Re: System password authentication
From: Brian Murphy
Subject: Re: System password authentication
Date: Tue, 15 Apr 2003 09:40:36 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1

Mike Ayers wrote:
> This peanut would like a pointer to the rest of this thread, please, as
> I would like to be sure of what we're discussing here.

Line 5654 and on of src/server.c (trunk) goes like this:

    if (password && *password)
    {
        /* user exists and has no system password, but we got
           one as parameter */
        host_user = xstrdup (username);
        goto handle_return;
    }

This check is in the section where the user has a blank system password;
the password variable is the password received from the user via pserver.
This check then says if the user has a blank system password then any
non-blank password will authenticate her. Probably this test should be
removed and the user should be authenticated with any password, even
a blank one. As an alternative the user could be refused entry with a blank
system password; this would also increase security and there shouldn't
be too many people relying on this feature.
/Brian
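
The blank-system-password branch described in the message above and the two changes it proposes, modelled side by side as an added example (not part of the original message and not CVS source). The function `check_login`, the policy names and the plain-string comparison are assumptions made for illustration, as is the refusal of an empty supplied password under the quoted behaviour, which is inferred from the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy names for this illustration; not identifiers from CVS. */
enum blank_policy {
    AS_QUOTED,            /* behaviour described in the message */
    ACCEPT_ANY,           /* first suggestion: remove the test */
    REFUSE_BLANK_ACCOUNT  /* alternative: no login for blank accounts */
};

/* Returns 1 when the login is granted, 0 when it is refused.
   system_pw is the account's system password ("" means blank) and
   supplied is what the client sent.  Assumption: plain strings are
   compared to keep the model short; a real server compares hashes. */
int check_login(const char *system_pw, const char *supplied,
                enum blank_policy policy)
{
    if (system_pw[0] != '\0')   /* normal account: password must match */
        return supplied != NULL && strcmp(system_pw, supplied) == 0;

    /* Blank system password: the branch the message is about. */
    switch (policy) {
    case AS_QUOTED:
        /* Assumption inferred from the message: an empty supplied
           password is refused, any non-empty one is accepted. */
        return supplied != NULL && *supplied != '\0';
    case ACCEPT_ANY:
        return 1;
    case REFUSE_BLANK_ACCOUNT:
        return 0;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs for an account with a blank system password. */
    const char *supplied[] = { "", "anything" };
    const char *names[] = { "as quoted", "accept any", "refuse blank account" };
    for (int p = AS_QUOTED; p <= REFUSE_BLANK_ACCOUNT; p++)
        for (int i = 0; i < 2; i++)
            printf("%-21s supplied=\"%s\" -> %s\n", names[p], supplied[i],
                   check_login("", supplied[i], (enum blank_policy)p)
                       ? "granted" : "refused");
    return 0;
}
```

Only the third policy stops an account with a blank system password from being reachable over the network; accounts with a real password behave the same under all three.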