authorDag-Erling Smørgrav <des@FreeBSD.org>2003-03-31 13:45:36 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2003-03-31 13:45:36 +0000
commitfc0824d97d17d840792cfda31dc58891c4c41389 (patch)
tree5c905c6c4267e057178b82179f25046713e54de9
parenteffd19ed24e81d73e1ddcc812a563537d8730a25 (diff)
If an ssh1 client initiated challenge-response authentication but did
not respond to the challenge, and later successfully authenticated itself using another method, the kbdint context would never be released, leaving the PAM child process behind even after the connection ended. Fix this by automatically releasing the kbdint context if a packet of type SSH_CMSG_AUTH_TIS is followed by anything but a packet of type SSH_CMSG_AUTH_TIS_RESPONSE. MFC after: 1 week
Notes
Notes: svn path=/head/; revision=112870
-rw-r--r--crypto/openssh/auth-chall.c8
-rw-r--r--crypto/openssh/auth.h1
-rw-r--r--crypto/openssh/auth1.c14
3 files changed, 22 insertions, 1 deletions
diff --git a/crypto/openssh/auth-chall.c b/crypto/openssh/auth-chall.c
index b9c2efd9b6d9..1daa1441887d 100644
--- a/crypto/openssh/auth-chall.c
+++ b/crypto/openssh/auth-chall.c
@@ -99,3 +99,11 @@ verify_response(Authctxt *authctxt, const char *response)
authctxt->kbdintctxt = NULL;
return res ? 0 : 1;
}
+void
+abandon_challenge_response(Authctxt *authctxt)
+{
+ if (authctxt->kbdintctxt != NULL) {
+ device->free_ctx(authctxt->kbdintctxt);
+ authctxt->kbdintctxt = NULL;
+ }
+}
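Review bot: abandon_challenge_response() is added without any comment, and it dereferences `device`, which is not defined anywhere in this hunk, so the safety of `device->free_ctx(authctxt->kbdintctxt)` rests on an invariant the reader cannot see. Presumably `device` is file-scope state that get_challenge() sets before it stores a context in `authctxt->kbdintctxt`; if that holds, state it above the function, for example `/* Release a kbdint context left pending by get_challenge(); no-op if none. Relies on device being set whenever kbdintctxt is non-NULL. */`. This function is reached from pre-authentication packet handling, so the invariant deserves to be written down rather than implied.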
diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h
index 79ce4206c137..4e19ee47d82b 100644
--- a/crypto/openssh/auth.h
+++ b/crypto/openssh/auth.h
@@ -160,6 +160,7 @@ struct passwd * getpwnamallow(const char *user);
char *get_challenge(Authctxt *);
int verify_response(Authctxt *, const char *);
+void abandon_challenge_response(Authctxt *);
struct passwd * auth_get_user(void);
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index f88dcc9aec5b..a13f61011abb 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -74,7 +74,7 @@ do_authloop(Authctxt *authctxt)
char info[1024];
u_int dlen;
u_int ulen;
- int type = 0;
+ int prev, type = 0;
struct passwd *pw = authctxt->pw;
debug("Attempting authentication for %s%.100s.",
@@ -104,8 +104,20 @@ do_authloop(Authctxt *authctxt)
info[0] = '\0';
/* Get a packet from the client. */
+ prev = type;
type = packet_read();
+ /*
+ * If we started challenge-response authentication but the
+ * next packet is not a response to our challenge, release
+ * the resources allocated by get_challenge() (which would
+ * normally have been released by verify_response() had we
+ * received such a response)
+ */
+ if (prev == SSH_CMSG_AUTH_TIS &&
+ type != SSH_CMSG_AUTH_TIS_RESPONSE)
+ abandon_challenge_response(authctxt);
+
/* Process the packet. */
switch (type) {
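Review bot: The release in the `if (prev == SSH_CMSG_AUTH_TIS && ...)` test is keyed on the previous packet type rather than on whether a context is actually pending, and it only runs when another packet arrives. Because abandon_challenge_response() already does nothing when `authctxt->kbdintctxt` is NULL, the test could be `if (type != SSH_CMSG_AUTH_TIS_RESPONSE) abandon_challenge_response(authctxt);`, which removes the need for the `prev` variable introduced in the first auth1.c hunk and keeps working if some other path ever leaves a context behind. Separately, if the client disconnects right after SSH_CMSG_AUTH_TIS, control presumably does not return from packet_read() to this check, so the context would have to be released by a cleanup path that is not visible here; that is worth confirming, since the peer is still unauthenticated at this point. The loop in do_authloop starts and ends outside the hunk.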