debian/0000775000000000000000000000000012720001117007157 5ustar debian/rules0000775000000000000000000000036112712334617010256 0ustar #!/usr/bin/make -f # -*- makefile -*- DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH). %: dh $@ --with autoreconf override_dh_auto_configure: dh_auto_configure -- --with-pam-dir=/lib/$(DEB_HOST_MULTIARCH)/security debian/copyright0000664000000000000000000000211412712334617011127 0ustar Format: http://dep.debian.net/deps/dep5 Upstream-Name: libpam-sshauth Source: http://bazaar.launchpad.net/~sbalneav/ltsp/libpam-sshauth/ Files: * Copyright: 2011-2013 Scott Balneaves License: GPL-2.0+ Files: debian/* Copyright: 2011-2013 Vagrant Cascadian License: GPL-2.0+ License: GPL-2.0+ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . . On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". debian/changelog0000664000000000000000000000311612720000756011042 0ustar libpam-sshauth (0.3.1-1deb8u1build0.14.04.1) trusty-security; urgency=medium * fake sync from Debian -- Steve Beattie Fri, 20 May 2016 23:36:30 -0700 libpam-sshauth (0.3.1-1+deb8u1) jessie-security; urgency=high * Non-maintainer upload by the Security Team. * CVE-2016-4422: local root privilege escalation. Return PAM_AUTH_ERR when a system user. This prevents the pam module from returning success without asking for authentication credentials. 
Thanks to Vagrant Cascadian -- Salvatore Bonaccorso Wed, 04 May 2016 10:55:45 +0200 libpam-sshauth (0.3.1-1) unstable; urgency=low * New upstream version: - Fix segfault under KDM -- Vagrant Cascadian Tue, 26 Mar 2013 14:09:32 -0700 libpam-sshauth (0.3-1) experimental; urgency=low * New upstream version. - Switch to using libssh2. * Add Build-Depends on libssh2-1-dev and pkg-config, drop libssh-dev. * debian/rules: Install pam_sshauth.so into /lib//security/. -- Vagrant Cascadian Fri, 22 Mar 2013 12:31:56 -0700 libpam-sshauth (0.2-1) experimental; urgency=low * New upstream version. * Set debian/compat to 9, to enable hardening flags. * Bump Standards-Version to 3.9.4, no changes necessary. * Add Vcs-Browser and Vcs-Bzr to debian/control (Closes: #692637). -- Vagrant Cascadian Fri, 15 Feb 2013 11:48:57 -0800 libpam-sshauth (0.1-1) unstable; urgency=low * Initial release. -- Vagrant Cascadian Fri, 28 Oct 2011 20:26:42 -0400 debian/control0000664000000000000000000000137612712334617010610 0ustar Source: libpam-sshauth Section: admin Priority: extra Maintainer: LTSP Debian Maintainers Uploaders: Vagrant Cascadian Build-Depends: debhelper (>= 9), libssh2-1-dev, libpam0g-dev | libpam-dev, dh-autoreconf, pkg-config Standards-Version: 3.9.4 Vcs-Browser: https://bazaar.launchpad.net/~ltsp-upstream/ltsp/libpam-sshauth/files Vcs-Bzr: lp:~ltsp-upstream/ltsp/libpam-sshauth Package: libpam-sshauth Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Description: authenticate using an SSH server This package provides a simple PAM authentication mechanism using a remote SSH server. If the user is able to ssh to the server configured with libpam-sshauth, they're granted local access. 
debian/libpam-sshauth.docs0000664000000000000000000000000712712334617012766 0ustar README debian/patches/0000775000000000000000000000000012712334617010625 5ustar debian/patches/series0000664000000000000000000000004512712334617012041 0ustar return-pam-auth-err-with-system-user debian/patches/return-pam-auth-err-with-system-user0000664000000000000000000000170412712334617017640 0ustar Description: CVE-2016-4422: local root privilege escalation Return PAM_AUTH_ERR when a system user. This prevents the pam module from returning success without asking for authentication credentials! Origin: upstream, https://bazaar.launchpad.net/~ltsp-upstream/ltsp/libpam-sshauth/revision/114 Forwarded: not-needed Author: Vagrant Cascadian Last-Update: 2016-05-04 diff --git a/src/pam_sshauth.c b/src/pam_sshauth.c index 939ea79..879c9e5 100644 --- a/src/pam_sshauth.c +++ b/src/pam_sshauth.c @@ -101,7 +100,7 @@ pam_sm_authenticate (pam_handle_t * pamh, int flags, int argc, } /* - * Is it a system user? Succeed. + * Is it a system user? Fail. */ pam_debug (pamh, "username %s", username); @@ -110,7 +109,7 @@ pam_sm_authenticate (pam_handle_t * pamh, int flags, int argc, { if (pwent->pw_uid < UID_MIN) { - return PAM_SUCCESS; + return PAM_AUTH_ERR; } } debian/compat0000664000000000000000000000000212712334617010374 0ustar 9 debian/source/0000775000000000000000000000000012712334617010476 5ustar debian/source/format0000664000000000000000000000001412712334617011704 0ustar 3.0 (quilt)
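Review bot: The new `return PAM_AUTH_ERR;` under `pwent->pw_uid < UID_MIN` in the second hunk rejects the account silently, so a refused root or service-account login leaves no trace of which module denied it or why. A log line before the return, using the helper already called a few lines above, would make the decision auditable: `pam_debug (pamh, "refusing system user %s: uid below UID_MIN", username);` (assuming pam_debug emits at a level the site actually collects). The comment touched in the first hunk could also state the reason rather than only the outcome, e.g. `* Is it a system user? Fail: never vouch for a local system account without credentials.` How UID_MIN is defined is not visible here, so it is worth confirming that it matches the host's real system-account boundary, and that the other pam_sm_* entry points in this file do not keep a similar succeed-early shortcut. pam_sm_authenticate begins and ends outside both hunks, so the guard around `pwent` cannot be checked from this patch alone.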