# HG changeset patch # User Matt Johnston # Date 1252421633 0 # Node ID d3ea8b9672f0414f751851b176a819ecc5c69d07 # Parent 8fd0ac8c8cabbbce69b09af8bccf69a1db8359e2 - Test for pam_fail_delay() function in configure - Recognise "username:" as a PAM prompt - Add some randomness to the auth-failure delay - Fix wrongly committed options.h/debug.h diff -r 8fd0ac8c8cab -r d3ea8b9672f0 configure.in --- a/configure.in Sat Sep 05 11:40:00 2009 +0000 +++ b/configure.in Tue Sep 08 14:53:53 2009 +0000 @@ -146,6 +146,7 @@ if test "x$enableval" = "xyes"; then AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** PAM missing - install first or check config.log ***])) AC_MSG_NOTICE(Enabling PAM) + AC_CHECK_FUNCS(pam_fail_delay) else AC_DEFINE(DISABLE_PAM,, Use PAM) AC_MSG_NOTICE(Disabling PAM) diff -r 8fd0ac8c8cab -r d3ea8b9672f0 debug.h --- a/debug.h Sat Sep 05 11:40:00 2009 +0000 +++ b/debug.h Tue Sep 08 14:53:53 2009 +0000 @@ -39,7 +39,7 @@ * Caution: Don't use this in an unfriendly environment (ie unfirewalled), * since the printing may not sanitise strings etc. This will add a reasonable * amount to your executable size. */ -#define DEBUG_TRACE +/*#define DEBUG_TRACE */ /* All functions writing to the cleartext payload buffer call * CHECKCLEARTOWRITE() before writing. This is only really useful if you're diff -r 8fd0ac8c8cab -r d3ea8b9672f0 options.h --- a/options.h Sat Sep 05 11:40:00 2009 +0000 +++ b/options.h Tue Sep 08 14:53:53 2009 +0000 @@ -167,9 +167,9 @@ * but there's an interface via a PAM module - don't bother using it otherwise. * You can't enable both PASSWORD and PAM. */ -/*#define ENABLE_SVR_PASSWORD_AUTH*/ +#define ENABLE_SVR_PASSWORD_AUTH /* PAM requires ./configure --enable-pam */ -#define ENABLE_SVR_PAM_AUTH +/*#define ENABLE_SVR_PAM_AUTH*/ #define ENABLE_SVR_PUBKEY_AUTH /* Whether to take public key options in diff -r 8fd0ac8c8cab -r d3ea8b9672f0 svr-auth.c --- a/svr-auth.c Sat Sep 05 11:40:00 2009 +0000 +++ b/svr-auth.c Tue Sep 08 14:53:53 2009 +0000 @@ -33,6 +33,7 @@ #include "packet.h" #include "auth.h" #include "runopts.h" +#include "random.h" static void authclear(); static int checkusername(unsigned char *username, unsigned int userlen); @@ -337,7 +338,12 @@ encrypt_packet(); if (incrfail) { - usleep(300000); /* XXX improve this */ + unsigned int delay; + genrandom((unsigned char*)&delay, sizeof(delay)); + /* We delay for 300ms +- 50ms, 0.1ms granularity */ + delay = 250000 + (delay % 1000)*100; + usleep(delay); + dropbear_log(LOG_INFO, "delay is %d", delay); ses.authstate.failcount++; } diff -r 8fd0ac8c8cab -r d3ea8b9672f0 svr-authpam.c --- a/svr-authpam.c Sat Sep 05 11:40:00 2009 +0000 +++ b/svr-authpam.c Tue Sep 08 14:53:53 2009 +0000 @@ -102,7 +102,7 @@ /* We don't recognise the prompt as asking for a password, so can't handle it. Add more above as required for different pam modules/implementations */ - dropbear_log(LOG_NOTICE, "PAM unknown prompt %s (no echo)", + dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (no echo)", compare_message); rc = PAM_CONV_ERR; break; @@ -123,12 +123,15 @@ case PAM_PROMPT_ECHO_ON: - if (!((strcmp(compare_message, "login:" ) == 0) - || (strcmp(compare_message, "please enter username:") == 0))) { + if (!( + (strcmp(compare_message, "login:" ) == 0) + || (strcmp(compare_message, "please enter username:") == 0) + || (strcmp(compare_message, "username:") == 0) + )) { /* We don't recognise the prompt as asking for a username, so can't handle it. Add more above as required for different pam modules/implementations */ - dropbear_log(LOG_NOTICE, "PAM unknown prompt %s (with echo)", + dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (with echo)", compare_message); rc = PAM_CONV_ERR; break; @@ -212,7 +215,10 @@ goto cleanup; } +#ifdef HAVE_PAM_FAIL_DELAY + /* We have our own random delay code already, disable PAM's */ (void) pam_fail_delay(pamHandlep, 0 /* musec_delay */); +#endif /* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */