HARUYAMA Seigo
2000-Jul-02 08:28 UTC
A error in auth.c of openssh-2.1.1p2 port on systems with a mixture of shadowed and non-shadowed passwords and Japanese Translations.
Hi. I have found a error of openssh-2.1.1p2 port on systems with a mixture of shadowed and non-shadowed passwords. I reported a same type of error to Mr. Miller when openssh-1.2.1pre23 was released. On our systems, our local machines have shadowed /etc/passwd (and /etc/shadow) and our NIS server distributes non-shadowed password of general users. We have to use getspnam(3) for shadowed local users' ( for example, "root") entries and getpwnam(3) for non-shadowed users' entries. Otherwise, the function "allowed_user" in auth.c of openssh-2.1.1p2 has the following lines: 59 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ 60 defined(HAS_SHADOW_EXPIRE) 61 struct spwd *spw; 62 63 /* Shouldn't be called if pw is NULL, but better safe than sorry */ 64 if (!pw) 65 return 0; 66 67 spw = getspnam(pw->pw_name); 68 if (spw == NULL) 69 return 0; . So, getspnam will returns NULL for our general users and allowed_user returns 0. As a result, our general users cannot login. I fixed this problem. diff openssh-2.1.1p2.bak/auth.c openssh-2.1.1p2/auth.c 68,69c68 < if (spw == NULL) < return 0; ---> if (spw){78a78> }------- I translated README and UPGRADING documents of openssh port into Japanese. Now I have translated INSTALL and README.openssh2. These documents are open to the public at http://www.unixuser.org/%7Eharuyama/security/openssh/index.html . Now, all translated documents update when new version of openssh port releases. Regards, HARUYAMA Seigo haruyama at unixuser.org
Damien Miller
2000-Jul-02 08:43 UTC
A error in auth.c of openssh-2.1.1p2 port on systems with a mixture of shadowed and non-shadowed passwords and Japanese Translations.
On Sun, 2 Jul 2000, HARUYAMA Seigo wrote:> > Hi. > > I have found a error of openssh-2.1.1p2 port on systems with a > mixture of shadowed and non-shadowed passwords.Thanks for the report - this slipped in with the new expiry checking code. Here is the fix that was applied: Index: auth.c ==================================================================RCS file: /var/cvs/openssh/auth.c,v retrieving revision 1.9 diff -u -r1.9 auth.c --- auth.c 2000/06/26 01:31:33 1.9 +++ auth.c 2000/07/02 08:42:19 @@ -65,17 +65,18 @@ return 0; spw = getspnam(pw->pw_name); - if (spw == NULL) - return 0; - - /* Check account expiry */ - if ((spw->sp_expire > 0) && ((time(NULL) / 86400) > spw->sp_expire)) - return 0; + if (spw != NULL) { + int days = time(NULL) / 86400; - /* Check password expiry */ - if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) && - ((time(NULL) / 86400) > (spw->sp_lstchg + spw->sp_inact))) - return 0; + /* Check account expiry */ + if ((spw->sp_expire > 0) && (days > spw->sp_expire)) + return 0; + + /* Check password expiry */ + if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) && + (days > (spw->sp_lstchg + spw->sp_inact))) + return 0; + } #else /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw) --d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)