|
cvsdist |
ffdec57 |
Skip the initial empty-password check if permit_empty_passwd is disabled. This
|
|
cvsdist |
ffdec57 |
doesn't change the timing profiles of the host because the additional condition
|
|
cvsdist |
ffdec57 |
check which can short-circuit the call to pam_authenticate() has no dependency
|
|
cvsdist |
ffdec57 |
on the identity of the user who is being authenticated.
|
|
 |
09510ad |
diff -up openssh-5.1p1/auth1.c.skip-initial openssh-5.1p1/auth1.c
|
|
|
09510ad |
--- openssh-5.1p1/auth1.c.skip-initial 2008-07-09 12:54:05.000000000 +0200
|
|
|
09510ad |
+++ openssh-5.1p1/auth1.c 2008-07-23 18:26:01.000000000 +0200
|
|
|
09510ad |
@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt)
|
|
|
09510ad |
authctxt->valid ? "" : "invalid user ", authctxt->user);
|
|
cvsdist |
ffdec57 |
|
|
cvsdist |
ffdec57 |
/* If the user has no password, accept authentication immediately. */
|
|
cvsdist |
ffdec57 |
- if (options.password_authentication &&
|
|
cvsdist |
ffdec57 |
+ if (options.permit_empty_passwd && options.password_authentication &&
|
|
cvsdist |
ffdec57 |
#ifdef KRB5
|
|
cvsdist |
ffdec57 |
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
|
|
cvsdist |
ffdec57 |
#endif
|
|
|
09510ad |
diff -up openssh-5.1p1/auth2-none.c.skip-initial openssh-5.1p1/auth2-none.c
|
|
|
09510ad |
--- openssh-5.1p1/auth2-none.c.skip-initial 2008-07-02 14:56:09.000000000 +0200
|
|
|
09510ad |
+++ openssh-5.1p1/auth2-none.c 2008-07-23 18:26:01.000000000 +0200
|
|
|
09510ad |
@@ -65,7 +65,7 @@ userauth_none(Authctxt *authctxt)
|
|
cvsdist |
ffdec57 |
if (check_nt_auth(1, authctxt->pw) == 0)
|
|
|
09510ad |
return (0);
|
|
cvsdist |
ffdec57 |
#endif
|
|
cvsdist |
ffdec57 |
- if (options.password_authentication)
|
|
cvsdist |
ffdec57 |
+ if (options.permit_empty_passwd && options.password_authentication)
|
|
cvsdist |
ffdec57 |
return (PRIVSEP(auth_password(authctxt, "")));
|
|
cvsdist |
ffdec57 |
return (0);
|
|
cvsdist |
ffdec57 |
}
|