bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: System password authentication


From: Brian Murphy
Subject: Re: System password authentication
Date: Sun, 13 Apr 2003 23:17:11 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1

<rant>
The code I commented on here is in the 1.11.5 release. The current development (and experimental) code is even more confusing. The check for a null "password" is moot at this point because it has already been passed to at least one function which
has passed it to crypt (without checking for nullness). I think code that
impliments security should be very simple - this code is not.
If my PAM patch is not going to be accepted then I would at least like the opportunity
to clean this up. I have already made some progress in the PAM patch but
I have not been as agressive with the clean up as this code deserves so that the
issues were seperated but I would enjoy doing it properly :-), hint, hint...
</rant>

/Brian

Brian Murphy wrote


   if (*found_passwd)
       {
       /* user exists and has a password */
       host_user = ((! strcmp (found_passwd,
                                   crypt (password, found_passwd)))
                        ? xstrdup (username) : NULL);
           goto handle_return;
       }
   else if (password && *password)
       {
       /* user exists and has no system password, but we got
          one as parameter */
       host_user = xstrdup (username);
           goto handle_return;
       }
   else
       {
       /* user exists but has no password at all */
       host_user = NULL;
           goto handle_return;
       }
   }

The "else if" here authenticates a user if she has supplied a (non blank)
password but the system password is blank, Why?







reply via email to

[Prev in Thread] Current Thread [Next in Thread]