Bugtraq mailing list archives
Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
From: ant () notatla demon co uk (Antonomasia)
Date: Mon, 23 Jul 2001 19:49:24 +0100 (BST)
From: Nate Eldredge <neldredge () hmc edu>
What's wrong with just using `strcmp' (i.e. no constraint at all)? After all, what you want to know is just whether the two strings are identical, period. And unless crypt() and /etc/shadow are both broken, it will stop at the right place. I realize it goes against the reflexive "only strn* functions are safe" idea, but that shouldn't substitute for thinking...
strcmp() with one argument as a crypt() output would be OK provided any password aging information had first been removed from the field in the comparison. Code to detect accounts without passwords ought to check this too as "::" is not the only value that is open to all. "Essential System Administration" 2nd Edition by Frisch falls down here on p344. -- ############################################################## # Antonomasia ant notatla.demon.co.uk # # See http://www.notatla.demon.co.uk/ # ##############################################################
Current thread:
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0, (continued)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Marcin Zurakowski (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Brian Carpio (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Brian Carpio (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Jaime BENJUMEA (Jul 23)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Jonathan A. Zdziarski (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Roman Drahtmueller (Jul 23)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 23)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Emre Yildirim (Jul 24)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 25)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Eugene Medynskiy (Jul 25)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Marcin Zurakowski (Jul 23)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 26)