[Bug 559] PAM fixes

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon May 12 17:47:16 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=559
------- Additional Comments From djm at mindrot.org  2003-05-12 17:47 -------
Some comments:

> -	setproctitle("%s%s", authctxt->pw ? user : "unknown",
> +	setproctitle("%s%s", user,
>  	    use_privsep ? " [net]" : "");
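Review bot: the removed `authctxt->pw ?` guard is what kept an unrecognised username out of the process title; after this change whatever string the client sent appears in the process list for every local user to read, so the "unknown" fallback for the invalid-user case should stay.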

We deliberately hide the username in logs and on the process list to avoid
password disclosure in situations where the client has entered their password as
their username (it happens...)

> -	PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
> +	PRIVSEP(start_pam(user));
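Review bot: dropping the `authctxt->pw == NULL` check hands the client-supplied name for a nonexistent account straight to `start_pam()` instead of the "NOUSER" placeholder, which has the same disclosure consideration as the process title; the patch should state why that is acceptable here.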

I am starting to change my mind that this may be correct. See Bug #117

> -			PRIVSEP(start_pam("NOUSER"));
> +			PRIVSEP(start_pam(user));
> +			authenticated = -1;	/* signal illegal user */
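Review bot: `authenticated = -1` turns an int that elsewhere reads as a boolean into a three-state flag on the strength of a one-line comment; the code that tests `authenticated` needs to be shown handling -1 separately from 0, and if `authctxt->valid` already records that the user is invalid the extra state is redundant.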

authctxt->valid = 0 should obviate the need for the authenticated = -1, no?

> +	/*
> +	 * REDACTED
> +	 * REDACTED
> ...
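Review bot: a comment block whose body is only "REDACTED" cannot be reviewed; the rationale the comment was meant to carry should be in the patch itself.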

What is this?

> -	retval = (do_pam_authenticate(0) == PAM_SUCCESS);
> +	retval = (do_pam_authenticate(options.permit_empty_passwd == 0
> +				      ? PAM_DISALLOW_NULL_AUTHTOK
> +				      : 0) == PAM_SUCCESS);
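Review bot: the three-line ternary inside the call argument is hard to read; compute the flag first, e.g. `int flags = options.permit_empty_passwd ? 0 : PAM_DISALLOW_NULL_AUTHTOK;` and pass `flags` to `do_pam_authenticate()`, so the mapping from the sshd option to the PAM flag is visible at a glance.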

Is this still necessary with the CVS -current PAM code?
