[21796] in bugtraq
Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
daemon@ATHENA.MIT.EDU (Antonomasia)
Mon Jul 23 18:02:52 2001
To: neldredge@hmc.edu
Cc: aefrisch@lorentzian.com, bugtraq@securityfocus.com
Message-Id: <20010723184924.A14B046A8@notatla.demon.co.uk>
Date: Mon, 23 Jul 2001 19:49:24 +0100 (BST)
From: ant@notatla.demon.co.uk (Antonomasia)
From: Nate Eldredge <neldredge@hmc.edu>
> What's wrong with just using `strcmp' (i.e. no constraint at all)? After
> all, what you want to know is just whether the two strings are identical,
> period. And unless crypt() and /etc/shadow are both broken, it will stop
> at the right place. I realize it goes against the reflexive "only strn*
> functions are safe" idea, but that shouldn't substitute for thinking...
strcmp() with one argument as a crypt() output would be OK provided any
password aging information had first been removed from the field in the
comparison.
Code to detect accounts without passwords ought to check this too as
"::" is not the only value that is open to all. "Essential System
Administration" 2nd Edition by Frisch falls down here on p344.
--
##############################################################
# Antonomasia ant notatla.demon.co.uk #
# See http://www.notatla.demon.co.uk/ #
##############################################################
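
The two checks described in the message above, as an added example that is not part of the original post or of any SSH source. It assumes the legacy layout in which aging data follows a comma inside the password field and hash characters never include `,`; the function names and sample entries are constructed, and the caller passes in the string that crypt() returned.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample entries; "abXXXXXXXXXXX" is a placeholder, not a real hash. */
static const char SAMPLE[] =
    "root:abXXXXXXXXXXX:0:0::/:/bin/sh\n"
    "guest::100:100::/home/guest:/bin/sh\n"
    "ops:,M.z8:101:100::/home/ops:/bin/sh\n"
    "ann:abXXXXXXXXXXX,M.z8:102:100::/home/ann:/bin/sh\n";

/* Length of the hash part of a password field: everything before the
 * aging separator ',' (assumed layout) or the end of the field. */
static size_t hash_len(const char *field)
{
    return strcspn(field, ",:\n");
}

/* 1 if the field holds no hash at all, so both "" and ",M.z8" count. */
int field_is_open(const char *field)
{
    return hash_len(field) == 0;
}

/* Compare the stored field with a crypt() result after dropping aging data.
 * An empty stored hash never matches here; flag it with field_is_open(). */
int hash_matches(const char *field, const char *computed)
{
    size_t n = hash_len(field);
    return n > 0 && strlen(computed) == n && strncmp(field, computed, n) == 0;
}

/* Count passwd-format lines ("user:field:...") whose password field is open. */
int count_open_accounts(const char *text)
{
    int open = 0;
    while (*text) {
        size_t len = strcspn(text, "\n");
        const char *colon = memchr(text, ':', len);
        if (colon && field_is_open(colon + 1))
            open++;
        text += len;
        if (*text == '\n')
            text++;
    }
    return open;
}

int main(void)
{
    printf("open accounts: %d\n", count_open_accounts(SAMPLE));
    return 0;
}
```

A plain `strcmp()` of `"abXXXXXXXXXXX,M.z8"` against the crypt() result reports a mismatch, and a scan that only looks for `::` misses the `ops` entry.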