Date: Mon, 26 Mar 2001 15:54:18 +0200 (CEST)
From: voland@lflat.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/26093: pam_unix rejects authenticating accounts with empty passwords
Message-ID: <20010326135418.0E2307CD0@lflat.org>
>Number: 26093 >Category: bin >Synopsis: pam_unix rejects authenticating accounts with empty passwords >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Mar 26 06:00:02 PST 2001 >Closed-Date: >Last-Modified: >Originator: Vadim Belman >Release: FreeBSD 4.3-BETA i386 >Organization: Mobilix A/S >Environment: System: FreeBSD lflat.org 4.3-BETA FreeBSD 4.3-BETA #5: Thu Mar 15 09:21:59 CET 2001 root@lflat.org:/opt/obj/opt/src/sys/LFLAT i386 >Description: pam_unix rejects authenticating accounts where password field is empty. This happens because the password it gets from a client gets crypt'ed irrespectively of whether the password field obtained from the master.passwd is empty or not. >How-To-Repeat: Create an account with empty password field in the master.passwd file and try ssh'ing to the host if sshd uses PAM authentication. >Fix: The following patch fixes the problem: --- pam_unix.c.orig Mon Mar 26 15:43:26 2001 +++ pam_unix.c Mon Mar 26 15:23:41 2001 @@ -69,8 +69,13 @@ return retval; if ((pwd = getpwnam(user)) != NULL) { encrypted = crypt(password, pwd->pw_passwd); - if (password[0] == '\0' && pwd->pw_passwd[0] != '\0') + if (password[0] == '\0') { + if (pwd->pw_passwd[0] != '\0') { encrypted = ":"; + } else { + encrypted = ""; + } + } retval = strcmp(encrypted, pwd->pw_passwd) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
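Review bot: In the new else branch (`encrypted = "";`), an account whose master.passwd field is empty now authenticates with an empty password for every PAM service that uses this module, sshd included, and nothing in the hunk makes that opt-in. Consider accepting the empty field only when an explicit module argument allows it (a nullok-style option is a suggestion here, not something visible in this patch) and returning PAM_AUTH_ERR otherwise. Separately, crypt() is still called before the empty-password check and its result is passed to strcmp() without a NULL check; moving the crypt() call into the non-empty path and checking its return value would avoid the wasted call and a possible NULL dereference.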