[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: System password authentication

From: Brian Murphy
Subject: Re: System password authentication
Date: Tue, 15 Apr 2003 09:40:36 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1

Mike Ayers wrote:

        This peanut would like a pointer to the rest of this thread, please, as 
I would like to be sure of what we're discussing here.

Line 5654 and on of src/server.c (trunk) goes like this:

   if (password && *password)
   /* user exists and has no system password, but we got
      one as parameter */
   host_user = xstrdup (username);
   goto handle_return;

This check is in the section where the user has a blank system password,
the password variable is the password recieved from the user via pserver.

This check then says if the user has a blank system password then any
non blank password will authenticate her. Probably this test should be
removed and the user should be authenticated with any password, even
a blank one. As an alternative the user could be refused entry with a blank
system password, this would also increase security and there shouldn't
be too many people relying on this feature.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]