author | Todd C. Miller <millert@cvs.openbsd.org> | 2002-03-16 19:15:13 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2002-03-16 19:15:13 +0000 |
commit | 4a44b12ecfb6f14ee3216ef3403d2141cd58dc95 (patch) | |
tree | d0aab31c1b7b7fde7f4c665826161b044a9979ab | |
parent | 966c9f19968896b7cf7c2543c61618c68b39c4f4 (diff) |
o Don't allow password-less accounts to login (like in 2.9 and below)
o Stash copy of struct passwd via auth_setpwd() to avoid extra needless
getpwnam() calls.
-rw-r--r-- | libexec/ftpd/ftpd.8 | 6 | ||||
-rw-r--r-- | libexec/ftpd/ftpd.c | 12 |
2 files changed, 12 insertions, 6 deletions
diff --git a/libexec/ftpd/ftpd.8 b/libexec/ftpd/ftpd.8 index 227571f02dd..19810f60c18 100644 --- a/libexec/ftpd/ftpd.8 +++ b/libexec/ftpd/ftpd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ftpd.8,v 1.48 2001/11/22 16:19:48 mpech Exp $ +.\" $OpenBSD: ftpd.8,v 1.49 2002/03/16 19:15:12 millert Exp $ .\" $NetBSD: ftpd.8,v 1.8 1996/01/14 20:55:23 thorpej Exp $ .\" .\" Copyright (c) 1985, 1988, 1991, 1993 @@ -294,7 +294,9 @@ authenticates users according to five rules. .Pp .Bl -enum -offset indent .It -The login name must be in the password database. +The login name must be in the password database and not have a null password. +In this case a password must be provided by the client before any +file operations may be performed. .It The login name must not appear in the file .Pa /etc/ftpusers . diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c index 0674f125cb4..0cfdd4b6cf5 100644 --- a/libexec/ftpd/ftpd.c +++ b/libexec/ftpd/ftpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ftpd.c,v 1.123 2002/03/12 02:22:33 millert Exp $ */ +/* $OpenBSD: ftpd.c,v 1.124 2002/03/16 19:15:12 millert Exp $ */ /* $NetBSD: ftpd.c,v 1.15 1995/06/03 22:46:47 mycroft Exp $ */ /* @@ -73,7 +73,7 @@ static char copyright[] = #if 0 static char sccsid[] = "@(#)ftpd.c 8.4 (Berkeley) 4/16/94"; #else -static char rcsid[] = "$OpenBSD: ftpd.c,v 1.123 2002/03/12 02:22:33 millert Exp $"; +static char rcsid[] = "$OpenBSD: ftpd.c,v 1.124 2002/03/16 19:15:12 millert Exp $"; #endif #endif /* not lint */ @@ -97,6 +97,7 @@ static char rcsid[] = "$OpenBSD: ftpd.c,v 1.123 2002/03/12 02:22:33 millert Exp #include <arpa/inet.h> #include <arpa/telnet.h> +#include <bsd_auth.h> #include <ctype.h> #include <dirent.h> #include <err.h> @@ -118,7 +119,6 @@ static char rcsid[] = "$OpenBSD: ftpd.c,v 1.123 2002/03/12 02:22:33 millert Exp #include <unistd.h> #include <util.h> #include <utmp.h> -#include <bsd_auth.h> #if defined(TCPWRAPPERS) #include <tcpd.h> 
@@ -720,6 +720,7 @@ user(name) askpasswd = 1; lc = login_getclass(pw->pw_class); if ((as = auth_open()) == NULL || + auth_setpwd(as, pw) != 0 || auth_setoption(as, "FTPD_HOST", host) < 0) { if (as) { auth_close(as); @@ -762,6 +763,7 @@ user(name) /* Do pre-authentication setup. */ if (lc && ((as = auth_open()) == NULL || + (pw != NULL && auth_setpwd(as, pw) != 0) || auth_setitem(as, AUTHV_STYLE, style) < 0 || auth_setitem(as, AUTHV_NAME, name) < 0 || auth_setitem(as, AUTHV_CLASS, class) < 0 || @@ -880,12 +882,14 @@ pass(passwd) askpasswd = 0; if (!guest) { /* "ftp" is only account allowed no password */ authok = 0; - if (pw == NULL) { + if (pw == NULL || pw->pw_passwd[0] == '\0') { useconds_t us; /* Sleep between 1 and 3 seconds to emulate a crypt. */ us = arc4random() % 3000000; usleep(us); + if (as != NULL) + auth_close(as); } else { authok = auth_userresponse(as, passwd, 0); as = NULL; |
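Review bot: The two new `auth_setpwd(as, pw) != 0` tests in user() (hunks at -720 and -762) use a different failure convention from the `auth_setoption(...) < 0` and `auth_setitem(...) < 0` tests in the same conditions. Writing them as `auth_setpwd(as, pw) < 0 ||` would keep each condition uniform, assuming auth_setpwd reports failure with a negative value like its neighbours. A one-line comment above the first call, such as `/* stash pw in the session so the auth code need not call getpwnam() again */`, would also record why the call is there. user() begins and ends outside both hunks.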
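Review bot: In the new `pw == NULL || pw->pw_passwd[0] == '\0'` branch of pass(), `as` is closed but not cleared, whereas the else branch sets `as = NULL` after auth_userresponse(). If `as` is the file-scope session that user() also tests with `if (as)` (its declaration is outside the hunk), a later USER or PASS on the same connection would find a stale pointer and could close or use the freed session again. Resetting it removes that risk: `if (as != NULL) { auth_close(as); as = NULL; }`. pass() continues outside the hunk.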