[9483] in bugtraq
Re: SSH 1.x and 2.x Daemon
daemon@ATHENA.MIT.EDU (Brandon S. Allbery)
Thu Feb 11 18:31:44 1999
Date: Tue, 9 Feb 1999 13:32:39 -0500
Reply-To: "Brandon S. Allbery" <allbery@ECE.CMU.EDU>
From: "Brandon S. Allbery" <allbery@ECE.CMU.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 08 Feb 1999 12:08:28 EST." <199902081708.MAA09126@black-ops.uwindsor.ca>
In message <199902081708.MAA09126@black-ops.uwindsor.ca>, Tibor Toronyi writes:
+-----
| As a side note (after checking into this problem), I noticed that the
| server code ONLY checks for "*LK*" in the password field to see if the
| person is disabled. Not sure of other places but we've had to modify the
| code a bit so that instead of
|
| if (strncmp(passwd, "*LK*", 4) == 0)
|
| I'd recommend
|
| if (strchr(passwd, '*') != (char *) NULL)
+--->8
I would suggest that a better check would be:
if (strlen(passwd) < 11)
since various systems I've seen use "*", "x", "!", "!!", "*LK*", "afs"
(with the normal password lookup preempted by AFS or Kerberos routines in
system programs), etc.
(This assumes you don't want to permit null passwords. The necessary change
should be reasonably obvious.)
!= 13 would be even safer, but this would fail on BSD with MD5 passwords or
sites using various extended-length password schemes.
--
brandon s. allbery [os/2][linux][solaris][japh] allbery@kf8nh.apk.net
system administrator [WAY too many hats] allbery@ece.cmu.edu
electrical and computer engineering KF8NH
carnegie mellon university ["God, root, what is difference?" -Pitr]
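The four checks discussed in this thread, side by side on a set of constructed password-field values, as an added example that is not part of the original messages or of the sshd source. The function names (locked_lk, locked_star, locked_short, locked_not13, disagreements), the allow_null flag standing in for the "reasonably obvious" change that permits null passwords, and the sample fields are all assumptions made for the illustration; the 13-character and $1$ strings are shaped like DES crypt(3) and MD5-crypt output but are made up, not real hashes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Check as quoted from the sshd source: locked only if the field starts with "*LK*". */
int locked_lk(const char *passwd)
{
    return strncmp(passwd, "*LK*", 4) == 0;
}

/* Tibor Toronyi's replacement: locked if a '*' appears anywhere in the field. */
int locked_star(const char *passwd)
{
    return strchr(passwd, '*') != NULL;
}

/* Brandon Allbery's suggestion: a field shorter than 11 characters cannot be a
 * traditional 13-character crypt(3) hash, so treat the account as disabled.
 * allow_null = 0 is the rule as written (an empty field is also disabled);
 * allow_null = 1 is the hypothetical variant that permits null passwords. */
int locked_short(const char *passwd, int allow_null)
{
    size_t n = strlen(passwd);
    if (n == 0)
        return !allow_null;
    return n < 11;
}

/* The stricter "!= 13" variant: safer, but rejects MD5-style ($1$...) and
 * other extended-length hashes as if the account were locked. */
int locked_not13(const char *passwd)
{
    return strlen(passwd) != 13;
}

/* Constructed sample password fields (not copied from any real system). */
struct sample {
    const char *field;
    const char *note;
};

static const struct sample samples[] = {
    { "*LK*",  "Solaris-style lock marker" },
    { "*",     "bare asterisk" },
    { "x",     "shadowed, hash lives elsewhere" },
    { "!",     "single bang" },
    { "!!",    "double bang" },
    { "afs",   "lookup preempted by AFS/Kerberos" },
    { "",      "null password" },
    { "abJnggxhB/yWI", "13-char DES crypt(3)-shaped string (constructed)" },
    { "$1$abcdefgh$0123456789abcdefghijkl", "34-char MD5-crypt-shaped string (constructed)" },
};

/* Number of samples on which a given check disagrees with locked_short(..., 0);
 * a quick measure of how many lock markers each check misses or over-flags. */
int disagreements(int (*check)(const char *))
{
    int count = 0;
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (check(samples[i].field) != locked_short(samples[i].field, 0))
            count++;
    }
    return count;
}

int main(void)
{
    size_t i;
    printf("%-36s %-3s %-4s %-5s %-4s  note\n", "field", "LK", "star", "short", "!=13");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *f = samples[i].field;
        printf("%-36s %-3d %-4d %-5d %-4d  %s\n", f[0] ? f : "(empty)",
               locked_lk(f), locked_star(f), locked_short(f, 0), locked_not13(f),
               samples[i].note);
    }
    return 0;
}
```

Running it prints one row per sample field: the "*LK*" check flags only the first row, the '*' check misses "x", "!", "!!", "afs" and the empty field, the length check flags every short marker while accepting both hash-shaped strings, and the "!= 13" check additionally rejects the $1$ string, which is exactly the BSD MD5 case the message warns about.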