
		19	@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
		20	{
		21	none_enabled = 0;
		22	packet_check_eom();
		23	- if (options.permit_empty_passwd && options.password_authentication)
		24	+ if (options.permit_empty_passwd && options.password_authentication && !options.use_pam)
		25	return (PRIVSEP(auth_password(authctxt, "")));
		26	return (0);
		27	}
		28	--
		29	1.7.9.5
		30


diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb index 8f32c2e63e..047a895aae 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -24,7 +24,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
24	file://add-test-support-for-busybox.patch \	24	file://add-test-support-for-busybox.patch \
25	file://run-ptest \	25	file://run-ptest \
26	file://openssh-CVE-2014-2532.patch \	26	file://openssh-CVE-2014-2532.patch \
27	file://openssh-CVE-2014-2653.patch"	27	file://openssh-CVE-2014-2653.patch \
		28	file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
28		29
29	PAM_SRC_URI = "file://sshd"	30	PAM_SRC_URI = "file://sshd"
30		31