Second stab at Volker's 'make shadow passwords work' patch.

Basicly, the password and the salt must be taken from the same place in both
passwd and shadow based systems.  Taking salt from one, and password from the
other just doesn't work.

So pull them from passwd, then overwrite them if need be.

When modifying this file, watch the #ifdef hell - as vl found out, some
variables are globals - but only with #ifndef WITH_PAM, and the code jumps all
over the place with the password cracker.

Getting double-reviews of any change to this file highly advised, it is one of
our most system-specifc areas of code.

(So now I get to take the blame for this one... :-)

Andrew Bartlett

1 files changed, 4 insertions, 4 deletions

diff --git a/source/auth/pass_check.c b/source/auth/pass_check.c
index 63918796efb..e1783bfd1e2 100644
--- a/source/auth/pass_check.c
+++ b/source/auth/pass_check.c
@@ -634,6 +634,7 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
 	/* Also the place to keep the 'password' no matter what
 	   crazy struct it started in... */
 	fstrcpy(this_crypted, pass->pw_passwd);
+	fstrcpy(this_salt, pass->pw_passwd);
 
 #ifdef HAVE_GETSPNAM
 	{
@@ -645,8 +646,10 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
 		   perhaps for IPC password changing requests */
 
 		spass = getspnam(pass->pw_name);
-		if (spass && spass->sp_pwdp)
+		if (spass && spass->sp_pwdp) {
 			fstrcpy(this_crypted, spass->sp_pwdp);
+			fstrcpy(this_salt, spass->sp_pwdp);
+		}
 	}
 #elif defined(IA_UINFO)
 	{
@@ -704,9 +707,6 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
 	}
 #endif
 
-	/* extract relevant info */
-	fstrcpy(this_salt, pass->pw_passwd);
-
 #if defined(HAVE_TRUNCATED_SALT)
 	/* crypt on some platforms (HPUX in particular)
 	   won't work with more than 2 salt characters. */