authorTodd C. Miller <millert@cvs.openbsd.org>1997-11-04 19:01:06 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>1997-11-04 19:01:06 +0000
commit6b57d10d1974c94e115608d07f1c152a2447e274 (patch)
tree5b901731ba30f4b6feaaa63ba5aea574e51a73ad
parent176632a21bbf83faad76cc78e6f2388e9cda8b77 (diff)
Do pwcheck() even if the user does not exist. This means that if
there is an alternate authentication scheme it will get run even when the username does not exist, preventing an info gathering attack. Short story: for user "imbogus" and pass "s/key" you will get a faked up s/key prompt.
-rw-r--r--usr.bin/login/login.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index 33007b82e6a..289c0db2e0e 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: login.c,v 1.22 1997/06/20 04:55:00 deraadt Exp $ */
+/* $OpenBSD: login.c,v 1.23 1997/11/04 19:01:05 millert Exp $ */
/* $NetBSD: login.c,v 1.13 1996/05/15 23:50:16 jtc Exp $ */
/*-
@@ -44,7 +44,7 @@ static char copyright[] =
#if 0
static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
#endif
-static char rcsid[] = "$OpenBSD: login.c,v 1.22 1997/06/20 04:55:00 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: login.c,v 1.23 1997/11/04 19:01:05 millert Exp $";
#endif /* not lint */
/*
@@ -312,6 +312,8 @@ main(argc, argv)
#else
rval = pwcheck(username, p, salt, pwd->pw_passwd);
#endif
+ } else {
+ rval = pwcheck(username, p, salt, "*");
}
memset(p, 0, strlen(p));
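Review bot: The added `else` branch now assigns `rval` for a username that has no passwd entry, so the accept decision later in main() (outside this hunk) must keep requiring a non-NULL `pwd` rather than trusting `rval` alone; that test is not visible here and is worth confirming. The bare `"*"` also deserves a comment at the call, for example `/* no such user: "*" is not a valid hash, so this can never match; run pwcheck() anyway so the prompts look the same */`. Whether pwcheck() does comparable work for `"*"` as for a real hash cannot be told from this hunk, and a measurable timing gap would leak the same existence information the commit is trying to hide.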