Honour skey.access(5) by allowing UNIX passwords when skeyaccess(3)

has set pwok to a non-zero value.

Previously, the fact that skey.access(5) allowed UNIX passwords for
this connection attempt was ignored, even in the NOPAM case.

This only addresses the NOPAM case; when libpam is used, the problem
will persist.

PR:		20333

1 files changed, 10 insertions, 4 deletions

diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c
index 6c65028..0471c22 100644
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@@ -1188,11 +1188,14 @@ pass(passwd)
 			goto skip;
 #endif
 #ifdef SKEY
-		rval = strcmp(skey_crypt(passwd, pw->pw_passwd, pw, pwok),
-			      pw->pw_passwd);
-		pwok = 0;
+		if (pwok)
+			rval = strcmp(pw->pw_passwd,
+			    crypt(passwd, pw->pw_passwd));
+		if (rval)
+			rval = strcmp(pw->pw_passwd,
+			    skey_crypt(passwd, pw->pw_passwd, pw, pwok));
 #else
-		rval = strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd);
+		rval = strcmp(pw->pw_passwd, crypt(passwd, pw->pw_passwd));
 #endif
 		/* The strcmp does not catch null passwords! */
 		if (*pw->pw_passwd == '\0' ||
@@ -1220,6 +1223,9 @@ skip:
 			return;
 		}
 	}
+#ifdef SKEY
+	pwok = 0;
+#endif
 	login_attempts = 0;		/* this time successful */
 	if (setegid((gid_t)pw->pw_gid) < 0) {
 		reply(550, "Can't set gid.");