On 2001-07-22 10:03:31 +0200, Florian Weimer wrote: >A quick glance at the source code suggests that SSH 2.3.0 and >2.4.0 have the same problem. Is this true? I suppose we are talking about this section of ssh 2.4.0's sshunixuser.c: 940 941 /* Authentication is accepted if the encrypted passwords are identical. */ 942 #ifdef HAVE_HPUX_TCB_AUTH 943 return strncmp(encrypted_password, correct_passwd, 944 strlen(correct_passwd)) == 0; 945 #else /* HAVE_HPUX_TCB_AUTH */ 946 return strcmp(encrypted_password, correct_passwd) == 0; 947 #endif /* HAVE_HPUX_TCB_AUTH */ If I read this correctly, it's certainly not a problem unless ssh is compiled with HAVE_HPUX_TCB_AUTH defined. In that case, it may or may not be a problem. -- Thomas Roessler http://log.does-not-exist.org/
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 08:58:18 PDT