Fix checking password from /etc/passwd and /etc/shadow

Ben Lindstrom mouring at etoh.eviladmin.org
Thu Sep 25 03:18:58 EST 2003



On Wed, 24 Sep 2003, Krzysztof Oledzki wrote:

>
>
> On Wed, 24 Sep 2003, Michael Steffens wrote:
>
> > Krzysztof Oledzki wrote:
> > > Hello,
> > >
> > > This patch fixes the order of checking the password on systems that contain
> > > an /etc/shadow file (Linux for example). The order is exactly like in the
> > > linux-shadow-password package. /etc/passwd is checked first, but if the
> > > password field contains "x" then the password is read from /etc/shadow
> > > instead.
> >
> > What is wrong with the current approach of first checking /etc/shadow
> > using getspnam, falling back to /etc/passwd if the first didn't return
> > anything?
> >
> > Reversing that order and making the decision depend on a non-zero
> > value returned from /etc/passwd ("x", "*", whatever?) looks like
> > making it more complicated to me.
>
> If /etc/passwd contains:
>
> aqq::1001:100:Aqq:/home/aqq:/bin/bash
>
> and /etc/shadow:
> aqq:!:12319:0:99999:7:::
>
> Then login allows this user to log in with an empty password, but openssh does not.
>

To me this is a bug in the Linux code. /etc/shadow should take priority
over /etc/passwd. ALWAYS.

- Ben
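
The aqq case quoted above, as an added example that is not part of the original message and is not OpenSSH or shadow package code: it resolves the effective password field under both lookup orders discussed in the thread and flags accounts where they disagree. The in-memory file copies, the bob entry and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample files; the aqq lines are the ones quoted in the thread. */
static const char *PASSWD[] = { "aqq::1001:100:Aqq:/home/aqq:/bin/bash",
    "bob:x:1002:100:Bob:/home/bob:/bin/bash", NULL };
static const char *SHADOW[] = { "aqq:!:12319:0:99999:7:::",
    "bob:$6$constructed$hash:12319:0:99999:7:::", NULL };

/* Copy the idx-th colon-separated field of line into out; empty fields are kept. */
static void field(const char *line, int idx, char *out, size_t n) {
    while (idx-- > 0 && (line = strchr(line, ':')) != NULL) line++;
    size_t len = line ? strcspn(line, ":") : 0;
    if (len >= n) len = n - 1;
    if (line) memcpy(out, line, len);
    out[len] = '\0';
}

/* Find user's record in db and copy its password field; returns 1 if found. */
static int lookup(const char **db, const char *user, char *out, size_t n) {
    char name[64];
    for (; *db; db++) {
        field(*db, 0, name, sizeof name);
        if (strcmp(name, user) == 0) { field(*db, 1, out, n); return 1; }
    }
    return 0;
}

/* Order in the patch description: /etc/passwd first, "x" redirects to shadow. */
int passwd_first(const char *user, char *out, size_t n) {
    if (!lookup(PASSWD, user, out, n)) return 0;
    return strcmp(out, "x") ? 1 : lookup(SHADOW, user, out, n);
}

/* Order in Michael Steffens' reply: shadow first, /etc/passwd as fallback. */
int shadow_first(const char *user, char *out, size_t n) {
    return lookup(SHADOW, user, out, n) || lookup(PASSWD, user, out, n);
}

/* Audit check: 1 if the two orders yield different password fields for user. */
int orders_disagree(const char *user) {
    char a[128], b[128];
    int fa = passwd_first(user, a, sizeof a), fb = shadow_first(user, b, sizeof b);
    return fa != fb || (fa && strcmp(a, b) != 0);
}

int main(void) {
    printf("aqq: %d, bob: %d\n", orders_disagree("aqq"), orders_disagree("bob"));
    return 0;
}
```

For aqq the passwd-first order yields an empty field while the shadow-first order yields `!`, which is the divergence between login and openssh reported in the thread; bob, whose passwd field is `x`, resolves identically either way.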



