[Bug 559] PAM fixes
Frank Cusack
fcusack at fcusack.com
Mon May 12 22:23:53 EST 2003
On Mon, May 12, 2003 at 05:47:16PM +1000, bugzilla-daemon at mindrot.org wrote:
> http://bugzilla.mindrot.org/show_bug.cgi?id=559
> ------- Additional Comments From djm at mindrot.org 2003-05-12 17:47 -------
>
> > - retval = (do_pam_authenticate(0) == PAM_SUCCESS);
> > + retval = (do_pam_authenticate(options.permit_empty_passwd == 0
> > + ? PAM_DISALLOW_NULL_AUTHTOK
> > + : 0) == PAM_SUCCESS);
>
> Is this still necessary with the CVS -current PAM code?
Yes, something like it is required, auth-pam.c:213 and 216.
It looks like if I do kbdint, and have a null password, I will be
authenticated regardless of the setting of permit_empty_password.
This is just from inspection, not actual testing, but it looks clear.
The only place options.permit_empty_password is checked is in
auth-passwd.c, which isn't in the code path for kbdint.
/fc
More information about the openssh-unix-dev
mailing list