Bugtraq mailing list archives

Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0


From: ant () notatla demon co uk (Antonomasia)
Date: Mon, 23 Jul 2001 19:49:24 +0100 (BST)

From: Nate Eldredge <neldredge () hmc edu>

> What's wrong with just using `strcmp' (i.e. no constraint at all)?  After
> all, what you want to know is just whether the two strings are identical,
> period.  And unless crypt() and /etc/shadow are both broken, it will stop
> at the right place.  I realize it goes against the reflexive "only strn*
> functions are safe" idea, but that shouldn't substitute for thinking...

strcmp() with one argument as a crypt() output would be OK provided any
password aging information had first been removed from the field in the
comparison.

Code to detect accounts without passwords ought to check this too as
"::" is not the only value that is open to all.  "Essential System
Administration" 2nd Edition by Frisch falls down here on p344.

--
##############################################################
# Antonomasia   ant notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
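
An added example, not part of the original message or of any SSH code: a C sketch of the two checks discussed above, stripping password aging data before the strcmp() and treating any field with an empty hash as an open account. It assumes the traditional layout in which aging data follows a comma inside the password field; the function names and sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 256

/* Copy the hash portion of a password field into out, dropping any
 * ",aging" suffix. Returns hash length, or -1 if it does not fit. */
static int hash_part(const char *field, size_t flen, char out[FIELD_MAX])
{
    size_t n = 0;
    while (n < flen && field[n] != ',')
        n++;
    if (n >= FIELD_MAX)
        return -1;
    memcpy(out, field, n);
    out[n] = '\0';
    return (int)n;
}

/* 1 if the "name:pwfield:..." entry has an empty hash (open account),
 * 0 if it has one, -1 if the line is malformed. */
int account_is_open(const char *line)
{
    char hash[FIELD_MAX];
    const char *pw = strchr(line, ':');
    if (pw == NULL)
        return -1;
    pw++;
    int n = hash_part(pw, strcspn(pw, ":\n"), hash);
    return n < 0 ? -1 : n == 0;
}

/* 1 only if the stored field, with aging removed, is non-empty and
 * identical to the crypt() output passed in. */
int password_matches(const char *pwfield, const char *crypt_out)
{
    char hash[FIELD_MAX];
    int n = hash_part(pwfield, strlen(pwfield), hash);
    return n > 0 && strcmp(hash, crypt_out) == 0;
}

int main(void)
{
    /* Constructed sample entries; the hash is a made-up placeholder. */
    const char *lines[] = {
        "guest::100:100::/home/guest:/bin/sh",
        "temp:,..:101:100::/home/temp:/bin/sh",
        "alice:abJnggxhB/yWI,M.z8:102:100::/home/alice:/bin/sh",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%d  %s\n", account_is_open(lines[i]), lines[i]);
    return 0;
}
```

The second sample entry is the case a check for a literal "::" misses: the field is not empty, but nothing precedes the comma.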

