DragonFly BSD
DragonFly commits List (threaded) for 2011-12
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

git: pam_ssh: Don't allow a bogus passphrase for unencrypted keys.


From: Peter Avalos <pavalos@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 24 Dec 2011 13:18:51 -0800 (PST)

commit 09e61f6cd8073fbb48eab8523b4bcc4f82dac34d
Author: Peter Avalos <pavalos@dragonflybsd.org>
Date:   Sat Dec 24 13:00:13 2011 -0800

    pam_ssh:  Don't allow a bogus passphrase for unencrypted keys.
    
    key_load_private() ignores the passphrase argument if the private key
    is unencrypted.  This defeats the nullok check, because it means a
    non-null passphrase will successfully unlock the key.
    
    To address this, try at first to load the key without a passphrase.
    If this succeeds and the user provided a non-empty passphrase *or*
    nullok is false, reject the key.
    
    While I'm here: Load the ECDSA key if there is one.
    
    Obtained-from:  FreeBSD 227757, 219426, & 226101

Summary of changes:
 lib/pam_module/pam_ssh/pam_ssh.8 |    9 ++++---
 lib/pam_module/pam_ssh/pam_ssh.c |   42 +++++++++++++++++++++++++------------
 2 files changed, 33 insertions(+), 18 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/09e61f6cd8073fbb48eab8523b4bcc4f82dac34d


-- 
DragonFly BSD source repository



[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]