> For example, you can do something like this:
>
> ssh -l gate@gateway.mydomain.com
> Password: username password (Not visible!)
>
> This is useful in gateways to authenticate users without giving
> each user his/her own account (for security).
Why should this feature be partially implemented in a PAM module,
when it needs support elsewhere, anyway? I don't think this hack
is worth it.
> + user_env = alloca(22 + key_only_len);
> + strcpy(user_env, "PAM_USER_IN_PASSWORD=");
> + strncat(user_env + 21, user, key_only_len);
> + pam_putenv(pamh, user_env);
No NUL termination here.
> + } else if (ctrl & PAM_CRYPT) {
> + char salt[3] = "xx";
> + strncpy(salt, data.dptr, 2);
> + compare = strncmp(crypt(pass,salt), data.dptr, data.dsize);
This is overly complicated and will only work for the obsolete
traditional crypt(3). You don't need this truncation to 2 chars.
Signed,
Solar Designer
