-rw-r--r--etc/pam.d/ftpd6
-rw-r--r--etc/pam.d/login3
-rw-r--r--etc/pam.d/su2
-rw-r--r--libexec/ftpd/ftpd.c19
4 files changed, 17 insertions, 13 deletions
diff --git a/etc/pam.d/ftpd b/etc/pam.d/ftpd
index d32016e..471b67b 100644
--- a/etc/pam.d/ftpd
+++ b/etc/pam.d/ftpd
@@ -9,8 +9,10 @@ auth required pam_nologin.so no_warn
#auth sufficient pam_kerberosIV.so no_warn
#auth sufficient pam_krb5.so no_warn
#auth sufficient pam_ssh.so no_warn try_first_pass
-#auth sufficient pam_opie.so no_warn
-auth required pam_unix.so no_warn try_first_pass
+# Uncomment either pam_opie or pam_unix, but not both of them.
+# pam_unix can't be simple chained with pam_opie, ftpd provides proper fallback
+auth required pam_opie.so no_warn
+#auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_kerberosIV.so
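Review bot: The new comment above `auth required pam_opie.so no_warn` says ftpd "provides proper fallback" but not when that fallback applies, so an administrator reading only this file cannot tell that a Unix password may still be accepted while `pam_unix` is commented out. Judging by the ftpd.c hunk in this same commit, the fallback is ftpd's own crypt() comparison, taken when PAM does not succeed and `pwok` is set (presumably from the OPIE access rules, which are not visible here). I would spell that out, e.g. `# With pam_opie enabled, ftpd itself checks the Unix password when OPIE rejects the response and the OPIE access rules permit plain passwords.` That check then happens outside the PAM auth stack, which is worth stating for anyone who adds further auth modules here.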
diff --git a/etc/pam.d/login b/etc/pam.d/login
index cecaf13..ab7046b 100644
--- a/etc/pam.d/login
+++ b/etc/pam.d/login
@@ -6,10 +6,10 @@
# auth
auth required pam_nologin.so no_warn
+#auth sufficient pam_opie.so no_warn
#auth sufficient pam_kerberosIV.so no_warn try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth required pam_ssh.so no_warn try_first_pass
-#auth sufficient pam_opie.so no_warn
auth required pam_unix.so no_warn try_first_pass
# account
@@ -24,6 +24,7 @@ account required pam_unix.so
session required pam_unix.so
# password
+#password sufficient pam_opie.so no_warn
#password sufficient pam_kerberosIV.so no_warn try_first_pass
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
diff --git a/etc/pam.d/su b/etc/pam.d/su
index e7f6192..8e3a9bc 100644
--- a/etc/pam.d/su
+++ b/etc/pam.d/su
@@ -9,8 +9,8 @@ auth sufficient pam_rootok.so no_warn
auth requisite pam_wheel.so no_warn auth_as_self noroot_ok
#auth sufficient pam_kerberosIV.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
+#auth required pam_opie.so no_warn
#auth required pam_ssh.so no_warn try_first_pass
-#auth sufficient pam_opie.so no_warn
auth required pam_unix.so no_warn try_first_pass nullok
#auth sufficient pam_rootok.so no_warn
##auth sufficient pam_kerberosIV.so no_warn
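Review bot: The commented `#auth required pam_opie.so no_warn` line now sits, as `required`, above the active `auth required pam_unix.so no_warn try_first_pass nullok` with no explanation of the combined effect. If I read the stack correctly, uncommenting it makes su demand both an OPIE response and the Unix password, whereas etc/pam.d/login keeps `sufficient` and the ftpd file warns that the two modules cannot simply be chained. If requiring both is intended, a one-line comment such as `# Uncommenting pam_opie here requires OPIE in addition to the Unix password.` would prevent surprises; if not, the control flag should match login's.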
diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c
index 287436a..e421142 100644
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@@ -1251,23 +1251,24 @@ pass(passwd)
}
#ifdef USE_PAM
rval = auth_pam(&pw, passwd);
- if (rval >= 0) {
- opieunlock();
+ opieunlock(); /* XXX */
+ if (rval == 0 || (!pwok && rval > 0))
goto skip;
- }
-#endif
+ xpasswd = crypt(passwd, pw->pw_passwd);
+#else /* !USE_PAM */
if (opieverify(&opiedata, passwd) == 0)
xpasswd = pw->pw_passwd;
- else if (pwok) {
+ else if (pwok)
xpasswd = crypt(passwd, pw->pw_passwd);
- if (passwd[0] == '\0' && pw->pw_passwd[0] != '\0')
- xpasswd = ":";
- } else {
+ else {
rval = 1;
goto skip;
}
+#endif /* !USE_PAM */
rval = strcmp(pw->pw_passwd, xpasswd);
- if (pw->pw_expire && time(NULL) >= pw->pw_expire)
+ /* The strcmp does not catch null passwords! */
+ if (*pw->pw_passwd == '\0' ||
+ (pw->pw_expire && time(NULL) >= pw->pw_expire))
rval = 1; /* failure */
skip:
/*
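Review bot: In the USE_PAM branch a negative return from auth_pam() now falls straight through to `xpasswd = crypt(passwd, pw->pw_passwd)` without consulting `pwok`, because the skip test covers only `rval == 0` and `!pwok && rval > 0`. auth_pam() is defined outside this hunk, but the removed `rval >= 0` test suggests a negative value means PAM could not be used; an account for which plain passwords are disallowed (`pwok` false) would then still be accepted on its Unix password alone. Adding `if (rval < 0 && !pwok) rval = 1;` before the skip test would keep that case failing closed. Separately, crypt() can return NULL, so the later `strcmp(pw->pw_passwd, xpasswd)` needs a guard such as `if (xpasswd == NULL) { rval = 1; goto skip; }`. pass() begins and ends outside the hunk.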