Commit 52551cb7 authored by Matt Johnston's avatar Matt Johnston
Browse files

- Test for pam_fail_delay() function in configure

- Recognise "username:" as a PAM prompt
- Add some randomness to the auth-failure delay
- Fix wrongly committed options.h/debug.h

--HG--
extra : convert_revision : f242f0e66fb0ea5d3b374995d2f548d37dd8f3a3
parent 4dfb834f
......@@ -146,6 +146,7 @@ AC_ARG_ENABLE(pam,
if test "x$enableval" = "xyes"; then
AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** PAM missing - install first or check config.log ***]))
AC_MSG_NOTICE(Enabling PAM)
AC_CHECK_FUNCS(pam_fail_delay)
else
AC_DEFINE(DISABLE_PAM,, Use PAM)
AC_MSG_NOTICE(Disabling PAM)
......
......@@ -39,7 +39,7 @@
* Caution: Don't use this in an unfriendly environment (ie unfirewalled),
* since the printing may not sanitise strings etc. This will add a reasonable
* amount to your executable size. */
#define DEBUG_TRACE
/*#define DEBUG_TRACE */
/* All functions writing to the cleartext payload buffer call
* CHECKCLEARTOWRITE() before writing. This is only really useful if you're
......
......@@ -167,9 +167,9 @@ much traffic. */
* but there's an interface via a PAM module - don't bother using it otherwise.
* You can't enable both PASSWORD and PAM. */
/*#define ENABLE_SVR_PASSWORD_AUTH*/
#define ENABLE_SVR_PASSWORD_AUTH
/* PAM requires ./configure --enable-pam */
#define ENABLE_SVR_PAM_AUTH
/*#define ENABLE_SVR_PAM_AUTH*/
#define ENABLE_SVR_PUBKEY_AUTH
/* Whether to take public key options in
......
......@@ -33,6 +33,7 @@
#include "packet.h"
#include "auth.h"
#include "runopts.h"
#include "random.h"
static void authclear();
static int checkusername(unsigned char *username, unsigned int userlen);
......@@ -337,7 +338,12 @@ void send_msg_userauth_failure(int partial, int incrfail) {
encrypt_packet();
if (incrfail) {
usleep(300000); /* XXX improve this */
unsigned int delay;
genrandom((unsigned char*)&delay, sizeof(delay));
/* We delay for 300ms +- 50ms, 0.1ms granularity */
delay = 250000 + (delay % 1000)*100;
usleep(delay);
dropbear_log(LOG_INFO, "delay is %d", delay);
ses.authstate.failcount++;
}
......
......@@ -102,7 +102,7 @@ pamConvFunc(int num_msg,
/* We don't recognise the prompt as asking for a password,
so can't handle it. Add more above as required for
different pam modules/implementations */
dropbear_log(LOG_NOTICE, "PAM unknown prompt %s (no echo)",
dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (no echo)",
compare_message);
rc = PAM_CONV_ERR;
break;
......@@ -123,12 +123,15 @@ pamConvFunc(int num_msg,
case PAM_PROMPT_ECHO_ON:
if (!((strcmp(compare_message, "login:" ) == 0)
|| (strcmp(compare_message, "please enter username:") == 0))) {
if (!(
(strcmp(compare_message, "login:" ) == 0)
|| (strcmp(compare_message, "please enter username:") == 0)
|| (strcmp(compare_message, "username:") == 0)
)) {
/* We don't recognise the prompt as asking for a username,
so can't handle it. Add more above as required for
different pam modules/implementations */
dropbear_log(LOG_NOTICE, "PAM unknown prompt %s (with echo)",
dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (with echo)",
compare_message);
rc = PAM_CONV_ERR;
break;
......@@ -212,7 +215,10 @@ void svr_auth_pam() {
goto cleanup;
}
#ifdef HAVE_PAM_FAIL_DELAY
/* We have our own random delay code already, disable PAM's */
(void) pam_fail_delay(pamHandlep, 0 /* musec_delay */);
#endif
/* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment