Hello, I am using xrdp without PAM, and have been looking at the recently modified shadow authentication code in sesman/verify_user.c.
I have noticed that sesman segfaults when attempting to authenticate a user account which has been locked by "passwd -l username". In fact the segfault occurs whenever the contents of the shadow password field do not match any of the hash formats expected by GNU crypt().

The problem lies in verify_user.c, function auth_user_pass(). The return value of crypt() will be NULL if the account happens to be locked or if the encrypted password is in an unexpected format. So I would suggest that the code at the end of auth_user_pass() should go something like this:

      epass = crypt(pass, encr);
      if (epass == 0)
      {
        /* possibly a locked account */
        return 0;
      }
      return (strcmp(encr, epass) == 0);
    }

Another point: auth_user_pass() seems to get called from a thread spun off a listening socket, but calls getpwnam, getspnam and crypt which are not re-entrant. Shouldn't there be a mutex or something similar protecting this whole function? Apologies if I've missed some reason why it can't be re-entered.

Best wishes,
Ken Milmore.
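
The NULL check and the locking raised in the message above, as an added example (not code from the original post or from xrdp). The names `check_shadow_hash`, `hash_fn`, `g_auth_lock` and `demo_crypt` are hypothetical, and the hashing routine is passed in as a pointer so the block builds without libcrypt, with `demo_crypt` a constructed stand-in for crypt(). It goes one step beyond the message by also rejecting the `*`-prefixed failure token that some crypt() builds return instead of NULL.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); injected so the sketch builds without libcrypt. */
typedef char *(*hash_fn)(const char *key, const char *setting);

/* crypt(), getpwnam() and getspnam() return static storage, so one lock
 * serialises every caller (assumption: a single process-wide mutex). */
static pthread_mutex_t g_auth_lock = PTHREAD_MUTEX_INITIALIZER;

/* Returns 1 if pass hashes to encr, 0 on mismatch or hashing failure. */
int check_shadow_hash(hash_fn hash, const char *pass, const char *encr)
{
    const char *epass;
    int ok = 0;

    if (hash == NULL || pass == NULL || encr == NULL)
        return 0;
    pthread_mutex_lock(&g_auth_lock);
    epass = hash(pass, encr);
    /* NULL: the field is not a recognised hash, e.g. a locked account.
     * Leading '*': failure token some crypt() builds return instead. */
    if (epass != NULL && epass[0] != '*')
        ok = (strcmp(encr, epass) == 0);
    pthread_mutex_unlock(&g_auth_lock); /* epass must not be used after this */
    return ok;
}

/* Constructed stand-in for crypt(): NULL for a '!'-prefixed field, the
 * "*0" token for any other non-'$' field, else "$demo$<key>". */
char *demo_crypt(const char *key, const char *setting)
{
    static char out[64];
    static char token[] = "*0";
    if (setting[0] == '!')
        return NULL;
    if (setting[0] != '$')
        return token;
    snprintf(out, sizeof(out), "$demo$%s", key);
    return out;
}

int main(void)
{
    printf("valid=%d locked=%d\n",
           check_shadow_hash(demo_crypt, "secret", "$demo$secret"),
           check_shadow_hash(demo_crypt, "secret", "!$demo$secret"));
    return 0;
}
```

In a real caller the getpwnam()/getspnam() lookups would sit inside the same locked region, since the `encr` pointer they yield is also static storage.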