bugzilla-daemon at mindrot.org
2004-Jul-20 21:22 UTC
[Bug 899] sshd displays illegal usernames through setproctitle()
http://bugzilla.mindrot.org/show_bug.cgi?id=899

           Summary: sshd displays illegal usernames through setproctitle()
           Product: Portable OpenSSH
           Version: 3.8.1p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: peak at argo.troja.mff.cuni.cz

authctxt->pw ? user : "unknown" is pointless because illegal users get pw from fakepw(), the code should check authctxt->valid

moreover, a check of this kind is completely missing in auth-pam.c

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Jul-20 21:22 UTC
[Bug 899] sshd displays illegal usernames through setproctitle()
http://bugzilla.mindrot.org/show_bug.cgi?id=899

------- Additional Comments From peak at argo.troja.mff.cuni.cz  2004-07-21 07:22 -------
Created an attachment (id=690)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=690&action=view)
this patch fixes the bug
bugzilla-daemon at mindrot.org
2004-Jul-20 22:21 UTC
[Bug 899] sshd displays illegal usernames through setproctitle()
http://bugzilla.mindrot.org/show_bug.cgi?id=899

------- Additional Comments From mouring at eviladmin.org  2004-07-21 08:21 -------
I'm ok with the first two.  Makes sense to key off of ->valid since everything else does.

I'm leery of the change to do:

setproctitle("%s [pam]", sshpam_authctxt && sshpam_authctxt->valid ? pam_user : "unknown");

Mainly because I don't see the (xx && yy ? zz : pp) abuse normally and as a result I'd be skiddy until someone else on the project agrees.

I'd also rather see it as:

if ( ( xx ) && ( yy ) )
   setproc[..]
else
   setproc[..]

could be I've seen too many (xx & yy) mistakes in OpenBSD audits.
bugzilla-daemon at mindrot.org
2004-Jul-21 10:55 UTC
[Bug 899] sshd displays illegal usernames through setproctitle()
http://bugzilla.mindrot.org/show_bug.cgi?id=899

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org  2004-07-21 20:55 -------
Fix applied - thanks.
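
An added C illustration of the report's point (a pw check cannot tell real users from fake ones) and of the review comment on the PAM line; it is not part of the thread and is not code from OpenSSH or from attachment 690. The structs, lookup(), the account name alice and the title_user_* helpers are hypothetical stand-ins that model only the pw and valid fields named in the report.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for sshd's structures (assumption: only the
 * fields named in the report, pw and valid, are modelled). */
struct passwd_model { const char *pw_name; };
struct authctxt_model {
    const char *user;          /* login name supplied by the client */
    struct passwd_model *pw;   /* never NULL: unknown users get a fake entry */
    int valid;                 /* 1 only when the account really exists */
};

static struct passwd_model real_entry = { "alice" };   /* constructed */
static struct passwd_model fake_entry = { "NOUSER" };  /* constructed */

/* Constructed lookup: "alice" is the only account on this model host. */
static void lookup(struct authctxt_model *a, const char *user) {
    a->user = user;
    a->valid = strcmp(user, "alice") == 0;
    a->pw = a->valid ? &real_entry : &fake_entry;
}

/* The check the report calls pointless: pw is set for every user. */
static const char *title_user_by_pw(const struct authctxt_model *a) {
    return a->pw ? a->user : "unknown";
}

/* The check the report asks for. */
static const char *title_user_by_valid(const struct authctxt_model *a) {
    return a->valid ? a->user : "unknown";
}

/* PAM variant, where the context itself may be NULL, written as the
 * explicit if/else the review comment prefers over (xx && yy ? zz : pp). */
static const char *title_user_pam(const struct authctxt_model *a,
                                  const char *pam_user) {
    if (a != NULL && a->valid)
        return pam_user;
    return "unknown";
}

int main(void) {
    struct authctxt_model a;
    lookup(&a, "not-an-account");
    printf("pw check:    sshd: %s\n", title_user_by_pw(&a));  /* leaks name */
    printf("valid check: sshd: %s\n", title_user_by_valid(&a));
    printf("pam check:   sshd: %s [pam]\n", title_user_pam(&a, a.user));
    return 0;
}
```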