[openssh-commits] [openssh] 01/01: Search users for one with a valid salt.

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Jul 21 14:20:46 AEST 2016


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit dbf788b4d9d9490a5fff08a7b09888272bb10fcc
Author: Darren Tucker <dtucker at zip.com.au>
Date:   Thu Jul 21 14:17:31 2016 +1000

    Search users for one with a valid salt.
    
    If the root account is locked (eg password "!!" or "*LK*") keep looking
    until we find a user with a valid salt to use for crypting passwords of
    invalid users.  ok djm@
---
 openbsd-compat/xcrypt.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index 8913bb8..cf6a9b9 100644
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -65,7 +65,9 @@
 
 /*
  * Pick an appropriate password encryption type and salt for the running
- * system.
+ * system by searching through accounts until we find one that has a valid
+ * salt.  Usually this will be root unless the root account is locked out.
+ * If we don't find one we return a traditional DES-based salt.
  */
 static const char *
 pick_salt(void)
@@ -78,14 +80,18 @@ pick_salt(void)
 	if (salt[0] != '\0')
 		return salt;
 	strlcpy(salt, "xx", sizeof(salt));
-	if ((pw = getpwuid(0)) == NULL)
-		return salt;
-	passwd = shadow_pw(pw);
-	if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
-		return salt;  /* no $, DES */
-	typelen = p - passwd + 1;
-	strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
-	explicit_bzero(passwd, strlen(passwd));
+	setpwent();
+	while ((pw = getpwent()) != NULL) {
+		passwd = shadow_pw(pw);
+		if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
+			typelen = p - passwd + 1;
+			strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+			explicit_bzero(passwd, strlen(passwd));
+			goto out;
+		}
+	}
+ out:
+	endpwent();
 	return salt;
 }
 
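Review bot: Inside the new `while` loop, `explicit_bzero(passwd, strlen(passwd))` runs only for the entry whose hash supplies the salt, so each hash read from a non-matching account (DES-style or locked) stays in whatever buffer `shadow_pw()` returned. The old code read one account, whereas this loop may read many. Wiping on both paths is a small change: add `explicit_bzero(passwd, strlen(passwd));` as the last statement of the loop body, after which `goto out;` can become `break;` because the label sits directly after the loop. Separately, `getpwent()` walks the account database on the first call in each process, which may be slow where accounts come from a directory service and could shift the timing of the invalid-user path this salt is used for, so it is worth measuring. The declarations of `pick_salt()`, including the size of `salt`, are outside this hunk.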

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

