- (stevesk) auth-pam.c: use do_pam_authenticate(PAM_DISALLOW_NULL_AUTHTOK)

   if permit_empty_passwd == 0 so null password check cannot be bypassed.
   jayaraj@amritapuri.com OpenBSD bug 2168

2 files changed, 9 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index 12045a555..b2f58c36e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20011109
+ - (stevesk) auth-pam.c: use do_pam_authenticate(PAM_DISALLOW_NULL_AUTHTOK)
+   if permit_empty_passwd == 0 so null password check cannot be bypassed.
+   jayaraj@amritapuri.com OpenBSD bug 2168
+        
 20011103
  - (tim) [ contrib/caldera/openssh.spec contrib/caldera/sshd.init] Updates 
    from Raymund Will <ray@caldera.de>
@@ -6801,4 +6806,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1631 2001/11/03 19:09:32 tim Exp $
+$Id: ChangeLog,v 1.1632 2001/11/09 20:22:16 stevesk Exp $
diff --git a/auth-pam.c b/auth-pam.c
index 29d356674..0132e47bd 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -35,7 +35,7 @@
 
 extern char *__progname;
 
-RCSID("$Id: auth-pam.c,v 1.40 2001/10/28 17:32:38 stevesk Exp $");
+RCSID("$Id: auth-pam.c,v 1.41 2001/11/09 20:22:17 stevesk Exp $");
 
 #define NEW_AUTHTOK_MSG \
         "Warning: Your password has expired, please change it now"
@@ -217,7 +217,8 @@ int auth_pam_password(struct passwd *pw, const char *password)
         __pampasswd = password;
 
         pamstate = INITIAL_LOGIN;
-        pam_retval = do_pam_authenticate(0);
+        pam_retval = do_pam_authenticate(
+            options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
         if (pam_retval == PAM_SUCCESS) {
                 debug("PAM Password authentication accepted for "
                     "user \"%.100s\"", pw->pw_name);