Fix checking password from /etc/passwd and /etc/shadow

Krzysztof Oledzki olemx at ans.pl
Thu Sep 25 01:26:03 EST 2003



On Wed, 24 Sep 2003, Michael Steffens wrote:

> Krzysztof Oledzki wrote:
> > Hello,
> >
> > This patch fixes the order of checking the password on systems that contain
> > an /etc/shadow file (Linux, for example). The order is exactly like in the
> > linux-shadow-password package. First /etc/passwd is checked, but if the
> > password field contains "x" then the password is read from /etc/shadow
> > instead.
>
> What is wrong with the current approach of first checking /etc/shadow
> using getspnam, falling back to /etc/passwd if the first didn't return
> anything?
>
> Reversing that order and making the decision depend on a non-zero
> value returned from /etc/passwd ("x", "*", whatever?) looks like
> making it more complicated to me.

If /etc/passwd contains:

aqq::1001:100:Aqq:/home/aqq:/bin/bash

and /etc/shadow:

aqq:!:12319:0:99999:7:::

Then login allows this user to log in with an empty password, but openssh does not.

Best Regards,

			Krzysztof Olędzki
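
The two lookup orders discussed in this thread, applied to the entries quoted above, as an added example that is not part of the original message and is not code from OpenSSH or the shadow package. The names `effective_field` and `enum order` are hypothetical; the code only selects which password field each order would consult and performs no password verification.

```c
#include <stdio.h>
#include <string.h>

enum order { SHADOW_FIRST, PASSWD_FIRST };

/* Copy colon-separated field idx (0-based) into out. strtok() is avoided:
 * it would skip the empty password field in "aqq::1001:...". */
static int field(const char *line, int idx, char *out, size_t outsz)
{
    while (idx-- > 0) {
        if ((line = strchr(line, ':')) == NULL)
            return -1;
        line++;
    }
    size_t n = strcspn(line, ":\n");
    if (n >= outsz)
        return -1;
    memcpy(out, line, n);
    out[n] = '\0';
    return 0;
}

/* Password field the given order would check; shadow_line is NULL when the
 * account has no shadow entry. Returns NULL on a malformed passwd line. */
const char *effective_field(const char *passwd_line, const char *shadow_line,
                            enum order o)
{
    static char pw[128], sp[128];
    int have_sp = shadow_line && field(shadow_line, 1, sp, sizeof sp) == 0;

    if (field(passwd_line, 1, pw, sizeof pw) != 0)
        return NULL;
    if (o == SHADOW_FIRST)          /* shadow entry wins whenever present */
        return have_sp ? sp : pw;
    /* PASSWD_FIRST: only the "x" placeholder redirects to the shadow entry */
    return (have_sp && strcmp(pw, "x") == 0) ? sp : pw;
}

int main(void)
{
    const char *pw = "aqq::1001:100:Aqq:/home/aqq:/bin/bash"; /* from the post */
    const char *sp = "aqq:!:12319:0:99999:7:::";              /* from the post */
    char a[128];

    snprintf(a, sizeof a, "%s", effective_field(pw, sp, SHADOW_FIRST));
    printf("shadow first: \"%s\"\npasswd first: \"%s\"\n",
           a, effective_field(pw, sp, PASSWD_FIRST));
    return 0;
}
```

For the quoted account the shadow-first order selects `!` while the passwd-first order selects the empty field, which is the mismatch between openssh and login described in the message.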




More information about the openssh-unix-dev mailing list