From owner-svn-src-all@FreeBSD.ORG  Sun Dec 11 20:40:24 2011
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2CE4F1065670;
	Sun, 11 Dec 2011 20:40:24 +0000 (UTC) (envelope-from des@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 132238FC13;
	Sun, 11 Dec 2011 20:40:24 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id pBBKeNZL068091;
	Sun, 11 Dec 2011 20:40:23 GMT (envelope-from des@svn.freebsd.org)
Received: (from des@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id pBBKeNOa068089;
	Sun, 11 Dec 2011 20:40:23 GMT (envelope-from des@svn.freebsd.org)
Message-Id: <201112112040.pBBKeNOa068089@svn.freebsd.org>
From: Dag-Erling Smorgrav <des@FreeBSD.org>
Date: Sun, 11 Dec 2011 20:40:23 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
X-SVN-Group: stable-7
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r228421 - stable/7/lib/libpam/modules/pam_ssh
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Dec 2011 20:40:24 -0000

Author: des
Date: Sun Dec 11 20:40:23 2011
New Revision: 228421
URL: http://svn.freebsd.org/changeset/base/228421

Log:
  MFH r227757: check for null passphrases, since openssl doesn't
  
  Security:	prevents users with unencrypted ssh keys (prohibited
  		unless the nullok option is specified) from logging in
  		by providing a bogus non-null passphrase.

Modified:
  stable/7/lib/libpam/modules/pam_ssh/pam_ssh.c
Directory Properties:
  stable/7/lib/libpam/   (props changed)

Modified: stable/7/lib/libpam/modules/pam_ssh/pam_ssh.c
==============================================================================
--- stable/7/lib/libpam/modules/pam_ssh/pam_ssh.c	Sun Dec 11 20:38:36 2011	(r228420)
+++ stable/7/lib/libpam/modules/pam_ssh/pam_ssh.c	Sun Dec 11 20:40:23 2011	(r228421)
@@ -88,7 +88,8 @@ static char *const pam_ssh_agent_envp[] 
  * struct pam_ssh_key containing the key and its comment.
  */
 static struct pam_ssh_key *
-pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase)
+pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase,
+    int nullok)
 {
 	struct pam_ssh_key *psk;
 	char fn[PATH_MAX];
@@ -98,7 +99,21 @@ pam_ssh_load_key(const char *dir, const 
 	if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn))
 		return (NULL);
 	comment = NULL;
-	key = key_load_private(fn, passphrase, &comment);
+	/*
+	 * If the key is unencrypted, OpenSSL ignores the passphrase, so
+	 * it will seem like the user typed in the right one.  This allows
+	 * a user to circumvent nullok by providing a dummy passphrase.
+	 * Verify that the key really *is* encrypted by trying to load it
+	 * with an empty passphrase, and if the key is not encrypted,
+	 * accept only an empty passphrase.
+	 */
+	key = key_load_private(fn, NULL, &comment);
+	if (key != NULL && !(*passphrase == '\0' && nullok)) {
+		key_free(key);
+		return (NULL);
+	}
+	if (key == NULL)
+		key = key_load_private(fn, passphrase, &comment);
 	if (key == NULL) {
 		openpam_log(PAM_LOG_DEBUG, "failed to load key from %s\n", fn);
 		return (NULL);
@@ -165,9 +180,6 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	if (pam_err != PAM_SUCCESS)
 		return (pam_err);
 
-	if (*passphrase == '\0' && !nullok)
-		goto skip_keys;
-
 	/* switch to user credentials */
 	pam_err = openpam_borrow_cred(pamh, pwd);
 	if (pam_err != PAM_SUCCESS)
@@ -175,7 +187,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 
 	/* try to load keys from all keyfiles we know of */
 	for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
-		psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase);
+		psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase, nullok);
 		if (psk != NULL) {
 			pam_set_data(pamh, *kfn, psk, pam_ssh_free_key);
 			++nkeys;
@@ -185,7 +197,6 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	/* switch back to arbitrator credentials */
 	openpam_restore_cred(pamh);
 
- skip_keys:
 	/*
 	 * If we tried an old token and didn't get anything, and
 	 * try_first_pass was specified, try again after prompting the