Flaw in empty password authentication in sshd
Kevin Steves
stevesk at pobox.com
Sat Nov 10 06:43:48 EST 2001
On Wed, 7 Nov 2001 jayaraj at amritapuri.com wrote:
: >Fix:
: This problem can be overcome if "pam_authenticate" is called with
: "PAM_DISALLOW_NULL_AUTHTOK" flag if empty passwords are not permitted.
:
: A possible patch for the problem is given below:
Thanks. I propose the following. Can some PAM experts comment on this?
Is this the correct way to fix this? I have tested on HP-UX 11.
Index: auth-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth-pam.c,v
retrieving revision 1.40
diff -u -r1.40 auth-pam.c
--- auth-pam.c 2001/10/28 17:32:38 1.40
+++ auth-pam.c 2001/11/09 19:36:41
@@ -217,7 +217,8 @@
__pampasswd = password;
pamstate = INITIAL_LOGIN;
- pam_retval = do_pam_authenticate(0);
+ pam_retval = do_pam_authenticate(
+ options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
if (pam_retval == PAM_SUCCESS) {
debug("PAM Password authentication accepted for "
"user \"%.100s\"", pw->pw_name);
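Review bot: PAM_DISALLOW_NULL_AUTHTOK only asks the module to reject an empty authtok, and whether a given module honours that flag is module-specific, so this hunk should not be the only guard: before the do_pam_authenticate() call, when `options.permit_empty_passwd == 0` and `password` is empty, fail the authentication in sshd itself (with a debug() line in the style of the "accepted" message below) without calling into PAM at all. The flag is also only selected at this one call site; if do_pam_authenticate() is reached from any other authentication path, the same selection is needed there, so computing it once, e.g. `int flags = options.permit_empty_passwd ? 0 : PAM_DISALLOW_NULL_AUTHTOK;`, and passing `flags` reads better than the ternary split across two lines.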
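To make the interaction between the PermitEmptyPasswords option, the PAM_DISALLOW_NULL_AUTHTOK flag and a daemon-side check concrete, here is an added, stand-alone C example; it is not OpenSSH code and does not link against libpam. The flag and result constants are redefined with Linux-PAM's values so it builds anywhere, `simulated_pam_authenticate()` is a hypothetical stand-in for a PAM module (parameter `honors_flag` models whether the module implements the flag at all), and `sshd_pam_password_auth()` is an assumed shape for what the daemon's password path should do around the call.

```c
#include <stdio.h>
#include <string.h>

/* Constants as defined by Linux-PAM's <security/pam_appl.h>, redefined here so
 * the example compiles without libpam (assumption: numeric values may differ
 * on other PAM implementations; only the names matter for the logic). */
#define PAM_SUCCESS               0
#define PAM_AUTH_ERR              7
#define PAM_DISALLOW_NULL_AUTHTOK 0x0001

/* Flags sshd should hand to pam_authenticate(): the expression from the patch,
 * keyed on the PermitEmptyPasswords setting (1 = yes, 0 = no). */
int pam_auth_flags(int permit_empty_passwd)
{
    return permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0;
}

/* Hypothetical PAM module stand-in (constructed for this example, not a real
 * module). stored_authtok is the account's password; an empty one means "no
 * password set". honors_flag says whether this module implements
 * PAM_DISALLOW_NULL_AUTHTOK; real modules differ in this respect. */
int simulated_pam_authenticate(int flags, const char *stored_authtok,
                               const char *supplied, int honors_flag)
{
    if (stored_authtok[0] == '\0' && supplied[0] == '\0') {
        /* Empty password for an account with no password. */
        if ((flags & PAM_DISALLOW_NULL_AUTHTOK) && honors_flag)
            return PAM_AUTH_ERR;
        return PAM_SUCCESS;      /* module ignores the flag, or it was not set */
    }
    return strcmp(stored_authtok, supplied) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Assumed shape of the daemon's password authentication step.
 * Returns 1 if the login is accepted, 0 if it is rejected. */
int sshd_pam_password_auth(int permit_empty_passwd, const char *password,
                           const char *stored_authtok, int module_honors_flag)
{
    /* Defence in depth: never let an empty password reach PAM when the
     * administrator disabled empty passwords, whatever the module does. */
    if (permit_empty_passwd == 0 && password[0] == '\0')
        return 0;

    int rc = simulated_pam_authenticate(pam_auth_flags(permit_empty_passwd),
                                        stored_authtok, password,
                                        module_honors_flag);
    return rc == PAM_SUCCESS;
}

int main(void)
{
    /* Constructed cases: account with no password, empty password supplied. */
    printf("pre-patch (flags=0), module honours flag : %s\n",
           simulated_pam_authenticate(0, "", "", 1) == PAM_SUCCESS
               ? "ACCEPTED (the reported flaw)" : "rejected");
    printf("patched flag only, module ignores flag   : %s\n",
           simulated_pam_authenticate(pam_auth_flags(0), "", "", 0) == PAM_SUCCESS
               ? "ACCEPTED (flag not honoured)" : "rejected");
    printf("flag plus daemon-side check              : %s\n",
           sshd_pam_password_auth(0, "", "", 0) ? "accepted" : "rejected");
    printf("PermitEmptyPasswords yes                 : %s\n",
           sshd_pam_password_auth(1, "", "", 1) ? "accepted" : "rejected");
    return 0;
}
```

The point of the third line of output is that the flag and the daemon-side check are complementary: the flag lets a module that implements it refuse the empty authtok, while the check in sshd covers modules that do not.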
More information about the openssh-unix-dev mailing list