Fix very rare but dangerous bug:
for some DES passwords
crypt(real_password, salt)
is equal to
crypt("", salt);
It means that this user (and not only he) can login without
entering password at all, just pressing Return.
So if empty password entered and crypted password is not empty,
invalidate any crypt result by assigning ":"
This commit is contained in:
@@ -42,7 +42,7 @@ static char copyright[] =
|
||||
static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
|
||||
#endif
|
||||
static const char rcsid[] =
|
||||
"$Id: login.c,v 1.30 1997/10/19 09:34:06 joerg Exp $";
|
||||
"$Id: login.c,v 1.31 1998/02/05 18:37:02 guido Exp $";
|
||||
#endif /* not lint */
|
||||
|
||||
/*
|
||||
@@ -454,6 +454,8 @@ main(argc, argv)
|
||||
(void)signal(SIGQUIT, SIG_IGN);
|
||||
|
||||
if (pwd) {
|
||||
if (!p[0] && pwd->pw_passwd[0])
|
||||
ep = ":";
|
||||
#ifdef KERBEROS
|
||||
#ifdef SKEY
|
||||
/*
|
||||
|
||||
Reference in New Issue
Block a user