Re: System password authentication
From: Brian Murphy
Subject: Re: System password authentication
Date: Sun, 13 Apr 2003 23:17:11 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1
<rant>
The code I commented on here is in the 1.11.5 release. The current development (and experimental) code is even more confusing. The check for a null "password" is moot at this point because it has already been passed to at least one function which has passed it to crypt (without checking for nullness). I think code that implements security should be very simple - this code is not.

If my PAM patch is not going to be accepted then I would at least like the opportunity to clean this up. I have already made some progress in the PAM patch, but I have not been as aggressive with the clean-up as this code deserves, so that the issues were separated; I would enjoy doing it properly :-), hint, hint...
</rant>
/Brian
Brian Murphy wrote:

    if (*found_passwd)
      {
        /* user exists and has a password */
        host_user = ((! strcmp (found_passwd,
                                crypt (password, found_passwd)))
                     ? xstrdup (username) : NULL);
        goto handle_return;
      }
    else if (password && *password)
      {
        /* user exists and has no system password, but we got
           one as parameter */
        host_user = xstrdup (username);
        goto handle_return;
      }
    else
      {
        /* user exists but has no password at all */
        host_user = NULL;
        goto handle_return;
      }
  }
The "else if" here authenticates a user if she has supplied a (non-blank) password but the system password is blank. Why?
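The branch logic above, reduced to a yes/no result so the two points raised in the mail can be exercised directly: the "else if" that accepts any non-empty password for an account with no stored password, and the fact that `password` reaches crypt() before anything checks it for NULL. This is an added illustration, not CVS code and not code from the mail. It assumes a `toy_crypt()` stand-in so the example builds without -lcrypt (it is not a real hash, only the calling convention of crypt(3)), and the `hardened_check()` variant is one possible tightening chosen for the example, not a change that CVS made.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for crypt(3) so this example builds without -lcrypt.
 * It is NOT a real password hash (djb2 over key + 2-char salt); it only
 * reproduces crypt()'s calling convention: the salt is the first two
 * characters of the second argument, the result starts with that salt,
 * and the result lives in a static buffer that the next call overwrites. */
static const char *toy_crypt(const char *key, const char *salt)
{
    static char out[32];
    unsigned long h = 5381;
    for (const char *p = key; *p; p++)
        h = h * 33 + (unsigned char)*p;
    for (int i = 0; i < 2 && salt[i]; i++)
        h = h * 33 + (unsigned char)salt[i];
    snprintf(out, sizeof out, "%.2s%08lx", salt, h & 0xffffffffUL);
    return out;
}

/* The decision logic of the quoted fragment, with host_user reduced to
 * 1 (authenticated) / 0 (rejected). found_passwd is the stored hash of an
 * account that exists; "" means the account has no password. */
int original_check(const char *found_passwd, const char *password)
{
    if (*found_passwd) {
        /* User has a password: compare hashes. `password` goes straight
         * into crypt(); a NULL here is dereferenced before any check. */
        return strcmp(found_passwd, toy_crypt(password, found_passwd)) == 0;
    } else if (password && *password) {
        /* No stored password but a non-empty one was supplied: accepted.
         * This is the branch the mail questions: any non-empty string
         * logs the user in. */
        return 1;
    } else {
        /* No stored password and none supplied: rejected. */
        return 0;
    }
}

/* One possible tightening (an assumption of this example, not a CVS
 * change): reject a NULL or empty password before anything touches it,
 * and treat an account with no stored password as one that cannot be
 * authenticated rather than one that accepts anything. */
int hardened_check(const char *found_passwd, const char *password)
{
    if (password == NULL || *password == '\0')
        return 0;
    if (found_passwd == NULL || *found_passwd == '\0')
        return 0;
    return strcmp(found_passwd, toy_crypt(password, found_passwd)) == 0;
}

/* Demo helpers: build the stored field from a known plaintext ("" gives a
 * passwordless account) and run one attempt through each check. */
static void stored_field(const char *account_plain, char *buf, size_t n)
{
    if (*account_plain == '\0')
        buf[0] = '\0';
    else
        snprintf(buf, n, "%s", toy_crypt(account_plain, "ab"));
}

int original_accepts(const char *account_plain, const char *attempt)
{
    char stored[32];
    stored_field(account_plain, stored, sizeof stored);
    return original_check(stored, attempt);
}

int hardened_accepts(const char *account_plain, const char *attempt)
{
    char stored[32];
    stored_field(account_plain, stored, sizeof stored);
    return hardened_check(stored, attempt);
}

int main(void)
{
    /* Constructed scenarios: an account whose password is "secret" and a
     * passwordless account. */
    printf("original: secret/secret   -> %d\n", original_accepts("secret", "secret"));
    printf("original: secret/wrong    -> %d\n", original_accepts("secret", "wrong"));
    printf("original: <none>/anything -> %d  (the questioned branch)\n",
           original_accepts("", "anything"));
    printf("hardened: <none>/anything -> %d\n", hardened_accepts("", "anything"));
    printf("hardened: secret/NULL     -> %d\n", hardened_accepts("secret", NULL));
    /* original_accepts("secret", NULL) would dereference NULL inside crypt(). */
    return 0;
}
```

The point of `hardened_check()` is ordering: the NULL/empty test comes first so that nothing downstream (crypt() in the real code) ever sees an unchecked pointer, and the "no stored password" case is decided explicitly instead of falling out of an else-if chain.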