From owner-freebsd-audit Wed Nov 8 16: 4:40 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 6C09037B479 for ; Wed, 8 Nov 2000 16:04:37 -0800 (PST)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eA904Pg16911 for ; Wed, 8 Nov 2000 17:04:26 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id RAA34374 for ; Wed, 8 Nov 2000 17:04:25 -0700 (MST)
Message-Id: <200011090004.RAA34374@harmony.village.org>
To: audit@freebsd.org
Subject: Please review
Date: Wed, 08 Nov 2000 17:04:25 -0700
From: Warner Losh
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I'd like to commit the following change to -current and eventually stable. It adds the -N flag which restores the old behavior wrt null passwords. Turns out that for a lot of reasons, we need this for our products. We don't want to trust other hosts, unless the account has no password. This is different than + + in subtle ways, and the user list is going to be volatile from machine to machine and over time.

Warner

Index: rshd.c =================================================================== RCS file: /base/FreeBSD-tsc-4/libexec/rshd/rshd.c,v retrieving revision 1.1.1.4 diff -u -r1.1.1.4 rshd.c --- rshd.c 2000/07/28 17:54:16 1.1.1.4 +++ rshd.c 2000/11/08 23:49:21 @@ -87,6 +87,7 @@ int keepalive = 1; int log_success; /* If TRUE, log all successful accesses */ +int no_null_password = 1; int sent_null; int no_delay; #ifdef CRYPT @@ -117,7 +118,7 @@ extern int auth_pam __P((char *)); #endif -#define OPTIONS "alnDL" +#define OPTIONS "alnDLN" int main(argc, argv) @@ -154,6 +155,9 @@ case 'L': log_success = 1; break; + case 'N': + no_null_password = 0; + break; case '?': default: usage(); 
@@ -399,8 +403,10 @@ if (errorstr || (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || - iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, - remuser, locuser) < 0) { + ((no_null_password || + (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0')) && + iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, + remuser, locuser) < 0)) { if (__rcmd_errstr) syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'",
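
Review bot: the new global in the @@ -87,6 +87,7 @@ hunk has no comment and reads as a double negative, since no_null_password defaults to 1 and the -N option clears it to 0. The neighbouring log_success carries a one-line comment; give this variable one too, and consider a positive name such as allow_null_password, initialised to 0 and set to 1 by -N, so the test in the later hunk reads in the same direction as the flag.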
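
Review bot: the `case 'N':` arm in the @@ -154,6 +155,9 @@ hunk (with the matching OPTIONS change) introduces a flag that nothing in the posted diff documents. The diff only touches rshd.c and has no hunk for the text printed by usage(), which is reached from the default arm right below the new case, and none for the manual page. Please add -N to both and state there that it admits accounts with an empty password without the remote host check.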
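
Review bot: in the @@ -399,8 +403,10 @@ hunk, once -N has cleared no_null_password, an empty pw_passwd makes the left side of the && false, so iruserok_sa() is never called and the request is accepted from any host and any remuser. That applies to uid 0 as well, because `pwd->pw_uid == 0` is only an argument to the call being skipped. If root is not meant to be covered, add `pwd->pw_uid != 0` to the bypass condition; if it is, say so in a comment above the test. The denial path logs through syslog(), but nothing visible here records that a login was admitted without the host check, so a distinct log message on that path would help auditing. Minor style point: compare pw_passwd against NULL rather than 0.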