Locked account checks and PAM
Darren Tucker
dtucker at zip.com.au
Tue Aug 26 10:50:30 EST 2003
Hi All.
I (actually the tinderbox[1]) found a problem with the fix for bug #422:
when PAM is enabled on a platform that uses /etc/shadow, the variable
"passwd" in auth.c is used uninitialized.
There's a simple patch attached to fix this.
The question is: should the locked account test be done when PAM is
enabled or should we rely on PAM to do the right thing? In theory they
should behave the same way, but ISTR that in some patchlevels of Solaris
PAM did not check for this.
[1] http://dodgynet.dyndns.org/tinderbox/OpenSSH_Portable/status.html
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: auth.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
retrieving revision 1.75
diff -u -p -r1.75 auth.c
--- auth.c 25 Aug 2003 01:51:19 -0000 1.75
+++ auth.c 25 Aug 2003 13:56:25 -0000
@@ -73,7 +73,7 @@ int
allowed_user(struct passwd * pw)
{
struct stat st;
- const char *hostname = NULL, *ipaddr = NULL, *passwd;
+ const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
char *shell;
int i;
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
@@ -85,8 +85,7 @@ allowed_user(struct passwd * pw)
return 0;
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
- if (!options.use_pam)
- spw = getspnam(pw->pw_name);
+ spw = getspnam(pw->pw_name);
#ifdef HAS_SHADOW_EXPIRE
#define DAY (24L * 60 * 60) /* 1 day in seconds */
if (!options.use_pam && spw != NULL) {
More information about the openssh-unix-dev
mailing list