changeset 573:d3ea8b9672f0

- Test for pam_fail_delay() function in configure - Recognise "username:" as a PAM prompt - Add some randomness to the auth-failure delay - Fix wrongly committed options.h/debug.h
author Matt Johnston <matt@ucc.asn.au>
date Tue, 08 Sep 2009 14:53:53 +0000
parents 8fd0ac8c8cab
children b6665c1eac43
files configure.in debug.h options.h svr-auth.c svr-authpam.c
diffstat 5 files changed, 21 insertions(+), 8 deletions(-) [+]
--- a/configure.in	Sat Sep 05 11:40:00 2009 +0000
+++ b/configure.in	Tue Sep 08 14:53:53 2009 +0000
@@ -146,6 +146,7 @@
 		if test "x$enableval" = "xyes"; then
 			AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** PAM missing - install first or check config.log ***]))
 			AC_MSG_NOTICE(Enabling PAM)
+			AC_CHECK_FUNCS(pam_fail_delay)
 		else
 			AC_DEFINE(DISABLE_PAM,, Use PAM)
 			AC_MSG_NOTICE(Disabling PAM)
--- a/debug.h	Sat Sep 05 11:40:00 2009 +0000
+++ b/debug.h	Tue Sep 08 14:53:53 2009 +0000
@@ -39,7 +39,7 @@
  * Caution: Don't use this in an unfriendly environment (ie unfirewalled),
  * since the printing may not sanitise strings etc. This will add a reasonable
  * amount to your executable size. */
-#define DEBUG_TRACE
+/*#define DEBUG_TRACE */
 
 /* All functions writing to the cleartext payload buffer call
  * CHECKCLEARTOWRITE() before writing. This is only really useful if you're
--- a/options.h	Sat Sep 05 11:40:00 2009 +0000
+++ b/options.h	Tue Sep 08 14:53:53 2009 +0000
@@ -167,9 +167,9 @@
  * but there's an interface via a PAM module - don't bother using it otherwise.
  * You can't enable both PASSWORD and PAM. */
 
-/*#define ENABLE_SVR_PASSWORD_AUTH*/
+#define ENABLE_SVR_PASSWORD_AUTH
 /* PAM requires ./configure --enable-pam */
-#define ENABLE_SVR_PAM_AUTH
+/*#define ENABLE_SVR_PAM_AUTH*/
 #define ENABLE_SVR_PUBKEY_AUTH
 
 /* Whether to take public key options in 
--- a/svr-auth.c	Sat Sep 05 11:40:00 2009 +0000
+++ b/svr-auth.c	Tue Sep 08 14:53:53 2009 +0000
@@ -33,6 +33,7 @@
 #include "packet.h"
 #include "auth.h"
 #include "runopts.h"
+#include "random.h"
 
 static void authclear();
 static int checkusername(unsigned char *username, unsigned int userlen);
@@ -337,7 +338,12 @@
 	encrypt_packet();
 
 	if (incrfail) {
-		usleep(300000); /* XXX improve this */
+		unsigned int delay;
+		genrandom((unsigned char*)&delay, sizeof(delay));
+		/* We delay for 300ms +- 50ms, 0.1ms granularity */
+		delay = 250000 + (delay % 1000)*100;
+		usleep(delay);
+		dropbear_log(LOG_INFO, "delay is %d", delay);
 		ses.authstate.failcount++;
 	}
 
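Review bot: The new `dropbear_log(LOG_INFO, "delay is %d", delay);` after `usleep(delay)` writes the chosen jitter to the system log on every authentication failure, which looks like a leftover debug print rather than something an operator wants at INFO, and it pairs `%d` with an `unsigned int`. Drop the line, or if the value is worth keeping for development move it under the file's trace facility, e.g. `TRACE(("auth failure delay %u us", delay))`, so it disappears from production builds. The jitter arithmetic itself is consistent with its comment: `250000 + (delay % 1000)*100` yields 250.0–349.9 ms in 0.1 ms steps, and the bias from `% 1000` on a 32-bit random value is negligible. The enclosing function starts before this hunk, so I cannot see whether the failure packet is flushed before or after the sleep.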
--- a/svr-authpam.c	Sat Sep 05 11:40:00 2009 +0000
+++ b/svr-authpam.c	Tue Sep 08 14:53:53 2009 +0000
@@ -102,7 +102,7 @@
 				/* We don't recognise the prompt as asking for a password,
 				   so can't handle it. Add more above as required for
 				   different pam modules/implementations */
-				dropbear_log(LOG_NOTICE, "PAM unknown prompt %s (no echo)",
+				dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (no echo)",
 						compare_message);
 				rc = PAM_CONV_ERR;
 				break;
@@ -123,12 +123,15 @@
 
 		case PAM_PROMPT_ECHO_ON:
 
-			if (!((strcmp(compare_message, "login:" ) == 0) 
-				|| (strcmp(compare_message, "please enter username:") == 0))) {
+			if (!(
+				(strcmp(compare_message, "login:" ) == 0) 
+				|| (strcmp(compare_message, "please enter username:") == 0)
+				|| (strcmp(compare_message, "username:") == 0)
+				)) {
 				/* We don't recognise the prompt as asking for a username,
 				   so can't handle it. Add more above as required for
 				   different pam modules/implementations */
-				dropbear_log(LOG_NOTICE, "PAM unknown prompt %s (with echo)",
+				dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (with echo)",
 						compare_message);
 				rc = PAM_CONV_ERR;
 				break;
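Review bot: The PAM_PROMPT_ECHO_ON check is becoming a growing `||` chain of `strcmp` calls, and the comment right below it ("Add more above as required") invites it to keep growing; a small static table with a helper reads better and makes the next addition a one-line change. The same shape appears in the echo-off branch just above this hunk, so the helper could take the table as a parameter and serve both. This assumes `compare_message` has already been lower-cased and trimmed before the switch, which happens outside this hunk — if it is not trimmed, a module prompt such as `"login: "` with a trailing space would still fall through to PAM_CONV_ERR. The enclosing conversation function starts and ends outside the hunk.
```c
/* Return 1 if msg exactly matches one of the known prompts in table[0..n). */
static int is_known_prompt(const char *msg, const char * const *table, size_t n) {
	size_t i;
	for (i = 0; i < n; i++) {
		if (strcmp(msg, table[i]) == 0) {
			return 1;
		}
	}
	return 0;
}

/* Prompts that PAM modules use to ask for the username; extend as needed. */
static const char * const username_prompts[] = {
	"login:",
	"please enter username:",
	"username:",
};

/* … unchanged: conversation function up to the PAM_PROMPT_ECHO_ON case … */
			if (!is_known_prompt(compare_message, username_prompts,
					sizeof(username_prompts) / sizeof(username_prompts[0]))) {
/* … unchanged: log unknown prompt, rc = PAM_CONV_ERR, break … */
```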
@@ -212,7 +215,10 @@
 		goto cleanup;
 	}
 
+#ifdef HAVE_PAM_FAIL_DELAY
+	/* We have our own random delay code already, disable PAM's */
 	(void) pam_fail_delay(pamHandlep, 0 /* musec_delay */);
+#endif
 
 	/* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */
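Review bot: The comment "disable PAM's" on the new `pam_fail_delay(pamHandlep, 0)` call promises more than the call delivers: in Linux-PAM the delay actually applied is the largest value requested by the application or any module, so a module that calls `pam_fail_delay()` itself (pam_unix does on many distributions) still adds its own sleep on top of the random delay added in svr-auth.c, and the combined delay is then no longer the 300 ms ± 50 ms that code documents. The only way to genuinely suppress PAM's sleep is the commented-out `pam_set_item(pamHandlep, PAM_FAIL_DELAY, ...)` line with a callback that ignores the requested delay; either wire that up under the same `#ifdef` or reword the comment to `/* Request no extra delay from PAM; our own random delay is applied in svr-auth.c. Modules may still add their own. */`. If the commented-out line is not going to be revived, it should go rather than stay as dead code. This hunk sits inside a function whose start and end are outside the diff.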