In message <199902081708.MAA09126@black-ops.uwindsor.ca>, Tibor Toronyi writes:
+-----
| As a side note (after checking into this problem), I noticed that the
| server code ONLY checks for "*LK*" in the password field to see if the
| person is disabled. Not sure of other places but we've had to modify the
| code a bit so that instead of
|
| if ((strncmp(passwd,"*LK*", 4) == 0)
|
| I'd recommend
|
| if ((strchr (passwd, '*') != (char *) NULL)
+--->8

I would suggest that a better check would be:

    if (strlen(passwd) < 11)

since various systems I've seen use "*", "x", "!", "!!", "*LK*", "afs" (with
the normal password lookup preempted by AFS or Kerberos routines in system
programs), etc. (This assumes you don't want to permit null passwords. The
necessary change should be reasonably obvious.)

!= 13 would be even safer, but this would fail on BSD with MD5 passwords or
sites using various extended-length password schemes.

--
brandon s. allbery [os/2][linux][solaris][japh] allberyat_private
system administrator [WAY too many hats] allberyat_private
electrical and computer engineering KF8NH
carnegie mellon university ["God, root, what is difference?" -Pitr]
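The checks discussed in this message, compared side by side as an added example (not code from the message or from the server it discusses). The sample fields are constructed: the markers are the ones listed above plus an empty field, treated as non-login per the stated assumption, and the two hash-shaped strings are made up, not real hashes.

```c
#include <stdio.h>
#include <string.h>

typedef int (*check_fn)(const char *);

/* Each check returns 1 when the password field is treated as "disabled". */
static int lk_prefix(const char *pw) { return strncmp(pw, "*LK*", 4) == 0; }
static int any_star(const char *pw)  { return strchr(pw, '*') != NULL; }
static int too_short(const char *pw) { return strlen(pw) < 11; }
static int not_13(const char *pw)    { return strlen(pw) != 13; }

#define N_MARKERS 7
#define N_HASHES  2
/* Constructed samples: non-login markers, then hash-shaped fields. */
static const char *markers[N_MARKERS] = { "*LK*", "*", "x", "!", "!!", "afs", "" };
static const char *hashes[N_HASHES] = {
    "abJnggxhB/yWI",                      /* 13 chars, DES-crypt shaped */
    "$1$saltsalt$0123456789abcdefghijkl"  /* MD5-crypt shaped           */
};

/* Markers the check fails to flag: the account is wrongly left enabled. */
int missed_markers(check_fn f) {
    int n = 0;
    for (int i = 0; i < N_MARKERS; i++)
        if (!f(markers[i])) n++;
    return n;
}

/* Hash-shaped fields the check flags: a valid account is wrongly disabled. */
int rejected_hashes(check_fn f) {
    int n = 0;
    for (int i = 0; i < N_HASHES; i++)
        if (f(hashes[i])) n++;
    return n;
}

int main(void) {
    const char *names[] = { "strncmp *LK*", "strchr '*'", "strlen < 11", "strlen != 13" };
    check_fn checks[]   = { lk_prefix, any_star, too_short, not_13 };
    for (int i = 0; i < 4; i++)
        printf("%-13s missed markers: %d  rejected hashes: %d\n",
               names[i], missed_markers(checks[i]), rejected_hashes(checks[i]));
    return 0;
}
```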