openssh unix dev - Feb 2002 - [Bug 114] Invalid users vs. PAM (protocol 1 only (?))

http://bugzilla.mindrot.org/show_bug.cgi?id=114





------- Additional Comments From djm at mindrot.org  2002-02-13 23:00 -------
Created an attachment (id=24)
Fake username for invalid ssh protocol 1 users




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=114





------- Additional Comments From djm at mindrot.org  2002-02-13 23:00 -------
Does the attached patch help?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=114

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED



------- Additional Comments From djm at mindrot.org  2002-02-14 20:39 -------
It works for me - committing.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=114

abartlet at samba.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |



------- Additional Comments From abartlet at samba.org  2002-02-15 00:06 -------
Why NOUSER?

What is wrong with the user they specified?  Why can't we do the full auth
for
the user - let PAM do its thing and then bail?

This would allow users who use pam_unix's 'audit' flag (for example)
to get
accurate and consistant failed password logs across all deamons on a system.

Then, if for some reason PAM still thinks they are perfectly valid (despite no
/etc/passwd entry) *then* we kill it off.  

How does this sound?

I'll propose a patch if required.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=114

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED



------- Additional Comments From djm at mindrot.org  2002-02-15 00:26 -------
NOUSER hides disclosure of passwords from users who accidentally type their
password into a login prompt.

please open another buf if you want to change the functionality.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=114





------- Additional Comments From peak at argo.troja.mff.cuni.cz  2002-02-15
01:21 -------
Well, when a user types his/her password as a login name, it will probably
appear in the log anyway (in a message generated by sshd itself:
Feb 14 15:07:14 kunhuta sshd[17775]: Failed password for illegal user blabla
from 127.0.0.1 port 2995).
Nevertheless, the patch appears to solve the problem I reported.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.