Bug 899 - sshd displays illegal usernames through setproctitle()
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 3.8.1p1
Hardware: All
OS: Linux
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-07-21 07:22 AEST by Pavel Kankovsky
Modified: 2004-09-11 13:18 AEST

See Also:


Attachments
this patch fixes the bug (1.34 KB, patch)
2004-07-21 07:22 AEST, Pavel Kankovsky

Description Pavel Kankovsky 2004-07-21 07:22:12 AEST
authctxt->pw ? user : "unknown" is pointless because illegal users get pw from
fakepw(); the code should check authctxt->valid.
Moreover, a check of this kind is completely missing in auth-pam.c.
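The following is an added example, not OpenSSH code, that models the condition described in the report so the difference between the two checks can be run and seen. The structures authctxt_stub and passwd_stub, the fakepw() stand-in, the two-entry known_users table and the title_user_before()/title_user_after() selectors are all simplified assumptions made for this illustration; only the shape of the ternary and the "valid" versus "pw" distinction come from the report.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the sshd structures involved (assumptions for this
 * example, not the real OpenSSH definitions): a password-file entry and the
 * per-connection authentication context. */
struct passwd_stub {
    const char *pw_name;
};

struct authctxt_stub {
    int valid;               /* set only when the lookup actually found the user */
    const char *user;        /* username exactly as the client sent it */
    struct passwd_stub *pw;  /* real entry for valid users, a fake one otherwise */
};

/* Models fakepw(): an invalid user still ends up with a non-NULL pw, so a
 * "pw != NULL" test cannot tell valid and invalid users apart. */
static struct passwd_stub fake_pw = { "NOUSER" };

static struct passwd_stub *fakepw(void)
{
    return &fake_pw;
}

/* Constructed two-entry "password file" standing in for getpwnam(). */
static struct passwd_stub known_users[] = { { "alice" }, { "bob" } };

static void lookup_user(struct authctxt_stub *ctx, const char *user)
{
    size_t i;

    ctx->user = user;
    ctx->valid = 0;
    ctx->pw = NULL;
    for (i = 0; i < sizeof known_users / sizeof known_users[0]; i++) {
        if (strcmp(known_users[i].pw_name, user) == 0) {
            ctx->pw = &known_users[i];
            ctx->valid = 1;
            return;
        }
    }
    ctx->pw = fakepw();  /* the behaviour the report points at */
}

/* "Before" selector: keys off ctx->pw, which is never NULL after lookup,
 * so whatever the client typed reaches the process title. */
const char *title_user_before(const struct authctxt_stub *ctx)
{
    return ctx->pw ? ctx->user : "unknown";
}

/* "After" selector: keys off ctx->valid, as the rest of sshd does. */
const char *title_user_after(const struct authctxt_stub *ctx)
{
    return ctx->valid ? ctx->user : "unknown";
}

/* Run the lookup for one client-supplied name and return the string each
 * variant would hand to setproctitle(). before != 0 selects the old check. */
const char *proctitle_user(const char *user, int before)
{
    struct authctxt_stub ctx;

    lookup_user(&ctx, user);
    return before ? title_user_before(&ctx) : title_user_after(&ctx);
}

int main(void)
{
    /* Constructed sample of names a client might send, including one that
     * looks like a password typed into the username field. */
    const char *tries[] = { "alice", "mallory", "hunter2" };
    size_t i;

    for (i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        printf("%-8s  pw-check: %-8s  valid-check: %s\n",
               tries[i], proctitle_user(tries[i], 1), proctitle_user(tries[i], 0));
    }
    return 0;
}
```

With the pw-based check every name the client sends shows up in the title, so anyone who can run ps on the host learns which names (and, when a password lands in the username field, which secrets) were tried; with the valid-based check only names that exist on the system appear.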
Comment 1 Pavel Kankovsky 2004-07-21 07:22:55 AEST
Created attachment 690
this patch fixes the bug
Comment 2 Ben Lindstrom 2004-07-21 08:21:27 AEST
I'm ok with the first two. Makes sense to key off of ->valid since everything
else does.

I'm leery of the change to do:

setproctitle("%s [pam]", sshpam_authctxt && sshpam_authctxt->valid ? 
pam_user : "unknown");

Mainly because I don't see the (xx && yy ? zz : pp) abuse normally and as a
result I'd be skittish until someone else on the project agrees.

I'd also rather see it as:

if ( ( xx ) && ( yy ) )
    setproc[..]
else
    setproc[..]

could be I've seen too many (xx & yy) mistakes in OpenBSD audits.
Comment 3 Damien Miller 2004-07-21 20:55:30 AEST
Fix applied - thanks.