packages/openssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix setting the number of authentication attempts failed

Browse Source 
(cherry picked from commit aab85b4d0ea0cec09eb9126ca9a8d32d5f1bf913)
This commit is contained in:
renmingshuai 2024-03-14 02:33:00 +00:00 committed by openeuler-sync-bot
parent cc91fedee4
commit 38fc973079
2 changed files with 7 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
backport-openssh-8.0p1-preserve-pam-errors.patch
View File

@ -1,45 +0,0 @@
diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
--- openssh-8.0p1/auth-pam.c.preserve-pam-errors 2021-03-31 17:03:15.618592347 +0200
+++ openssh-8.0p1/auth-pam.c 2021-03-31 17:06:58.115220014 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-preserve-pam-errors.patch
@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
goto auth_fail;
if (!do_pam_account()) {
- sshpam_err = PAM_ACCT_EXPIRED;
+ /* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
+ * Backward compatibility for other errors. */
+ if (sshpam_err != PAM_PERM_DENIED
+ && sshpam_err != PAM_USER_UNKNOWN)
+ sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail;
}
if (sshpam_authctxt->force_pwchange) {
@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
pam_strerror(sshpam_handle, sshpam_err))) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
/* XXX - can't do much about an error here */
- if (sshpam_err == PAM_ACCT_EXPIRED)
- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
+ if (sshpam_err == PAM_PERM_DENIED
+ || sshpam_err == PAM_USER_UNKNOWN
+ || sshpam_err == PAM_ACCT_EXPIRED)
+ ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
else if (sshpam_maxtries_reached)
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
else
@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
plen++;
free(msg);
break;
+ case PAM_USER_UNKNOWN:
+ case PAM_PERM_DENIED:
case PAM_ACCT_EXPIRED:
+ sshpam_account_status = 0;
+ /* FALLTHROUGH */
case PAM_MAXTRIES:
- if (type == PAM_ACCT_EXPIRED)
- sshpam_account_status = 0;
if (type == PAM_MAXTRIES)
sshpam_set_maxtries_reached(1);
/* FALLTHROUGH */

10
openssh.spec
View File

@ -6,7 +6,7 @@
%{?no_gtk2:%global gtk2 0}
%global sshd_uid 74
%global openssh_release 28
%global openssh_release 29
Name: openssh
Version: 8.8p1
@ -79,7 +79,6 @@ Patch48: backport-openssh-8.0p1-openssl-kdf.patch
Patch49: backport-openssh-8.2p1-visibility.patch
Patch50: backport-openssh-8.2p1-x11-without-ipv6.patch
Patch51: backport-openssh-8.0p1-keygen-strip-doseol.patch
Patch52: backport-openssh-8.0p1-preserve-pam-errors.patch
Patch53: backport-openssh-8.7p1-scp-kill-switch.patch
Patch54: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
Patch55: bugfix-openssh-6.6p1-log-usepam-no.patch
@ -256,7 +255,6 @@ popd
%patch49 -p1 -b .visibility
%patch50 -p1 -b .x11-ipv6
%patch51 -p1 -b .keygen-strip-doseol
%patch52 -p1 -b .preserve-pam-errors
%patch53 -p1 -b .kill-scp
%patch1 -p1 -b .audit
%patch2 -p1 -b .audit-race
@ -510,6 +508,12 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog
* Thu Mar 14 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-29
- Type:bugfix
- CVE:
- SUG:NA
- DESC:fix setting the number of authentication attempts failed
* Fri Feb 2 2024 songjuntao<songjuntao@kylinos.cn> - 8.8p1-28
- Type:bugfix
- CVE: