On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> On Sat, Nov 20, 2004 at 01:51:55PM +1100, Darren Tucker wrote:
> > No, it's not fixed in 3.9p1.
> >
> > The problem is not exactly the same, though. In this case, it's partly
> > because the keyboard-interactive code doesn't call the kbdint driver at
> > all in this case. The first attached patch ought to fix that.
> >
> > With that fixed, a change to the PAM code is required because it will
> > complete for a real user with their real password if, eg they are listed
> > in DenyUsers. This will result in the PAM code getting out of sync with
> > the kbdint code, resulting in the authentication hanging. The second
> > patch ought to fix that.
> >
> > I haven't done much testing of either patch, so please let me know how
> > they go.
>
> Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> PasswordAuthentication; the patch is attached. It seems to work for me.
> After a bit more testing I'll upload this to unstable.

Here's a further patch on top of your openssh-pam-kbdint-leak.patch which
makes sure that attempted root logins when PermitRootLogin is not set to
yes always have the same delay (Debian bug #248747). It's the same as you
did for PAM PasswordAuthentication.

Cheers,

--
Colin Watson [EMAIL PROTECTED]

