====================
* NEW: afpd: static generated AFP signature stored in afp_signature.conf,
cf man 5 afp_signature.conf
+* FIX: afpd: prevent security attack guessing valid server accounts. afpd
+ now returns error -5023 for unknown users, as does AppleFileServer.
Changes in 2.1-beta1
====================
/*
- * $Id: uams_dhx2_pam.c,v 1.11 2010-02-06 09:53:02 franklahm Exp $
+ * $Id: uams_dhx2_pam.c,v 1.12 2010-03-30 10:25:49 franklahm Exp $
*
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* Copyright (c) 1999 Adrian Sun (asun@u.washington.edu)
{
if (( dhxpwd = uam_getname(obj, username, ulen)) == NULL ) {
LOG(log_info, logtype_uams, "DHX2: unknown username");
- return AFPERR_PARAM;
+ return AFPERR_NOTAUTH;
}
PAM_username = username;
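Review bot: The early return for an unknown user happens before any of the exchange work this function does for a known account, so the reply may still be distinguishable despite the new `AFPERR_NOTAUTH` code. The rest of the function is outside the hunk, so this is inferred: if the known-user path answers this stage with a continuation status rather than an error, a client can still tell the two cases apart. Confirm this against the known-user, wrong-password path and record the intent next to the return, e.g. `/* same code as a failed password, so the reply does not reveal whether the account exists */`. The same question applies to the matching hunks in uams_dhx2_passwd.c, uams_dhx_pam.c and uams_dhx_passwd.c.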
/*
- * $Id: uams_dhx2_passwd.c,v 1.7 2010-02-06 09:53:02 franklahm Exp $
+ * $Id: uams_dhx2_passwd.c,v 1.8 2010-03-30 10:25:49 franklahm Exp $
*
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* Copyright (c) 1999 Adrian Sun (asun@u.washington.edu)
{
if (( dhxpwd = uam_getname(obj, username, ulen)) == NULL ) {
LOG(log_info, logtype_uams, "DHX2: unknown username");
- return AFPERR_PARAM;
+ return AFPERR_NOTAUTH;
}
LOG(log_info, logtype_uams, "DHX2 login: %s", username);
/*
- * $Id: uams_dhx_pam.c,v 1.32 2009-11-05 14:38:07 franklahm Exp $
+ * $Id: uams_dhx_pam.c,v 1.33 2010-03-30 10:25:49 franklahm Exp $
*
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* Copyright (c) 1999 Adrian Sun (asun@u.washington.edu)
{
if (( dhxpwd = uam_getname(obj, username, ulen)) == NULL ) {
LOG(log_info, logtype_uams, "uams_dhx_pam.c: unknown username");
- return AFPERR_PARAM;
+ return AFPERR_NOTAUTH;
}
PAM_username = username;
-/*
- * $Id: uams_dhx_passwd.c,v 1.27 2009-11-05 14:38:07 franklahm Exp $
+a/*
+ * $Id: uams_dhx_passwd.c,v 1.28 2010-03-30 10:25:49 franklahm Exp $
*
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* Copyright (c) 1999 Adrian Sun (asun@u.washington.edu)
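Review bot: The new first line reads `a/*`, which puts a stray `a` in front of the comment opener at the top of uams_dhx_passwd.c. If that is what was committed, the file will not compile. It may be an artifact of how this page was produced, so check the committed file. The line should be plain `/*`, as in the headers of the other UAM files.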
#endif /* TRU64 */
if (( dhxpwd = uam_getname(obj, username, ulen)) == NULL ) {
- return AFPERR_PARAM;
+ return AFPERR_NOTAUTH;
}
LOG(log_info, logtype_uams, "dhx login: %s", username);
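Review bot: The unknown-user branch here returns without logging, unlike the DHX2 and uams_dhx_pam.c hunks, which write an "unknown username" message before returning. Since this commit is about account guessing, these rejected lookups are what an operator needs in the log to notice it. Consider adding `LOG(log_info, logtype_uams, "dhx login: unknown username");` before the return. The uams_pam.c, uams_passwd.c and uams_randnum.c hunks have the same silent return. The enclosing function starts and ends outside the hunk.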
/*
- * $Id: uams_gss.c,v 1.11 2010-02-15 12:00:36 franklahm Exp $
+ * $Id: uams_gss.c,v 1.12 2010-03-30 10:25:49 franklahm Exp $
*
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* Copyright (c) 1999 Adrian Sun (asun@u.washington.edu)
encoding is the gssapi name in? */
if((pwd = uam_getname( obj, username, userlen )) == NULL) {
LOG(log_info, logtype_uams, "uam_getname() failed for %s", username);
- return AFPERR_PARAM;
+ return AFPERR_NOTAUTH;
}
if (uam_checkuser(pwd) < 0) {
LOG(log_info, logtype_uams, "%s not a valid user", username);
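Review bot: The `uam_checkuser(pwd) < 0` branch right after the changed return is not touched by this commit, and its return statement lies outside the hunk. If it still returns a code other than `AFPERR_NOTAUTH`, a client can distinguish an account that exists but is not permitted from one that does not exist, which would partly undo the fix. The same branch appears at the end of the uams_randnum.c hunk. Separately, both log calls here print the client-supplied `username` with `%s`; whether it has been bounded and terminated by this point is not visible in the hunk.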
/*
- * $Id: uams_pam.c,v 1.23 2009-11-08 01:07:17 didg Exp $
+ * $Id: uams_pam.c,v 1.24 2010-03-30 10:25:49 franklahm Exp $
*
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* Copyright (c) 1999 Adrian Sun (asun@u.washington.edu)
ibuf[ PASSWDLEN ] = '\0';
if (( pwd = uam_getname(obj, username, ulen)) == NULL ) {
- return AFPERR_PARAM;
+ return AFPERR_NOTAUTH;
}
LOG(log_info, logtype_uams, "cleartext login: %s", username);
/*
- * $Id: uams_passwd.c,v 1.29 2009-11-08 01:07:17 didg Exp $
+ * $Id: uams_passwd.c,v 1.30 2010-03-30 10:25:49 franklahm Exp $
*
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* Copyright (c) 1999 Adrian Sun (asun@u.washington.edu)
ibuf[ PASSWDLEN ] = '\0';
if (( pwd = uam_getname(obj, username, ulen)) == NULL ) {
- return AFPERR_PARAM;
+ return AFPERR_NOTAUTH
}
LOG(log_info, logtype_uams, "cleartext login: %s", username);
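Review bot: The added line `return AFPERR_NOTAUTH` has no terminating semicolon, so uams_passwd.c will not compile as shown. It should read `return AFPERR_NOTAUTH;`, as in every other hunk of this commit. This looks like a typo confined to this one file, and a build of the passwd UAM would catch it.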
/*
- * $Id: uams_randnum.c,v 1.20 2009-10-22 13:40:11 franklahm Exp $
+ * $Id: uams_randnum.c,v 1.21 2010-03-30 10:25:49 franklahm Exp $
*
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* Copyright (c) 1999 Adrian Sun (asun@u.washington.edu)
int err;
if (( randpwd = uam_getname(obj, username, ulen)) == NULL )
- return AFPERR_PARAM; /* unknown user */
+ return AFPERR_NOTAUTH; /* unknown user */
LOG(log_info, logtype_uams, "randnum/rand2num login: %s", username);
if (uam_checkuser(randpwd) < 0)