2 files changed, 32 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch
new file mode 100644
index 0000000000..ba13cd1919
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch
@@ -0,0 +1,30 @@
+Upstream-Status: Pending
+Subject: auth2-none.c: avoid authenticate empty passwords to mess up with PAM
+If UsePAM, PermitEmptyPasswords, PasswordAuthentication are enabled. The ssh daemon
+will try to authenticate an empty password, resulting in login failures of any user.
+If PAM is enabled, then we should leave the task of password authentication to PAM.
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ auth2-none.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/auth2-none.c b/auth2-none.c
+index c8c6c74..b48b2fd 100644
+--- a/auth2-none.c
+++ b/auth2-none.c
+@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
+ {
+        none_enabled = 0;
+        packet_check_eom();
+-       if (options.permit_empty_passwd && options.password_authentication)
+       if (options.permit_empty_passwd && options.password_authentication && !options.use_pam)
+                return (PRIVSEP(auth_password(authctxt, "")));
+        return (0);
+ }
+-- 
+1.7.9.5
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
index 8f32c2e63e..047a895aae 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -24,7 +24,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
           file://add-test-support-for-busybox.patch \
           file://run-ptest \
           file://openssh-CVE-2014-2532.patch \
-           file://openssh-CVE-2014-2653.patch"
+           file://openssh-CVE-2014-2653.patch \
+           file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
 PAM_SRC_URI = "file://sshd"

diff --git a/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch new file mode 100644 index 0000000000..ba13cd1919 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch
@@ -0,0 +1,30 @@
		1	Upstream-Status: Pending
		2
		3	Subject: auth2-none.c: avoid authenticate empty passwords to mess up with PAM
		4
		5	If UsePAM, PermitEmptyPasswords, PasswordAuthentication are enabled. The ssh daemon
		6	will try to authenticate an empty password, resulting in login failures of any user.
		7	If PAM is enabled, then we should leave the task of password authentication to PAM.
		8
		9	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		10
		11	---
		12	auth2-none.c \| 2 +-
		13	1 file changed, 1 insertion(+), 1 deletion(-)
		14
		15	diff --git a/auth2-none.c b/auth2-none.c
		16	index c8c6c74..b48b2fd 100644
		17	--- a/auth2-none.c
		18	+++ b/auth2-none.c
		19	@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
		20	{
		21	none_enabled = 0;
		22	packet_check_eom();
		23	- if (options.permit_empty_passwd && options.password_authentication)
		24	+ if (options.permit_empty_passwd && options.password_authentication && !options.use_pam)
		25	return (PRIVSEP(auth_password(authctxt, "")));
		26	return (0);
		27	}
		28	--
		29	1.7.9.5
		30


diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb index 8f32c2e63e..047a895aae 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -24,7 +24,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
24	file://add-test-support-for-busybox.patch \	24	file://add-test-support-for-busybox.patch \
25	file://run-ptest \	25	file://run-ptest \
26	file://openssh-CVE-2014-2532.patch \	26	file://openssh-CVE-2014-2532.patch \
27	file://openssh-CVE-2014-2653.patch"	27	file://openssh-CVE-2014-2653.patch \
		28	file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
28		29
29	PAM_SRC_URI = "file://sshd"	30	PAM_SRC_URI = "file://sshd"
30		31