Page MenuHomeFreeBSD
Files F145700041

D42730.id.diff
No OneTemporary
Actions

D42730.id.diff
View Options

diff --git a/lib/libpam/libpam/security/pam_mod_misc.h b/lib/libpam/libpam/security/pam_mod_misc.h
--- a/lib/libpam/libpam/security/pam_mod_misc.h
+++ b/lib/libpam/libpam/security/pam_mod_misc.h
@@ -35,7 +35,6 @@
* Common option names
*/
#define PAM_OPT_NULLOK "nullok"
-#define PAM_OPT_EMPTYOK "emptyok"
#define PAM_OPT_AUTH_AS_SELF "auth_as_self"
#define PAM_OPT_ECHO_PASS "echo_pass"
#define PAM_OPT_DEBUG "debug"
diff --git a/lib/libpam/modules/pam_unix/pam_unix.8 b/lib/libpam/modules/pam_unix/pam_unix.8
--- a/lib/libpam/modules/pam_unix/pam_unix.8
+++ b/lib/libpam/modules/pam_unix/pam_unix.8
@@ -32,7 +32,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd April 3, 2020
+.Dd November 24, 2023
.Dt PAM_UNIX 8
.Os
.Sh NAME
@@ -101,29 +101,11 @@
sufficient.
.It Cm nullok
If the password database has no password for the entity being
-authenticated, then this option will forgo password prompting, and
-silently allow authentication to succeed.
-.Pp
-.Sy NOTE:
-If
-.Nm
-is invoked by a process that does not have the privileges required to
-access the password database (in most cases, this means root
-privileges), the
-.Cm nullok
-option may cause
-.Nm
-to allow any user to log in with any password.
-.It Cm emptyok
-If the password database contains the password for the entity being
-authenticated, but the password matches an empty string,
-then this option will forgo password prompting, and
-silently allow authentication to succeed.
-.Pp
-The difference between this and
-.Cm nullok
-is that it avoids prompting for password when the password is set
-to an empty string, as opposed to not being set.
+authenticated, or a password matching the empty string, then this
+option will forgo password prompting, and silently allow authentication
+to succeed.
+Without this option, any attempt to authenticate with an empty password
+is rejected.
.It Cm local_pass
Use only the local password database, even if NIS is in use.
This will cause an authentication failure if the system is configured
@@ -182,6 +164,8 @@
suppress warning messages to the user.
These messages include reasons why the user's authentication attempt
was declined.
+.It Cm nullok
+allows unprivileged users to set an empty new password.
.It Cm local_pass
forces the password module to change a local password in favour of a
NIS one.
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -108,22 +108,19 @@
if (pwd != NULL) {
PAM_LOG("Doing real authentication");
realpw = pwd->pw_passwd;
- if (realpw[0] == '\0') {
+ /*
+ * An empty password can be stored as an empty saved password
+ * hash or as a hash generated from an empty password, make
+ * sure to check both cases here.
+ */
+ if (realpw[0] == '\0' ||
+ strcmp(crypt(emptypasswd, realpw), realpw) == 0) {
if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
openpam_get_option(pamh, PAM_OPT_NULLOK))
return (PAM_SUCCESS);
PAM_LOG("Password is empty, using fake password");
realpw = "*";
}
- /*
- * Check whether the saved password hash matches the one
- * generated from an empty password - as opposed to empty
- * saved password hash, which is handled above.
- */
- if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
- openpam_get_option(pamh, PAM_OPT_EMPTYOK) &&
- strcmp(crypt(emptypasswd, realpw), realpw) == 0)
- return (PAM_SUCCESS);
lc = login_getpwclass(pwd);
} else {
PAM_LOG("Doing dummy authentication");

File Metadata

Mime Type
text/plain
Expires
Tue, Feb 24, 7:57 AM (15 h, 9 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
28970773
Default Alt Text
D42730.id.diff (3 KB)

Event Timeline