authorDag-Erling Smørgrav <des@FreeBSD.org>2003-04-07 09:56:46 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2003-04-07 09:56:46 +0000
commit53ac3f7d443451e8d3ce7d3c97e8cf441e42683e (patch)
treec396283350c06132c1024e7d9894ed9a7f1c4478 /crypto/openssh
parentf4b8418f7f27fd4cd0224950c4e8be0993b7cd4e (diff)
Notes
Diffstat (limited to 'crypto/openssh')
-rw-r--r--crypto/openssh/auth-chall.c8
-rw-r--r--crypto/openssh/auth.h1
-rw-r--r--crypto/openssh/auth1.c14
-rw-r--r--crypto/openssh/auth2-pam-freebsd.c15
4 files changed, 35 insertions, 3 deletions
diff --git a/crypto/openssh/auth-chall.c b/crypto/openssh/auth-chall.c
index b9c2efd9b6d9..1daa1441887d 100644
--- a/crypto/openssh/auth-chall.c
+++ b/crypto/openssh/auth-chall.c
@@ -99,3 +99,11 @@ verify_response(Authctxt *authctxt, const char *response)
authctxt->kbdintctxt = NULL;
return res ? 0 : 1;
}
+void
+abandon_challenge_response(Authctxt *authctxt)
+{
+ if (authctxt->kbdintctxt != NULL) {
+ device->free_ctx(authctxt->kbdintctxt);
+ authctxt->kbdintctxt = NULL;
+ }
+}
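Review bot: abandon_challenge_response() dereferences `device` while guarding only on `authctxt->kbdintctxt`, and nothing in the hunk says why that is safe. `device` is defined outside the hunk, so presumably get_challenge() always sets it before it creates the context, but that invariant should be written down. A header comment would do, for example `/* Free the context left by get_challenge() when no response arrives; no-op if none is pending. Relies on device being set whenever kbdintctxt is. */`.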
diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h
index 79ce4206c137..4e19ee47d82b 100644
--- a/crypto/openssh/auth.h
+++ b/crypto/openssh/auth.h
@@ -160,6 +160,7 @@ struct passwd * getpwnamallow(const char *user);
char *get_challenge(Authctxt *);
int verify_response(Authctxt *, const char *);
+void abandon_challenge_response(Authctxt *);
struct passwd * auth_get_user(void);
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index f88dcc9aec5b..a13f61011abb 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -74,7 +74,7 @@ do_authloop(Authctxt *authctxt)
char info[1024];
u_int dlen;
u_int ulen;
- int type = 0;
+ int prev, type = 0;
struct passwd *pw = authctxt->pw;
debug("Attempting authentication for %s%.100s.",
@@ -104,8 +104,20 @@ do_authloop(Authctxt *authctxt)
info[0] = '\0';
/* Get a packet from the client. */
+ prev = type;
type = packet_read();
+ /*
+ * If we started challenge-response authentication but the
+ * next packet is not a response to our challenge, release
+ * the resources allocated by get_challenge() (which would
+ * normally have been released by verify_response() had we
+ * received such a response)
+ */
+ if (prev == SSH_CMSG_AUTH_TIS &&
+ type != SSH_CMSG_AUTH_TIS_RESPONSE)
+ abandon_challenge_response(authctxt);
+
/* Process the packet. */
switch (type) {
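Review bot: The cleanup at `if (prev == SSH_CMSG_AUTH_TIS && ...)` is keyed on the previous packet type rather than on whether a challenge context is actually outstanding. Since abandon_challenge_response() already checks `kbdintctxt` for NULL, `if (type != SSH_CMSG_AUTH_TIS_RESPONSE) abandon_challenge_response(authctxt);` would cover the same case without the extra `prev` variable. It would also release a context left behind by any other path, if one exists; the rest of do_authloop() is outside the hunk, so that cannot be confirmed here. Tying the release to state matters because this loop runs before authentication and the client chooses the packet order.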
diff --git a/crypto/openssh/auth2-pam-freebsd.c b/crypto/openssh/auth2-pam-freebsd.c
index e62b232b1c4f..234a67e3fddd 100644
--- a/crypto/openssh/auth2-pam-freebsd.c
+++ b/crypto/openssh/auth2-pam-freebsd.c
@@ -187,6 +187,14 @@ pam_thread(void *ctxtp)
Buffer buffer;
struct pam_conv pam_conv = { pam_thread_conv, ctxt };
+#ifndef USE_POSIX_THREADS
+ {
+ const char *pam_user;
+
+ pam_get_item(pam_handle, PAM_USER, (const void **)&pam_user);
+ setproctitle("%s [pam]", pam_user);
+ }
+#endif
buffer_init(&buffer);
pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&pam_conv);
if (pam_err != PAM_SUCCESS)
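Review bot: The return value of `pam_get_item()` is ignored and `pam_user` is declared without an initializer, so a failed lookup passes an indeterminate pointer to `setproctitle()`. A successful lookup can also yield a NULL item. Initialise it and fall back explicitly: `const char *pam_user = NULL;` followed by `if (pam_get_item(pam_handle, PAM_USER, (const void **)&pam_user) != PAM_SUCCESS || pam_user == NULL) pam_user = "unknown";`. Passing the name as a `%s` argument rather than as the format string is the right choice, since the user name comes from the client.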
@@ -195,10 +203,10 @@ pam_thread(void *ctxtp)
if (pam_err != PAM_SUCCESS)
goto auth_fail;
pam_err = pam_acct_mgmt(pam_handle, 0);
- if (pam_err != PAM_SUCCESS)
+ if (pam_err != PAM_SUCCESS && pam_err != PAM_NEW_AUTHTOK_REQD)
goto auth_fail;
buffer_put_cstring(&buffer, "OK");
- ssh_msg_send(ctxt->pam_csock, PAM_SUCCESS, &buffer);
+ ssh_msg_send(ctxt->pam_csock, pam_err, &buffer);
buffer_free(&buffer);
pthread_exit(NULL);
auth_fail:
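Review bot: After this change an expired token (`PAM_NEW_AUTHTOK_REQD` from `pam_acct_mgmt()`) is reported to the parent as "OK", with only the message type distinguishing it from a clean success. Whether the account is then forced through a password change before a session opens depends on code outside this hunk that consumes `pam_new_authtok_reqd`. If that enforcement is missing or can be skipped, expired accounts can log in normally. A comment at the check would record the contract, e.g. `/* an expired token is not a failure here; the receiver must force a change before starting a session */`. It is also worth confirming that the type parameter of `ssh_msg_send()` can carry every value `pam_err` may hold at this point.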
@@ -356,6 +364,9 @@ pam_query(void *ctx, char **name, char **info,
plen += sprintf(**prompts + plen, "%s", msg);
xfree(msg);
break;
+ case PAM_NEW_AUTHTOK_REQD:
+ pam_new_authtok_reqd = 1;
+ /* FALLTHROUGH */
case PAM_SUCCESS:
case PAM_AUTH_ERR:
if (**prompts != NULL) {
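Review bot: The new `case PAM_NEW_AUTHTOK_REQD:` falls through into the branch shared by `PAM_SUCCESS` and `PAM_AUTH_ERR`, whose body continues outside the hunk. If that body later separates success from failure with a test such as `type == PAM_SUCCESS`, the new message type would take the failure path even though the flag was just set. The test would then need to accept `PAM_NEW_AUTHTOK_REQD` as well. `pam_new_authtok_reqd` is declared outside the hunk and is only ever set to 1 here, so it is worth checking that it is cleared if authentication is retried within the same process.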