rearrange patch names

[ckermit.git] / debian / patches / 040_pam-password-prompting.patch

diff --git a/debian/patches/040_pam-password-prompting.patch b/debian/patches/040_pam-password-prompting.patch
new file mode 100644 (file)
index 0000000..28d0791
--- /dev/null
+++ b/debian/patches/040_pam-password-prompting.patch
@@ -0,0 +1,103 @@
+Make IKSD authentication (using PAM) ask for a password when an
+invalid username has been given, to avoid disclosing which account
+names are valid. See #417247.
+--- ckermit-211.orig/ckufio.c
++++ ckermit-211/ckufio.c
+@@ -490,6 +490,9 @@
+ static char guestpass[GUESTPASS] = { NUL, NUL }; /* Anonymous "password" */
+ static int logged_in = 0;               /* Set when user is logged in */
+ static int askpasswd = 0;               /* Have OK user, must ask for passwd */
++#ifdef CK_PAM
++extern int gotemptypasswd;
++#endif /* CK_PAM */
+ #endif /* CK_LOGIN */
+ 
+ #ifdef CKROOT
+@@ -8043,8 +8046,12 @@
+             }
+         }
+         debug(F110,"zvpass","calling pam_authenticate",0);
+-        if (*p)
+-        pam_pw = p;
++        if (*p
++#ifdef CK_LOGIN
++          || gotemptypasswd
++#endif /* CK_LOGIN */
++          )
++          pam_pw = p;
+         if ((pam_status = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
+             reply = pam_strerror(pamh, pam_status);
+             debug(F110,"zvpass PAM failure",reply,0);
+--- ckermit-211.orig/ckuus7.c
++++ ckermit-211/ckuus7.c
+@@ -98,6 +98,12 @@
+ 
+ extern char * k_info_dir;
+ 
++#ifdef CK_LOGIN
++#ifdef CK_PAM
++int gotemptypasswd = 0;   /* distinguish empty passwd from none given */
++#endif /* CK_PAM */
++#endif /* CK_LOGIN */
++
+ #ifndef NOSPL
+ extern int nmac;
+ extern struct mtab *mactab;
+@@ -14656,9 +14662,9 @@
+ #ifdef CK_RECALL
+     extern int on_recall;               /* around Password prompting */
+ #endif /* CK_RECALL */
+-#ifdef CK_PAM
++#ifdef COMMENT
+     extern int guest;
+-#endif /* CK_PAM */
++#endif /* COMMENT */
+     int rprompt = 0;                    /* Restore prompt */
+ #ifdef CKSYSLOG
+     int savlog;
+@@ -14774,9 +14780,9 @@
+     debug(F111,"ckxlogin zvuser",userid,ok);
+ 
+     if (!*passwd && promptok
+-#ifdef CK_PAM
++#ifdef COMMENT
+         && guest
+-#endif /* CK_PAM */
++#endif /* COMMENT */
+         ) {
+         char prmpt[80];
+ 
+@@ -14852,6 +14858,9 @@
+         if (pflag) prompt(xxstring);    /* Issue prompt if at top level */
+         cmres();                        /* Reset the parser */
+         for (x = -1; x < 0;) {          /* Prompt till they answer */
++#ifdef CK_PAM
++          gotemptypasswd=0;
++#endif /* CK_PAM */
+             x = cmtxt("","",&s,NULL);   /* Get a literal line of text */
+             if (x == -4 || x == -10) {
+                 printf("\r\n%sLogin cancelled\n",
+@@ -14861,6 +14870,10 @@
+ #endif /* CKSYSLOG */
+                 doexit(GOOD_EXIT,0);
+             }
++#ifdef CK_PAM
++          if(!*s)
++              gotemptypasswd=1;
++#endif /* CK_PAM */
+             if (sstate)                 /* In case of a Kermit packet */
+               goto XCKXLOG;
+             cmres();                    /* Reset the parser again */
+@@ -14895,6 +14908,12 @@
+     if (ok) {
+         ok = zvpass((char *)passwd);    /* Check password */
+         debug(F101,"ckxlogin zvpass","",ok);
++#ifdef CK_PAM
++    } else {
++      /* Fake pam password failure for nonexistent users */
++      sleep(1);
++      printf("Authentication failure\n");
++#endif
+     }
+ 
+     if (ok > 0 && isguest) {