[Bug 559] PAM fixes
bugzilla-daemon at mindrot.org
Mon May 12 17:47:16 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=559
------- Additional Comments From djm at mindrot.org 2003-05-12 17:47 -------
Some comments:
> - setproctitle("%s%s", authctxt->pw ? user : "unknown",
> + setproctitle("%s%s", user,
> use_privsep ? " [net]" : "");
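
Review bot: the `+` line passes `user` to setproctitle() with no validity check, where the removed line substituted "unknown" whenever `authctxt->pw` was NULL. For a login name that matches no account, the client-supplied string would then show up in the process title. Keep the `authctxt->pw ? user : "unknown"` guard, or add a comment explaining why exposing the raw name is acceptable at this point.
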
We deliberately hide the username in logs and on the process list to avoid
password disclosure in situations where the client has entered their password as
their username (it happens...)
> - PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
> + PRIVSEP(start_pam(user));
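
Review bot: start_pam() now receives `user` even when `authctxt->pw == NULL`, because the "NOUSER" substitution on the `-` line is gone. If that is intended, the hunk needs a comment saying that PAM is deliberately started with a name that has no matching account, since nothing in the visible lines shows the NULL case was considered.
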
I am starting to change my mind that this may be correct. See Bug #117
> - PRIVSEP(start_pam("NOUSER"));
> + PRIVSEP(start_pam(user));
> + authenticated = -1; /* signal illegal user */
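
Review bot: `authenticated = -1` on the last `+` line introduces a magic value whose meaning lives only in the trailing comment. A named constant would make the "illegal user" state searchable, and every place that reads `authenticated` should be checked for tests that treat any nonzero value as success, since -1 is nonzero.
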
authctxt->valid = 0 should obviate the need for the authenticated = -1, no?
> + /*
> + * REDACTED
> + * REDACTED
> ...
What is this?
> - retval = (do_pam_authenticate(0) == PAM_SUCCESS);
> + retval = (do_pam_authenticate(options.permit_empty_passwd == 0
> + ? PAM_DISALLOW_NULL_AUTHTOK
> + : 0) == PAM_SUCCESS);
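
Review bot: the flag selection is nested inside the do_pam_authenticate() argument and then compared against PAM_SUCCESS, which makes the three `+` lines hard to read and easy to misparenthesize. Compute the flags into a local variable first, then make the call, and add a comment that `options.permit_empty_passwd == 0` is what selects PAM_DISALLOW_NULL_AUTHTOK.
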
Is this still necessary with the CVS -current PAM code?
More information about the openssh-unix-dev
mailing list