
#10 It is possible to login with any password if query's password is null.

0.5.2-1
closed
patch (1)
5
2014-10-02
2013-01-15
No

If the "pw_type" is crypt-based and the password field returned by the query is null, the user is able to authenticate with any password. It is true that crypt("anything", ""); is always "", so if the crypted password is an empty string, this is (arguably) the correct behavior, but since it sounds very bad, pam_unix explicitly needs the nullok flag.

But the issue here is even worse: when crypt is used, pam_pgsql authenticates with any password both when the field is an empty string (arguably reasonable) and when it is null. The latter seems very bad, because no output from crypt represents a null password (although this concept is absent in the original Unix).

In my opinion, a null password should be treated the same as no result, and should always fail.

A workaround is to use a query that never returns null, like:
SELECT COALESCE(password, '§§INVALID') FROM auth_table;
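
The decision order the report asks for (NULL fails like a missing row, an empty hash passes only with an explicit opt-in), as an added example that is not part of the ticket and not pam_pgsql's code. The names check_crypt_password, is_null, nullok and toy_crypt are hypothetical; toy_crypt is a constructed stand-in for crypt(3) so the block runs without libcrypt.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of a password check; anything other than AUTH_OK must deny. */
enum auth_result { AUTH_OK = 0, AUTH_FAIL = 1 };

/* Same shape as crypt(3): hash `key` using the salt/settings in `setting`. */
typedef const char *(*crypt_fn)(const char *key, const char *setting);

/* Constructed stand-in for crypt(3). It reproduces the behaviour the ticket
 * describes (an empty setting yields "") and otherwise returns a fixed fake
 * hash that only the password "secret" produces. */
static const char *toy_crypt(const char *key, const char *setting)
{
    if (setting[0] == '\0')
        return "";
    return strcmp(key, "secret") == 0 ? "ab.FAKEHASH" : "ab.OTHERHASH";
}

/* is_null: the column was SQL NULL (with libpq, what PQgetisnull reports).
 * stored:  the column text; libpq's PQgetvalue gives "" for a NULL field,
 *          so the flag is the only way to tell NULL from an empty string.
 * nullok:  hypothetical opt-in named after pam_unix's nullok; here it
 *          admits only the empty password against an empty stored hash. */
enum auth_result check_crypt_password(int is_null, const char *stored,
                                      const char *candidate, int nullok,
                                      crypt_fn hash)
{
    const char *out;

    if (is_null || stored == NULL || candidate == NULL)
        return AUTH_FAIL;              /* NULL is treated like no result */
    if (stored[0] == '\0')             /* never reaches crypt("x", "") */
        return (nullok && candidate[0] == '\0') ? AUTH_OK : AUTH_FAIL;
    out = hash(candidate, stored);
    if (out == NULL)
        return AUTH_FAIL;              /* crypt(3) may return NULL on error */
    return strcmp(out, stored) == 0 ? AUTH_OK : AUTH_FAIL;
}

int main(void)
{
    /* A NULL column with any password must be denied: exit status 0. */
    return check_crypt_password(1, "", "anything", 0, toy_crypt) == AUTH_FAIL ? 0 : 1;
}
```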

Discussion

  • Jan Dittberner

    Jan Dittberner - 2014-09-27
    • labels: --> patch
     
  • Jan Dittberner

    Jan Dittberner - 2014-09-27

    Ticket moved from /p/pam-pgsql/bugs/13/

     
  • William Grzybowski

    • status: open --> closed
    • assigned_to: William Grzybowski
    • Group: 0.7 --> 0.5.2-1
     
