Fix checking password from /etc/passwd and /etc/shadow

Krzysztof Oledzki olemx at ans.pl
Thu Sep 25 04:43:25 EST 2003



On Wed, 24 Sep 2003, Ben Lindstrom wrote:

>
>
> On Wed, 24 Sep 2003, Krzysztof Oledzki wrote:
>
> >
> >
> > On Wed, 24 Sep 2003, Michael Steffens wrote:
> >
> > > Krzysztof Oledzki wrote:
> > > > Hello,
> > > >
> > > > This patch fixes the order of checking passwords on systems that contain
> > > > an /etc/shadow file (Linux for example). The order is exactly like in the
> > > > linux-shadow-password package. First /etc/passwd is checked, but if the
> > > > password field contains "x" then the password is read from /etc/shadow
> > > > instead.
> > >
> > > What is wrong with the current approach of first checking /etc/shadow
> > > using getspnam, falling back to /etc/passwd if the first didn't return
> > > anything?
> > >
> > > Reversing that order and making the decision depend on a non-zero
> > > value returned from /etc/passwd ("x", "*", whatever?) looks like
> > > making it more complicated to me.
> >
> > If /etc/passwd contains:
> >
> > aqq::1001:100:Aqq:/home/aqq:/bin/bash
> >
> > and /etc/shadow:
> > aqq:!:12319:0:99999:7:::
> >
> > Then login allows this user to log in with an empty password but openssh does not.
> >
>
> To me this is a bug in the Linux code.   /etc/shadow should take priority
> over /etc/passwd.

OK. This "bug" looks like this:

#ifdef SHADOWPWD
                /* /etc/shadow is consulted only when the /etc/passwd
                 * password field is exactly SHADOW_PASSWD_STRING ("x"). */
                spwd = NULL;
                if (pwd
                    && strcmp (pwd->pw_passwd,
                               SHADOW_PASSWD_STRING) == 0) {
                        spwd = getspnam (username);
                        if (spwd)
                                /* replace "x" with the real hash from shadow */
                                pwent.pw_passwd = spwd->sp_pwdp;
                        else
                                /* no shadow entry: pw_passwd stays "x" */
                                SYSLOG ((LOG_WARN,
                                         "no shadow password for `%s'%s",
                                         username, fromhost));
                }
#endif                          /* SHADOWPWD */


>  ALWAYS.
If you say so... ;-)


Best Regards,

				Krzysztof Olędzki
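To make the two lookup orders discussed in this thread concrete, here is an added C model (not code from OpenSSH, the shadow suite, or any participant). It replaces getpwnam/getspnam with lookups over constructed in-memory /etc/passwd and /etc/shadow entries (the user "aqq" mirrors the example above; "bob" and "carol" are hypothetical) and implements both policies side by side: shadow-first with fallback to passwd, and passwd-first consulting shadow only when the field is "x". The point of interest for a defender is the "aqq" case: an empty passwd field next to a locked ("!") shadow entry yields an empty effective password under the passwd-first rule, i.e. a passwordless login, while the shadow-first rule keeps the account locked.

```c
#include <stdio.h>
#include <string.h>

#define SHADOW_PASSWD_STRING "x"

/* Constructed sample entries standing in for /etc/passwd and /etc/shadow. */
struct pw_entry { const char *name; const char *passwd; };
struct sp_entry { const char *name; const char *pwdp; };

static const struct pw_entry passwd_db[] = {
    { "aqq",   ""  },            /* empty field, as in the thread's example */
    { "bob",   "x" },            /* hash lives in shadow (hypothetical user) */
    { "carol", "*" },            /* locked in passwd, no shadow entry (hypothetical) */
};

static const struct sp_entry shadow_db[] = {
    { "aqq", "!" },              /* locked in shadow, as in the thread's example */
    { "bob", "$6$salt$hash" },   /* placeholder hash, constructed */
};

/* Stand-in for getpwnam(): returns the passwd field, or NULL if no entry. */
static const char *lookup_passwd(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof passwd_db / sizeof passwd_db[0]; i++)
        if (strcmp(passwd_db[i].name, name) == 0)
            return passwd_db[i].passwd;
    return NULL;
}

/* Stand-in for getspnam(): returns the shadow field, or NULL if no entry. */
static const char *lookup_shadow(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof shadow_db / sizeof shadow_db[0]; i++)
        if (strcmp(shadow_db[i].name, name) == 0)
            return shadow_db[i].pwdp;
    return NULL;
}

/* Policy A (shadow takes priority): use the shadow field if one exists,
 * otherwise fall back to the passwd field. NULL if the user is unknown. */
const char *effective_password_shadow_first(const char *name)
{
    const char *sp = lookup_shadow(name);
    if (sp)
        return sp;
    return lookup_passwd(name);
}

/* Policy B (passwd first, as in the quoted SHADOWPWD block): start from the
 * passwd field and consult shadow only when that field is exactly "x".
 * If shadow has no entry, the field stays "x", which matches no hash. */
const char *effective_password_passwd_first(const char *name)
{
    const char *pw = lookup_passwd(name);
    const char *sp;
    if (!pw)
        return NULL;
    if (strcmp(pw, SHADOW_PASSWD_STRING) != 0)
        return pw;
    sp = lookup_shadow(name);
    return sp ? sp : pw;
}

/* An empty effective field is what lets a login succeed with no password. */
int empty_password_login_allowed(const char *effective)
{
    return effective != NULL && effective[0] == '\0';
}

int main(void)
{
    static const char *users[] = { "aqq", "bob", "carol", "nobody" };
    size_t i;
    for (i = 0; i < sizeof users / sizeof users[0]; i++) {
        const char *a = effective_password_shadow_first(users[i]);
        const char *b = effective_password_passwd_first(users[i]);
        printf("%-7s shadow-first=%-14s passwd-first=%-14s empty-login: %d / %d\n",
               users[i], a ? a : "(none)", b ? b : "(none)",
               empty_password_login_allowed(a), empty_password_login_allowed(b));
    }
    return 0;
}
```

Running it shows that only the passwd-first order turns the "aqq" pair into a passwordless account; for "bob" both orders resolve to the shadow hash, and for "carol" both keep the "*" lock. Auditing for passwd entries whose field is empty rather than "x" is the practical check this difference suggests.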
