Bug 899

Summary: sshd displays illegal usernames through setproctitle()
Product: Portable OpenSSH
Reporter: Pavel Kankovsky <peak>
Component: sshd
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED
Severity: normal
Priority: P2
Version: 3.8.1p1
Hardware: All
OS: Linux
Attachments:
Description                 Flags
this patch fixes the bug    none

Description Pavel Kankovsky 2004-07-21 07:22:12 AEST
authctxt->pw ? user : "unknown" is pointless because illegal users get pw from
fakepw(); the code should check authctxt->valid.
Moreover, a check of this kind is completely missing in auth-pam.c.
Comment 1 Pavel Kankovsky 2004-07-21 07:22:55 AEST
Created attachment 690 [details]
this patch fixes the bug
Comment 2 Ben Lindstrom 2004-07-21 08:21:27 AEST
I'm ok with the first two.  Makes sense to key off of ->valid since everything 
else does.

I'm leery of the change to do:

setproctitle("%s [pam]", sshpam_authctxt && sshpam_authctxt->valid ? 
pam_user : "unknown");

Mainly because I don't see the (xx && yy ? zz : pp) abuse normally and as a
result I'd be skiddy until someone else on the project agrees.

I'd also rather see it as:

if ( ( xx ) && ( yy ) )
 setproc[..]
else 
 setproc[..]

could be I've seen too many (xx & yy) mistakes in OpenBSD audits.
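The defect described in this bug, and the PAM-side check discussed in Comment 2, as an added C example that is not OpenSSH's code: the Authctxt and passwd stand-ins, the fakepw() stub, the constructed user lookup and all helper names (title_before, title_after, pam_title, *_shows_user) are assumptions made for this demonstration, not sshd internals. It shows why a check on ->pw can never fail once fakepw() is in play, so an arbitrary login name typed by an unauthenticated client ends up in the process title that ps shows, and why keying off ->valid closes that. It also writes the auth-pam.c check in the if/else form requested in Comment 2 and notes why it is equivalent to the one-line ternary.

```c
/*
 * Added example (not OpenSSH code): models the setproctitle() condition
 * discussed in Bug 899.  Every type and function here is a simplified,
 * constructed stand-in so the logic can be compiled and run on its own.
 */
#include <stdio.h>
#include <string.h>

struct passwd_stub {            /* stand-in for struct passwd */
    char pw_name[64];
};

struct Authctxt {               /* stand-in for sshd's Authctxt */
    int valid;                  /* 1 only when the login name exists */
    struct passwd_stub *pw;     /* real entry, or fakepw() result for invalid users */
};

/* sshd's fakepw() hands back a dummy entry for unknown users so that later
 * code never dereferences NULL; the side effect is that ->pw is never NULL. */
static struct passwd_stub *fakepw(void)
{
    static struct passwd_stub fake = { "NOUSER" };
    return &fake;
}

/* Constructed user lookup: "alice" stands in for the system password database. */
static void lookup_user(struct Authctxt *ctx, const char *user)
{
    static struct passwd_stub real = { "alice" };
    if (strcmp(user, "alice") == 0) {
        ctx->valid = 1;
        ctx->pw = &real;
    } else {
        ctx->valid = 0;
        ctx->pw = fakepw();      /* never NULL, so a ->pw test is always true */
    }
}

/* Before the fix: keys off ->pw, which fakepw() guarantees is non-NULL, so a
 * client-supplied name for a non-existent account lands in the process title. */
static const char *title_before(const struct Authctxt *ctx, const char *user,
                                char *buf, size_t len)
{
    snprintf(buf, len, "sshd: %s", ctx->pw ? user : "unknown");
    return buf;
}

/* After the fix: key off ->valid, as the rest of sshd does. */
static const char *title_after(const struct Authctxt *ctx, const char *user,
                               char *buf, size_t len)
{
    snprintf(buf, len, "sshd: %s", ctx->valid ? user : "unknown");
    return buf;
}

/* The auth-pam.c variant in the if/else form asked for in Comment 2.  It is
 * equivalent to the one-line ternary because && binds tighter than ?:, so
 * (xx && yy ? zz : pp) already parses as ((xx && yy) ? zz : pp); the explicit
 * form only makes that precedence visible.  The NULL test matters because the
 * PAM thread may run before an auth context exists. */
static const char *pam_title(const struct Authctxt *sshpam_authctxt,
                             const char *pam_user, char *buf, size_t len)
{
    if (sshpam_authctxt != NULL && sshpam_authctxt->valid)
        snprintf(buf, len, "%s [pam]", pam_user);
    else
        snprintf(buf, len, "%s [pam]", "unknown");
    return buf;
}

/* Each returns 1 if the title would display the supplied login name, 0 if it
 * falls back to "unknown".  They exist so the behaviour can be checked. */
int before_shows_user(const char *user)
{
    struct Authctxt ctx; char buf[256];
    lookup_user(&ctx, user);
    title_before(&ctx, user, buf, sizeof buf);
    return strcmp(buf + strlen("sshd: "), "unknown") != 0;
}

int after_shows_user(const char *user)
{
    struct Authctxt ctx; char buf[256];
    lookup_user(&ctx, user);
    title_after(&ctx, user, buf, sizeof buf);
    return strcmp(buf + strlen("sshd: "), "unknown") != 0;
}

int pam_shows_user(const char *user)
{
    struct Authctxt ctx; char buf[256];
    lookup_user(&ctx, user);
    pam_title(&ctx, user, buf, sizeof buf);
    return strncmp(buf, "unknown", strlen("unknown")) != 0;
}

int main(void)
{
    const char *names[] = { "alice", "nosuchuser" };   /* constructed inputs */
    for (size_t i = 0; i < 2; i++)
        printf("%-10s before=%d after=%d pam=%d\n", names[i],
               before_shows_user(names[i]), after_shows_user(names[i]),
               pam_shows_user(names[i]));
    return 0;
}
```

Running it shows the valid user displayed in all three paths, while the non-existent name is displayed only by the pre-fix condition; the ->valid based checks fall back to "unknown" for it.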
Comment 3 Damien Miller 2004-07-21 20:55:30 AEST
Fix applied - thanks.