83 lines
3.0 KiB
Diff
83 lines
3.0 KiB
Diff
diff -up Linux-PAM-1.3.1/modules/pam_unix/passverify.c.determinine-user-exists Linux-PAM-1.3.1/modules/pam_unix/passverify.c
|
|
--- Linux-PAM-1.3.1/modules/pam_unix/passverify.c.determinine-user-exists 2020-06-17 15:34:08.089162532 +0200
|
|
+++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c 2020-06-17 15:36:13.233294407 +0200
|
|
@@ -1087,6 +1087,12 @@ helper_verify_password(const char *name,
|
|
if (pwd == NULL || salt == NULL) {
|
|
helper_log_err(LOG_NOTICE, "check pass; user unknown");
|
|
retval = PAM_USER_UNKNOWN;
|
|
+ } else if (p[0] == '\0' && nullok) {
|
|
+ if (salt[0] == '\0') {
|
|
+ retval = PAM_SUCCESS;
|
|
+ } else {
|
|
+ retval = PAM_AUTH_ERR;
|
|
+ }
|
|
} else {
|
|
retval = verify_pwd_hash(p, salt, nullok);
|
|
}
|
|
diff -up Linux-PAM-1.3.1/modules/pam_unix/support.c.determinine-user-exists Linux-PAM-1.3.1/modules/pam_unix/support.c
|
|
--- Linux-PAM-1.3.1/modules/pam_unix/support.c.determinine-user-exists 2020-06-17 15:34:08.090162549 +0200
|
|
+++ Linux-PAM-1.3.1/modules/pam_unix/support.c 2020-06-17 15:34:08.101162736 +0200
|
|
@@ -672,6 +672,8 @@ _unix_blankpasswd (pam_handle_t *pamh, u
|
|
struct passwd *pwd = NULL;
|
|
char *salt = NULL;
|
|
int retval;
|
|
+ int execloop = 1;
|
|
+ int nonexistent = 1;
|
|
|
|
D(("called"));
|
|
|
|
@@ -686,14 +688,31 @@ _unix_blankpasswd (pam_handle_t *pamh, u
|
|
|
|
/* UNIX passwords area */
|
|
|
|
- retval = get_pwd_hash(pamh, name, &pwd, &salt);
|
|
+ /*
|
|
+ * Execute this loop twice: one checking the password hash of an existing
|
|
+ * user and another one for a non-existing user. This way the runtimes
|
|
+ * are equal, making it more difficult to differentiate existing from
|
|
+ * non-existing users.
|
|
+ */
|
|
+ while (execloop) {
|
|
+ retval = get_pwd_hash(pamh, name, &pwd, &salt);
|
|
|
|
- if (retval == PAM_UNIX_RUN_HELPER) {
|
|
- /* salt will not be set here so we can return immediately */
|
|
- if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
|
|
- return 1;
|
|
- else
|
|
- return 0;
|
|
+ if (retval == PAM_UNIX_RUN_HELPER) {
|
|
+ execloop = 0;
|
|
+ if(nonexistent) {
|
|
+ get_pwd_hash(pamh, "pam_unix_non_existent:", &pwd, &salt);
|
|
+ }
|
|
+ /* salt will not be set here so we can return immediately */
|
|
+ if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
|
|
+ return 1;
|
|
+ else
|
|
+ return 0;
|
|
+ } else if (retval == PAM_USER_UNKNOWN) {
|
|
+ name = "root";
|
|
+ nonexistent = 0;
|
|
+ } else {
|
|
+ execloop = 0;
|
|
+ }
|
|
}
|
|
|
|
/* Does this user have a password? */
|
|
diff -up Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c.determinine-user-exists Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c
|
|
--- Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c.determinine-user-exists 2020-06-17 15:34:08.098162685 +0200
|
|
+++ Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c 2020-06-17 15:34:08.101162736 +0200
|
|
@@ -236,8 +236,11 @@ pam_usertype_get_uid(struct pam_usertype
|
|
"error retrieving information about user %s", username);
|
|
}
|
|
|
|
+ pam_modutil_getpwnam(pamh, "root");
|
|
+
|
|
return PAM_USER_UNKNOWN;
|
|
}
|
|
+ pam_modutil_getpwnam(pamh, "pam_usertype_non_existent:");
|
|
|
|
*_uid = pwd->pw_uid;
|
|
|