Bugtraq mailing list archives

Re: SSH 1.x and 2.x Daemon


From: allbery () ECE CMU EDU (Brandon S. Allbery)
Date: Tue, 9 Feb 1999 13:32:39 -0500


In message <199902081708.MAA09126 () black-ops uwindsor ca>, Tibor Toronyi writes:
+-----
| As a side note (after checking into this problem), I noticed that the
| server code ONLY checks for "*LK*" in the password field to see if the
| person is disabled.  Not sure of other places but we've had to modify the
| code a bit so that instead of
|
|     if ((strncmp(passwd,"*LK*", 4) == 0)
|
| I'd recommend
|
|     if ((strchr (passwd, '*') != (char *) NULL)
+--->8

I would suggest that a better check would be:

        if (strlen(passwd) < 11)

since various systems I've seen use "*", "x", "!", "!!", "*LK*", "afs"
(with the normal password lookup preempted by AFS or Kerberos routines in
system programs), etc.

(This assumes you don't want to permit null passwords.  The necessary change
should be reasonably obvious.)

!= 13 would be even safer, but this would fail on BSD with MD5 passwords or
sites using various extended-length password schemes.

--
brandon s. allbery      [os/2][linux][solaris][japh]     allbery () kf8nh apk net
system administrator         [WAY too many hats]           allbery () ece cmu edu
electrical and computer engineering                                      KF8NH
carnegie mellon university            ["God, root, what is difference?" -Pitr]
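
The three checks discussed in this thread, run against the password-field markers the reply lists, as an added example that is not part of the original message or of the SSH source. The function names, the sample hash strings and the prefixed-hash case are constructed for illustration; the last case goes beyond the thread and shows a locked field that still has full hash length.

```c
#include <stdio.h>
#include <string.h>

typedef int (*lock_check)(const char *pw);

/* Check in the server code, as quoted in the thread: only "*LK*" counts. */
static int check_lk_prefix(const char *pw) { return strncmp(pw, "*LK*", 4) == 0; }
/* First suggestion: any '*' anywhere in the field means disabled. */
static int check_any_star(const char *pw) { return strchr(pw, '*') != NULL; }
/* Reply's suggestion: a field shorter than 11 characters is not a usable hash. */
static int check_short_field(const char *pw) { return strlen(pw) < 11; }

/* Markers listed in the reply, plus the empty (null) password. */
static const char *const MARKERS[] = { "*", "x", "!", "!!", "*LK*", "afs", "" };
/* Constructed sample hashes: 13-char DES crypt and a $1$ MD5-crypt string. */
static const char *const HASHES[] = { "ab0123456789A",
                                      "$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV" };
/* Constructed: '!' prepended to a full hash, the way Linux passwd -l locks. */
static const char *const PREFIXED = "!ab0123456789A";

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Number of non-login markers the check would still let through. */
static int missed_markers(lock_check f) {
    int n = 0;
    for (size_t i = 0; i < COUNT(MARKERS); i++) n += !f(MARKERS[i]);
    return n;
}

/* Number of real hashes the check would wrongly treat as disabled. */
static int rejected_hashes(lock_check f) {
    int n = 0;
    for (size_t i = 0; i < COUNT(HASHES); i++) n += f(HASHES[i]) != 0;
    return n;
}

int main(void) {
    const char *names[] = { "strncmp \"*LK*\"", "strchr '*'", "strlen < 11" };
    lock_check checks[] = { check_lk_prefix, check_any_star, check_short_field };
    for (size_t i = 0; i < COUNT(checks); i++)
        printf("%-16s missed=%d rejected=%d prefixed_hash_locked=%d\n", names[i],
               missed_markers(checks[i]), rejected_hashes(checks[i]),
               checks[i](PREFIXED));
    return 0;
}
```

A check based only on marker strings or field length does not catch a lock prefix in front of a full-length hash, so that case needs its own test on systems that lock accounts that way.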


