author | ache <ache@FreeBSD.org> | 1998-02-13 21:02:53 +0000 |
---|---|---|
committer | ache <ache@FreeBSD.org> | 1998-02-13 21:02:53 +0000 |
commit | 4b75e9fb5335225cbdd0f2ba89060ba92e151e35 (patch) | |
tree | cc97895f4435074b85c1769f422c85f417ae5010 /usr.bin | |
parent | 2d31a8b4c6376f39cc0db539ae3baf95656d5257 (diff) | |
Fix very rare but dangerous bug:
for some DES passwords
crypt(real_password, salt)
is equal to
crypt("", salt);
It means that this user (and not only he) can log in without
entering a password at all, just by pressing Return.
So if an empty password is entered and the crypted password is not empty,
invalidate any crypt result by assigning ":"
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/login/login.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index b4d0282..ae3618a 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -42,7 +42,7 @@ static char copyright[] =
 static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
 #endif
 static const char rcsid[] =
- "$Id: login.c,v 1.30 1997/10/19 09:34:06 joerg Exp $";
+ "$Id: login.c,v 1.31 1998/02/05 18:37:02 guido Exp $";
 #endif /* not lint */
 /*
@@ -454,6 +454,8 @@ main(argc, argv)
 (void)signal(SIGQUIT, SIG_IGN);
 if (pwd) {
+ if (!p[0] && pwd->pw_passwd[0])
+ ep = ":";
 #ifdef KERBEROS
 #ifdef SKEY
 /* |
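Review bot: The new `ep = ":";` in main() sits at the very top of the `if (pwd) {` block, ahead of the `#ifdef KERBEROS` / `#ifdef SKEY` section, so it only closes the hole if no later statement assigns `ep` again. The rest of the block lies outside this hunk, but the commit message talks about invalidating a crypt result, which suggests `ep` is computed further down and would overwrite this value. If so, the check belongs after the last assignment to `ep`, or the later assignment has to be skipped when `!p[0] && pwd->pw_passwd[0]` holds. The guard also needs a comment explaining why it exists, for example `/* empty input must never match a non-empty stored hash: some DES hashes equal crypt("", salt) */`.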