search for: sp_pwdp

...r bug #442. The cvs comment says "Fix Bug #442 for PAM case". The code is now roughly: #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) spw = getspnam(pw->pw_name); passwd = spw->sp_pwdp; #else passwd = pw->pw_passwd; #endif [test for locked passwd entry] If the platform is using PAM, /etc/passwd is checked regardless of whether or not it actually has /etc/shadow. If the platform has /etc/shadow but doesn't have shadow expiry then the /etc/passwd entry will be c...

...openssh/auth.c.old 2005-06-17 08:29:12.595619001 -0700 +++ openssh/auth.c 2005-08-25 21:15:06.270527016 -0700 @@ -97,7 +97,11 @@ /* grab passwd field for locked account check */ #ifdef USE_SHADOW if (spw != NULL) +#ifdef HAVE_LIBIAF + passwd = get_iaf_password(pw); +#else passwd = spw->sp_pwdp; +#endif /* HAVE_LIBIAF */ #else passwd = pw->pw_passwd; #endif --- openssh/configure.ac.old 2005-08-23 17:11:26.000000000 -0700 +++ openssh/configure.ac 2005-08-24 16:51:30.297680013 -0700 @@ -446,6 +446,8 @@ ;; # UnixWare 7.x, OpenUNIX 8 *-*-sysv5*) + check_for_libcrypt_later=1 + AC_DE...

.../src/security/openssh/cvs/openssh_cvs/openbsd-compat/xcrypt.c,v retrieving revision 1.4 diff -u -p -r1.4 xcrypt.c --- openbsd-compat/xcrypt.c 6 Sep 2003 23:43:42 -0000 1.4 +++ openbsd-compat/xcrypt.c 8 Sep 2003 06:52:26 -0000 @@ -96,18 +96,25 @@ shadow_pw(struct passwd *pw) pw_password = spw->sp_pwdp; # endif # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) - struct passwd_adjunct *spw; - if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) - pw_password = spw->pwa_passwd; + if (issecure()) { + struct passwd_adjunct *spw; + + if (spw = getpwanam(pw->pw...

...ed(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ @@ -46,6 +51,9 @@ #ifdef HAVE_SHADOW_H struct spwd *spw; #endif +#ifdef HAVE_GETPWANAM + struct passwd_adjunct *spw; +#endif #ifdef WITH_AIXAUTHENTICATE char *authmsg; char *loginmsg; @@ -99,6 +107,16 @@ pw_password = spw->sp_pwdp; } #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ +#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) + if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) + { + /* Check for users with no password. */ + if (strcmp(password, "")...

I encountered a couple of strange events with respect to password authentication this morning. Two of our staff were unable to login onto several systems using their usual passwords. Both users had last logged in on these hosts using their accounts and passwords on Friday past. The two accounts could not log on to any of the servers for which they had access and the message log on each showed

maybe this is a silly question ;-) But why is it possible to login on a machine with a locked account (passwd -l ) via pubkey-authentication (authorized_keys) ? I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this should not happen. If this is the normal behaviour and built in intentionally what would be the easiest way to lock an account without deleting the users authorized_keys ?