From cc55a88ddc9c08cc669da731e9f7aafc379680ee Mon Sep 17 00:00:00 2001
From: Samba Release Account
Date: Tue, 4 Feb 1997 10:35:38 +0000
Subject: JHT ===> Fixed potential PAM Security hole and second chance syndrome spurious warning message "Warning - no crypt available" (This used to be commit dc559428b85474ff4d80f37f421365a3910a8861)
---
 source3/smbd/password.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 8c1a1026cc..3ccc1e4cfd 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -612,7 +612,16 @@ BOOL password_check(char *password)
 {
 #ifdef USE_PAM
+/* This falls through if the password check fails
+ - if NO_CRYPT is defined this causes an error msg
+ saying Warning - no crypt available
+ - if NO_CRYPT is NOT defined this is a potential security hole
+ as it may authenticate via the crypt call when PAM
+ settings say it should fail.
 if (pam_auth(this_user,password)) return(True);
+Hence we make a direct return to avoid a second chance!!!
+*/
+ return (pam_auth(this_user,password));
 #endif
 #ifdef AFS_AUTH
-- 
cgit
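Review bot: The old `if (pam_auth(this_user,password)) return(True);` statement is kept inside the new block comment, so the rationale and the dead code are interleaved and the one live line, `return (pam_auth(this_user,password));`, is easy to miss. I would delete the commented-out statement and put a short comment directly above the return, e.g. `/* PAM is authoritative: a PAM failure must not fall through to the AFS/crypt checks below */`. With USE_PAM defined, everything after `#endif` in password_check becomes unreachable (the body continues past the hunk, beginning with the `AFS_AUTH` section); putting those sections under `#else` would make the fail-closed intent explicit instead of relying on an early return. Since pam_auth's result is now returned unmodified as the BOOL, it is also worth confirming that it only ever yields True or False.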