Re: PAM access policy may be circumvented
From: Marc Singer
Subject: Re: PAM access policy may be circumvented
Date: Sat, 11 Oct 2003 10:35:32 -0700
User-agent: Mutt/1.5.4i

On Sat, Oct 11, 2003 at 06:48:47PM +0200, Brian Murphy wrote:
>
> This is *not* the PAM support in cvs that you refer to. The PAM patch
> in cvs chooses either PAM or traditional /etc/passwd support but not
> both.
See for yourself. Here's the source from server.c.

    #line 5869 server.c
    #ifdef HAVE_PAM
        if (system_auth)
            host_user = check_pam_password (username, descrambled_password,
                                            repository);
    #endif /* HAVE_PAM */
        if(NULL == host_user)
            host_user = check_password (username, descrambled_password, repository);
        if (host_user == NULL)

When the check_pam_password () call fails, CVS will then call
check_password (). check_password () is the non-PAM call to verify a
user's identity. Thus, when PAM fails, CVS does a fall-back to the
non-PAM authentication. My change was simply to #ifndef HAVE_PAM on
the check_password () call.
Cheers.
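
An added example, not part of the original message or the CVS source, modelling the fall-through described above next to a fail-closed form in which the PAM result is final. The stub_pam and stub_passwd functions, the accounts table and both auth_* function names are hypothetical stand-ins; the stubs assume both back ends see the same password and that only PAM enforces an access policy.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample accounts; not taken from CVS or the message. */
struct account { const char *user, *password; int pam_policy_allows; };

static const struct account accounts[] = {
    { "alice", "s3cret",  1 },  /* PAM access policy permits */
    { "bob",   "hunter2", 0 },  /* valid password, PAM access policy denies */
};

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Stand-in for check_pam_password (): password AND access policy must pass. */
static const char *stub_pam(const char *user, const char *pw) {
    const struct account *a = lookup(user);
    return (a && strcmp(a->password, pw) == 0 && a->pam_policy_allows)
               ? a->user : NULL;
}

/* Stand-in for check_password (): password comparison only, no policy. */
static const char *stub_passwd(const char *user, const char *pw) {
    const struct account *a = lookup(user);
    return (a && strcmp(a->password, pw) == 0) ? a->user : NULL;
}

/* Same control flow as the quoted excerpt: a PAM denial falls through. */
const char *auth_with_fallback(int system_auth, const char *user, const char *pw) {
    const char *host_user = NULL;
    if (system_auth)
        host_user = stub_pam(user, pw);
    if (host_user == NULL)
        host_user = stub_passwd(user, pw);  /* runs even after PAM said no */
    return host_user;
}

/* PAM build with the non-PAM call compiled out: PAM's verdict is final. */
const char *auth_pam_only(int system_auth, const char *user, const char *pw) {
    const char *host_user = NULL;
    if (system_auth)
        host_user = stub_pam(user, pw);
    return host_user;  /* NULL means denied; no second authenticator */
}
```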