author | nsayer <nsayer@FreeBSD.org> | 2001-05-15 04:47:14 +0000 |
---|---|---|
committer | nsayer <nsayer@FreeBSD.org> | 2001-05-15 04:47:14 +0000 |
commit | 2bdf180df8cc9444b255a01377516bec3cd373bd (patch) | |
tree | a67c5c3dde5e2cfce4983f707b972a6992665544 /crypto/telnet | |
parent | d65d64c98705b1862b5b73b62d801063d2537e5e (diff) | |
If the uid of the attempted authentication is 0 and if the pty is
insecure, do not succeed. Copied from login.c. This functionality really
should be a PAM module.
Diffstat (limited to 'crypto/telnet')
-rw-r--r-- | crypto/telnet/libtelnet/sra.c | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/crypto/telnet/libtelnet/sra.c b/crypto/telnet/libtelnet/sra.c
index 9274f88..395f217 100644
--- a/crypto/telnet/libtelnet/sra.c
+++ b/crypto/telnet/libtelnet/sra.c
@@ -17,6 +17,8 @@
 #include <security/pam_appl.h>
 #endif
+#include <ttyent.h>
+
 #include "auth.h"
 #include "misc.h"
 #include "encrypt.h"
@@ -28,6 +30,8 @@ DesData ck;
 IdeaData ik;
 extern int auth_debug_mode;
+extern char *line;
+
 static sra_valid = 0;
 static passwd_sent = 0;
@@ -451,6 +455,26 @@ syslog(LOG_WARNING,"%s\n",save.pw_dir);
 return (&save);
 }
+static int
+isroot(user)
+char *user;
+{
+ struct passwd *pw;
+
+ if ((pw=getpwnam(user))==NULL)
+ return 0;
+ return (!pw->pw_uid);
+}
+
+static int
+rootterm(ttyn)
+char *ttyn;
+{
+ struct ttyent *t;
+
+ return ((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE);
+}
+
 #ifdef NOPAM
 char *crypt();
@@ -461,6 +485,12 @@ char *pass;
 register char *cp;
 char *xpasswd, *salt;
+ if (isroot(name) && !rootterm(line))
+ {
+ crypt("AA","*"); /* Waste some time to simulate success */
+ return(0);
+ }
+
 if (pw = sgetpwnam(name)) {
 if (pw->pw_shell == NULL) {
 pw = (struct passwd *) NULL;
@@ -585,7 +615,10 @@ int check_user(const char *name, const char *pass)
 } else syslog(LOG_ERR, "Couldn't get PAM_USER: %s", pam_strerror(pamh, e));
- rval = 1;
+ if (isroot(user) && !rootterm(line))
+ rval = 0;
+ else
+ rval = 1;
 break;
 case PAM_AUTH_ERR: |
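Review bot: rootterm() hands its argument straight to getttynam(), which looks up the short terminal names recorded in /etc/ttys, while both new call sites pass the global `line` that this commit declares extern. What `line` holds is not visible in the diff; if it is a full device path, the lookup returns NULL and every uid-0 login is refused whatever the secure flag says, which fails closed but makes the flag meaningless. Stripping the prefix first, `if (strncmp(ttyn, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0) ttyn += sizeof(_PATH_DEV) - 1;` (needs <paths.h> and <string.h>), would make the check match the ttys entries. I would also parenthesise the flag test as `(t->ty_status & TTY_SECURE)` and put a comment above isroot() saying that any account with uid 0, not only the name root, is covered.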
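Review bot: The early `return(0)` in the NOPAM check_user() refuses a uid-0 login on an insecure pty without writing anything to the log, and the PAM branch in the last hunk sets `rval = 0` just as silently. A refused root login is an event an operator wants recorded, and this file already calls syslog(); a line such as `syslog(LOG_NOTICE, "ROOT LOGIN REFUSED ON %s", line);` at both sites would cover it. Separately, `crypt("AA","*")` passes a one-character salt, which some crypt implementations may reject immediately, so the delay it is meant to provide is not guaranteed; a well-formed salt would be safer. check_user() begins above this hunk and continues below it.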
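Review bot: The new test calls `isroot(user)`, but the context just above it is the `else` branch that logs "Couldn't get PAM_USER", so on that path `user` was presumably not refreshed from PAM and the uid check runs against whatever it held before. The assignment to `user` is outside the hunk, so this is inferred; if it is only set when pam_get_item() succeeds, the failure path can still reach `rval = 1` for a uid-0 account. Checking the caller-supplied name as well, `if ((isroot(user) || isroot(name)) && !rootterm(line))`, or setting `rval = 0` whenever PAM_USER cannot be read, would close that gap. The surrounding switch and check_user() itself start and end outside the hunk.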