[Bug 633] Password authentication fails in HP-UX trusted mode due to DISABLE_SHADOW

bugzilla-daemon at mindrot.org
Sat Sep 6 01:17:56 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=633





------- Additional Comments From michael_steffens at hp.com  2003-09-06 01:17 -------
Hmm, how to guarantee this? But I would say, unless other platforms
get accidentally recognized as HP-UX by configure, or define the __hpux
macro, no platform but HP-UX can be affected by this change.

On HP-UX 10.20, 11.00, and 11.11 I have tested it with both trusted
and non-trusted mode, plus ShadowPassword on 11.11.

The possibility remains that OS patch levels might affect it, but it's
virtually impossible to test all possible configurations there...

Furthermore, using getspnam for this purpose is in line with its
specification, see getspent(3C).

Without ShadowPassword installed it states

      getspent() is only supported on trusted systems.

      The secured password facility is implemented without the use of the
      /etc/shadow file.  getspent(), getspnam(), setspent(), and endspent()
      read from the trusted system's protected password database
      (/tcb/files/auth/*/*) and not /etc/shadow.  The file /etc/shadow is
      not used in any way by the HP-UX login facility.

      These routines return a null pointer and sets ERRNO to ENOENT if the
      system has not been converted to trusted system.  In all other cases,
      the return value is set similarly to getprpwent().  See getprpwent(3)
      for more information.

      Programs using these routines must be compiled with -lsec.

On 11.11 with ShadowPassword installed it says

      If libsec patch PHCO_27038 or later is not installed, then getspent(),
      getspnam(), setspent() and endspent() are supported only on trusted
      systems; getspnam_r() and fgetspent() are not supported.  The secured
      password information is obtained from the Protected Password Database
      (/tcb/files/auth/*/*).

      If libsec patch PHCO_27038 or later is installed, then all of these
      functions are supported on standard systems, shadowed standard systems
      and trusted systems.  The one exception to this is that getspnam_r()
      is not supported on trusted systems.  On a standard system the secured
      password information is obtained from /etc/passwd.  If the system has
      been converted to a trusted system, then the secured password
      information is obtained from the Protected Password Database
      (/tcb/files/auth/*/*).  If the system has been converted to use shadow
      passwords, then the secured password information is obtained from
      /etc/shadow.  See shadow(4).

The patch referred to, PHCO_27038, however is part of the ShadowPassword
software bundle, thus can be assumed to be present.

Isn't this exactly the behaviour we want?


