Re: PAM access policy may be circumvented

From: Marc Singer
Subject: Re: PAM access policy may be circumvented
Date: Sat, 11 Oct 2003 10:35:32 -0700
User-agent: Mutt/1.5.4i

On Sat, Oct 11, 2003 at 06:48:47PM +0200, Brian Murphy wrote:
> This is *not* the PAM support in cvs that you refer to. The PAM patch
> in cvs chooses either PAM or traditional /etc/passwd support but not
> both.

See for yourself.  Here's the source from server.c.

#line 5869 server.c
#ifdef HAVE_PAM
    if (system_auth)
        host_user = check_pam_password (username, descrambled_password, 
#endif /* HAVE_PAM */

    if(NULL == host_user)
        host_user = check_password (username, descrambled_password, repository);

    if (host_user == NULL)

When the check_pam_password () call fails, CVS will then call
check_password ().  check_password () is the non-PAM call to verify a
user's identity.  Thus, when PAM fails, CVS does a fall-back to the
non-PAM authentication.  My change was simply to #ifndef HAVE_PAM on
the check_password () call.
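
The fallback described in this message, as an added example that is not part of the original post and is not CVS code: pam_check, passwd_check, auth_fallback, auth_exclusive, the accounts and the passwords are all constructed, and the runtime have_pam flag stands in for the compile-time HAVE_PAM switch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the two back ends (hypothetical, not CVS code).
   The PAM policy denies "alice" through an access rule although her password
   is valid; the passwd-style check knows nothing about that rule. */
static const char *pam_check(const char *user, const char *pw)
{
    if (strcmp(user, "alice") == 0) return NULL;    /* denied by policy */
    if (strcmp(user, "bob") == 0 && strcmp(pw, "bobpw") == 0) return "bob";
    return NULL;
}

static const char *passwd_check(const char *user, const char *pw)
{
    if (strcmp(user, "alice") == 0 && strcmp(pw, "alicepw") == 0) return "alice";
    if (strcmp(user, "bob") == 0 && strcmp(pw, "bobpw") == 0) return "bob";
    return NULL;
}

/* Same shape as the excerpt: a NULL from PAM is retried against passwd. */
const char *auth_fallback(int have_pam, const char *user, const char *pw)
{
    const char *host_user = NULL;
    if (have_pam)
        host_user = pam_check(user, pw);
    if (host_user == NULL)
        host_user = passwd_check(user, pw);
    return host_user;
}

/* Shape of the change described: when PAM is in use, its verdict is final. */
const char *auth_exclusive(int have_pam, const char *user, const char *pw)
{
    if (have_pam)
        return pam_check(user, pw);
    return passwd_check(user, pw);
}

int main(void)
{
    printf("fallback:  alice %s\n", auth_fallback(1, "alice", "alicepw") ? "accepted" : "denied");
    printf("exclusive: alice %s\n", auth_exclusive(1, "alice", "alicepw") ? "accepted" : "denied");
    return 0;
}
```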

