[Bug 559] PAM fixes
Frank Cusack
fcusack at fcusack.com
Mon May 12 21:02:54 EST 2003
On Mon, May 12, 2003 at 05:47:16PM +1000, bugzilla-daemon at mindrot.org wrote:
> ------- Additional Comments From djm at mindrot.org 2003-05-12 17:47 -------
> Some comments:
>
> > - setproctitle("%s%s", authctxt->pw ? user : "unknown",
> > + setproctitle("%s%s", user,
> > use_privsep ? " [net]" : "");
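Review bot: dropping the `authctxt->pw ? user : "unknown"` guard puts whatever the client sent as a user name straight into the process title, including a password typed into the username field by mistake, which is exactly the disclosure the original masking guards against; keep masking unknown users in the setproctitle() call (for example `authctxt->valid ? user : "unknown"`) and apply the same rule to any log line that prints the name.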
>
> We deliberately hide the username in logs and on the process list to avoid
> password disclosure in situations where the client has entered their password as
> their username (it happens...)
Good point.
> > - PRIVSEP(start_pam("NOUSER"));
> > + PRIVSEP(start_pam(user));
> > + authenticated = -1; /* signal illegal user */
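Review bot: `authenticated = -1` overloads the success/failure variable with an out-of-band sentinel that every later check of `authenticated` has to know about; `authctxt->valid = 0` already carries the "illegal user" state, so use that and leave `authenticated` as a plain boolean. Also consider whether handing the raw client-supplied `user` to start_pam() reopens the password-as-username disclosure that the process-title masking exists to prevent, since that string will be visible to whatever the PAM stack does with it.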
>
> authctxt->valid = 0 should obviate the need for the authenticated = -1, no?
Yes, that will work, and is better.
> > + /*
> > + * REDACTED
> > + * REDACTED
> > ...
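Review bot: the comment body is redacted in the posted patch, so it cannot be reviewed; a long site-specific comment does not belong in a patch submitted upstream, so drop it (or replace it with a one-line note) before resubmitting.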
>
> What is this?
A long comment of significance to my site. You don't want to see it. :-)
> > - retval = (do_pam_authenticate(0) == PAM_SUCCESS);
> > + retval = (do_pam_authenticate(options.permit_empty_passwd == 0
> > + ? PAM_DISALLOW_NULL_AUTHTOK
> > + : 0) == PAM_SUCCESS);
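Review bot: the `== 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0` ternary reads backwards; write it as `options.permit_empty_passwd ? 0 : PAM_DISALLOW_NULL_AUTHTOK`, or compute the flags into a named variable before the do_pam_authenticate() call, so the condition states the intent (empty passwords are refused unless PermitEmptyPasswords is on). Whether the flag is still needed at all depends on how the CVS -current PAM code handles empty authtoks, which is the open question raised on this hunk.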
>
> Is this still necessary with the CVS -current PAM code?
anoncvs.be.openbsd.org is down, so I can't tell.
Thanks for taking a look.
/fc