Re: PAM access policy may be circumvented

bug-cvs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PAM access policy may be circumvented

From:	Marc Singer
Subject:	Re: PAM access policy may be circumvented
Date:	Sat, 11 Oct 2003 10:35:32 -0700
User-agent:	Mutt/1.5.4i

On Sat, Oct 11, 2003 at 06:48:47PM +0200, Brian Murphy wrote:
> 
> This is *not* the PAM support in cvs that you refer to. The PAM patch
> in cvs chooses either PAM or traditional /etc/passwd support but not
> both.

See for yourself.  Here's the source from server.c.

#line 5869 server.c
#ifdef HAVE_PAM
    if (system_auth)
        host_user = check_pam_password (username, descrambled_password, 
repository);
#endif /* HAVE_PAM */

    if(NULL == host_user)
        host_user = check_password (username, descrambled_password, repository);

    if (host_user == NULL)

When the check_pam_password () call fails, CVS will then call
check_password ().  check_password () is the non-PAM call to verify a
user's identity.  Thus, when PAM fails, CVS does a fall-back to the
non-PAM authentication.  My change was simply to #ifndef HAVE_PAM on
the check_password () call.

Cheers.

[Prev in Thread]

Current Thread

[Next in Thread]

PAM access policy may be circumvented, Marc Singer, 2003/10/10
- PAM access policy may be circumvented, Brian Murphy, 2003/10/11
  - Re: PAM access policy may be circumvented, Marc Singer <=
    - Re: PAM access policy may be circumvented, Brian Murphy, 2003/10/12
    - Re: PAM access policy may be circumvented, Steve McIntyre, 2003/10/12

Prev by Date: PAM access policy may be circumvented
Next by Date: -oh ma.n /I a.m fina^lly :out .of 'that mes,s nfta=vkl
Previous by thread: PAM access policy may be circumvented
Next by thread: Re: PAM access policy may be circumvented
Index(es):
- Date
- Thread