Vikash Badal - PCS
2003-Jul-10 11:09 UTC
OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + PasswordAuthentication no + PermitEmptyPasswords yes (followup)
Greetings,

Problem: OpenSSH 3.6.1p2 on UnixWare 7.1.1 allows access to passwordless
account without a valid key when sshd_config has PasswordAuthentication no
+ PermitEmptyPasswords yes

Attempts:
Installed maintenance pack3 and recompiled both OpenSSH and OpenSSL (0.9.7b)
with native c compiler.

Recompiled both OpenSSH and OpenSSL (0.9.7b) with gcc (2.95.2).

Still the same problem.

Looking at auth2.c line 185-190:
    authenticated = m->userauth(authctxt);
sets authenticate to 1 when PermitEmptyPasswords ==> yes

I found only one reference to userauth()
in sshconnect2.c (line 279)

I do not understand the code m->userauth(authctxt);

Please assist.

Vikash
Ben Lindstrom
2003-Jul-10 13:32 UTC
OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + PasswordAuthentication no + PermitEmptyPasswords yes (followup)
Would be nice for a complete sshd -d -d -d output.

I've tracked back through the code and I don't see how a single platform could have a problem with it unless the problem is in auth_password(). Which is an utter mess and nearly untrackable.

- Ben

On Thu, 10 Jul 2003, Vikash Badal - PCS wrote:

> Greetings,
>
> Problem: OpenSSH 3.6.1p2 on UnixWare 7.1.1 allows access to passwordless
> account without a valid key when sshd_config has PasswordAuthentication no
> + PermitEmptyPasswords yes
>
> Attempts:
> Installed maintenance pack3 and recompiled both OpenSSH and OpenSSL (0.9.7b)
> with native c compiler.
>
> Recompiled both OpenSSH and OpenSSL (0.9.7b) with gcc (2.95.2).
>
> Still the same problem.
>
> Looking at auth2.c line 185-190:
>     authenticated = m->userauth(authctxt);
> sets authenticate to 1 when PermitEmptyPasswords ==> yes
>
> I found only one reference to userauth()
> in sshconnect2.c (line 279)
>
> I do not understand the code m->userauth(authctxt);
>
> Please assist.
>
> Vikash
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
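
An added example, not part of the thread and not OpenSSH code: a small audit that reads an sshd_config and a shadow-style password file and lists the accounts exposed by the combination reported above. It treats PermitEmptyPasswords yes as exposing every empty-password account whatever PasswordAuthentication says, because that is the behaviour the original post reports. The function names, the colon-separated shadow layout and both sample inputs are assumptions constructed for illustration.

```python
import re

# Defaults documented in sshd_config(5) for the two keywords in this thread.
DEFAULTS = {"passwordauthentication": "yes", "permitemptypasswords": "no"}

def effective_options(config_text):
    # sshd keeps the FIRST value it reads for a keyword; keywords are
    # case-insensitive and separated from the value by whitespace or '='.
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":      # only the global section is evaluated here
            break
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().strip('"').lower()
    return {**DEFAULTS, **seen}

def empty_password_accounts(shadow_text):
    # An account is passwordless when its second field is empty.
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names

def audit(config_text, shadow_text):
    # Accounts reachable without a password or key under the reported behaviour.
    opts = effective_options(config_text)
    if opts["permitemptypasswords"] != "yes":
        return []
    return empty_password_accounts(shadow_text)

# Constructed sample inputs (not taken from the thread).
SAMPLE_CONFIG = """\
# constructed sshd_config
Protocol 2
passwordauthentication no
PermitEmptyPasswords = yes
PermitEmptyPasswords no
"""
SAMPLE_SHADOW = ("root:$1$constructed$hash:12000::::::\n"
                 "backup::12000::::::\n"
                 "lp:*LK*:12000::::::\n")

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_SHADOW))
```

An empty result means either PermitEmptyPasswords is effectively no or no account has an empty password field; either condition closes the exposure described in the report.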