only query each keyboard-interactive device once (#1245971)
Upstream commit https://anongit.mindrot.org/openssh.git/commit/?id=5b64f85bb811246c59ebab70aed331f26ba37b18
This commit is contained in:
parent
ca62b6133e
commit
c6d2eca7de
47
openssh-6.9p1-authentication-limits-bypass.patch
Normal file
47
openssh-6.9p1-authentication-limits-bypass.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Sat, 18 Jul 2015 07:57:14 +0000
|
||||
Subject: upstream commit
|
||||
|
||||
only query each keyboard-interactive device once per
|
||||
authentication request regardless of how many times it is listed; ok markus@
|
||||
|
||||
Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
|
||||
---
|
||||
auth2-chall.c | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/auth2-chall.c b/auth2-chall.c
|
||||
index ddabe1a..4aff09d 100644
|
||||
--- a/auth2-chall.c
|
||||
+++ b/auth2-chall.c
|
||||
@@ -83,6 +83,7 @@ struct KbdintAuthctxt
|
||||
void *ctxt;
|
||||
KbdintDevice *device;
|
||||
u_int nreq;
|
||||
+ u_int devices_done;
|
||||
};
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
|
||||
if (len == 0)
|
||||
break;
|
||||
for (i = 0; devices[i]; i++) {
|
||||
- if (!auth2_method_allowed(authctxt,
|
||||
+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
|
||||
+ !auth2_method_allowed(authctxt,
|
||||
"keyboard-interactive", devices[i]->name))
|
||||
continue;
|
||||
- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
|
||||
+ if (strncmp(kbdintctxt->devices, devices[i]->name,
|
||||
+ len) == 0) {
|
||||
kbdintctxt->device = devices[i];
|
||||
+ kbdintctxt->devices_done |= 1 << i;
|
||||
+ }
|
||||
}
|
||||
t = kbdintctxt->devices;
|
||||
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
|
||||
--
|
||||
cgit v0.11.2
|
||||
|
||||
|
@ -223,6 +223,8 @@ Patch926: openssh-6.7p1-sftp-force-permission.patch
|
||||
Patch928: openssh-6.8p1-memory-problems.patch
|
||||
# Restore compatible default (#89216)
|
||||
Patch929: openssh-6.9p1-permit-root-login.patch
|
||||
# authentication limits (MaxAuthTries) bypass [security] (#1245971)
|
||||
Patch930: openssh-6.9p1-authentication-limits-bypass.patch
|
||||
|
||||
|
||||
|
||||
@ -446,6 +448,7 @@ popd
|
||||
%patch926 -p1 -b .sftp-force-mode
|
||||
%patch928 -p1 -b .memory
|
||||
%patch929 -p1 -b .root-login
|
||||
%patch930 -p1 -b .kbd
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch700 -p1 -b .fips
|
||||
|
Loading…
Reference in New Issue
Block a user