- Test for pam_fail_delay() function in configure

- Recognise "username:" as a PAM prompt - Add some randomness to the auth-failure delay - Fix wrongly committed options.h/debug.h --HG-- extra : convert_revision : f242f0e66fb0ea5d3b374995d2f548d37dd8f3a3
2025-04-22 07:05:13 +00:00 · 2009-09-08 14:53:53 +00:00 · 2009-09-08 14:53:53 +00:00 · 52551cb771
commit 52551cb771
parent 4dfb834f7c
5 changed files with 21 additions and 8 deletions
--- a/configure.in
+++ b/configure.in
@ -146,6 +146,7 @@ AC_ARG_ENABLE(pam,
 		if test "x$enableval" = "xyes"; then
 			AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** PAM missing - install first or check config.log ***]))
 			AC_MSG_NOTICE(Enabling PAM)
 			AC_CHECK_FUNCS(pam_fail_delay)
 		else
 			AC_DEFINE(DISABLE_PAM,, Use PAM)
 			AC_MSG_NOTICE(Disabling PAM)
--- a/debug.h
+++ b/debug.h
@ -39,7 +39,7 @@
 * Caution: Don't use this in an unfriendly environment (ie unfirewalled),
 * since the printing may not sanitise strings etc. This will add a reasonable
 * amount to your executable size. */
-#define DEBUG_TRACE
+/*#define DEBUG_TRACE */
 /* All functions writing to the cleartext payload buffer call
 * CHECKCLEARTOWRITE() before writing. This is only really useful if you're
--- a/options.h
+++ b/options.h
@ -167,9 +167,9 @@ much traffic. */
 * but there's an interface via a PAM module - don't bother using it otherwise.
 * You can't enable both PASSWORD and PAM. */
-/*#define ENABLE_SVR_PASSWORD_AUTH*/
+#define ENABLE_SVR_PASSWORD_AUTH
 /* PAM requires ./configure --enable-pam */
-#define ENABLE_SVR_PAM_AUTH
+/*#define ENABLE_SVR_PAM_AUTH*/
 #define ENABLE_SVR_PUBKEY_AUTH
 /* Whether to take public key options in 
--- a/svr-auth.c
+++ b/svr-auth.c
@ -33,6 +33,7 @@
 #include "packet.h"
 #include "auth.h"
 #include "runopts.h"
 #include "random.h"
 static void authclear();
 static int checkusername(unsigned char *username, unsigned int userlen);
@ -337,7 +338,12 @@ void send_msg_userauth_failure(int partial, int incrfail) {
 	encrypt_packet();
 	if (incrfail) {
-		usleep(300000); /* XXX improve this */
+		unsigned int delay;
 		genrandom((unsigned char*)&delay, sizeof(delay));
 		/* We delay for 300ms +- 50ms, 0.1ms granularity */
 		delay = 250000 + (delay % 1000)*100;
 		usleep(delay);
 		dropbear_log(LOG_INFO, "delay is %d", delay);
 		ses.authstate.failcount++;
 	}
--- a/svr-authpam.c
+++ b/svr-authpam.c
@ -102,7 +102,7 @@ pamConvFunc(int num_msg,
 				/* We don't recognise the prompt as asking for a password,
 				   so can't handle it. Add more above as required for
 				   different pam modules/implementations */
-				dropbear_log(LOG_NOTICE, "PAM unknown prompt %s (no echo)",
+				dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (no echo)",
 						compare_message);
 				rc = PAM_CONV_ERR;
 				break;
@ -123,12 +123,15 @@ pamConvFunc(int num_msg,
 		case PAM_PROMPT_ECHO_ON:
-			if (!((strcmp(compare_message, "login:" ) == 0) 
+			if (!(
-				|| (strcmp(compare_message, "please enter username:") == 0))) {
+				(strcmp(compare_message, "login:" ) == 0) 
 				|| (strcmp(compare_message, "please enter username:") == 0)
 				|| (strcmp(compare_message, "username:") == 0)
 				)) {
 				/* We don't recognise the prompt as asking for a username,
 				   so can't handle it. Add more above as required for
 				   different pam modules/implementations */
-				dropbear_log(LOG_NOTICE, "PAM unknown prompt %s (with echo)",
+				dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (with echo)",
 						compare_message);
 				rc = PAM_CONV_ERR;
 				break;
@ -212,7 +215,10 @@ void svr_auth_pam() {
 		goto cleanup;
 	}
 #ifdef HAVE_PAM_FAIL_DELAY
 	/* We have our own random delay code already, disable PAM's */
 	(void) pam_fail_delay(pamHandlep, 0 /* musec_delay */);
 #endif
 	/* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */