pam_unix: avoid determining if user exists

Taking a look at the time for the password prompt to appear it was possible to determine if a user existed in a system. Solved it by matching the runtime until the password prompt was shown by always checking the password hash for an existing and a non-existing user. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
author: ikerexxe <ipedrosa@redhat.com> 2020-06-16 14:32:36 +0200
committer: Tomáš Mráz <7125407+t8m@users.noreply.github.com> 2020-06-17 14:36:09 +0200
commit: af0faf666c5008e54dfe43684f210e3581ff1bca (patch)
tree: f351d46b894fa86cb1d8bc204a688da94666dcbe /modules/pam_unix/passverify.c
parent: 395915dae1571e10e2766c999974de864655ea3a (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index a571b4f7..7455eae6 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -1096,6 +1096,12 @@ helper_verify_password(const char *name, const char *p, int nullok)
 	if (pwd == NULL || hash == NULL) {
 		helper_log_err(LOG_NOTICE, "check pass; user unknown");
 		retval = PAM_USER_UNKNOWN;
+	} else if (p[0] == '\0' && nullok) {
+		if (hash[0] == '\0') {
+			retval = PAM_SUCCESS;
+		} else {
+			retval = PAM_AUTH_ERR;
+		}
 	} else {
 		retval = verify_pwd_hash(p, hash, nullok);
 	}
author	ikerexxe <ipedrosa@redhat.com>	2020-06-16 14:32:36 +0200
committer	Tomáš Mráz <7125407+t8m@users.noreply.github.com>	2020-06-17 14:36:09 +0200
commit	af0faf666c5008e54dfe43684f210e3581ff1bca (patch)
tree	f351d46b894fa86cb1d8bc204a688da94666dcbe /modules/pam_unix/passverify.c
parent	395915dae1571e10e2766c999974de864655ea3a (diff)