authorache <ache@FreeBSD.org>1998-02-13 21:02:53 +0000
committerache <ache@FreeBSD.org>1998-02-13 21:02:53 +0000
commit4b75e9fb5335225cbdd0f2ba89060ba92e151e35 (patch)
treecc97895f4435074b85c1769f422c85f417ae5010 /usr.bin/login
parent2d31a8b4c6376f39cc0db539ae3baf95656d5257 (diff)
Fix very rare but dangerous bug:
for some DES passwords crypt(real_password, salt) is equal to crypt("", salt). This means that anyone (not only that user) can log in to the account without entering a password at all, just by pressing Return. So if an empty password is entered and the crypted password is not empty, invalidate any crypt result by assigning ":".
Diffstat (limited to 'usr.bin/login')
-rw-r--r--usr.bin/login/login.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index b4d0282..ae3618a 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -42,7 +42,7 @@ static char copyright[] =
static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
#endif
static const char rcsid[] =
- "$Id: login.c,v 1.30 1997/10/19 09:34:06 joerg Exp $";
+ "$Id: login.c,v 1.31 1998/02/05 18:37:02 guido Exp $";
#endif /* not lint */
/*
@@ -454,6 +454,8 @@ main(argc, argv)
(void)signal(SIGQUIT, SIG_IGN);
if (pwd) {
+ if (!p[0] && pwd->pw_passwd[0])
+ ep = ":";
#ifdef KERBEROS
#ifdef SKEY
/*
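Review bot: The added `ep = ":";` in main() only rejects the login if the later comparison (outside this hunk) is a plain string compare of `ep` against `pwd->pw_passwd` and nothing in between reassigns `ep`; neither is visible here, and the KERBEROS/SKEY branches that follow should be checked for a path that accepts an empty password without consulting `ep`. The sentinel is sound because ':' is the passwd(5) field separator and so cannot occur in a stored hash, but the code does not say so. I would add a comment above the check, `/* empty input must never match a non-empty hash; ":" cannot occur in pw_passwd */`, so the magic string is not simplified away later. main()'s body starts and ends outside the hunk.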