Flaw in empty password authentication in sshd
Darren Moffat
Darren.Moffat at eng.sun.com
Sat Nov 10 06:57:10 EST 2001
>: This problem can be overcome if "pam_authenticate" is called with
>: "PAM_DISALLOW_NULL_AUTHTOK" flag if empty passwords are not permitted.
>:
>: A possible patch for the problem is given below:
>
>thanks. i propose the following. can some PAM experts comment on this?
>is this the correct way to fix this? i have tested on hp-ux 11.
>
>Index: auth-pam.c
>===================================================================
>RCS file: /var/cvs/openssh/auth-pam.c,v
>retrieving revision 1.40
>diff -u -r1.40 auth-pam.c
>--- auth-pam.c 2001/10/28 17:32:38 1.40
>+++ auth-pam.c 2001/11/09 19:36:41
>@@ -217,7 +217,8 @@
> __pampasswd = password;
>
> pamstate = INITIAL_LOGIN;
>- pam_retval = do_pam_authenticate(0);
>+ pam_retval = do_pam_authenticate(
>+ options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
> if (pam_retval == PAM_SUCCESS) {
> debug("PAM Password authentication accepted for "
> "user \"%.100s\"", pw->pw_name);
That is the correct thing to do.
--
Darren J Moffat
More information about the openssh-unix-dev
mailing list