From 6c05160936b9ae094bdc1182060217c281552238 Mon Sep 17 00:00:00 2001
From: djm
Date: Wed, 23 Feb 2022 11:17:10 +0000
Subject: [PATCH] randomise the password used in fakepw

---
 usr.bin/ssh/auth.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index ba9c1b72b96..883e4e6adb3 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.153 2021/07/05 00:50:25 dtucker Exp $ */
+/* $OpenBSD: auth.c,v 1.154 2022/02/23 11:17:10 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -594,18 +594,28 @@ auth_debug_reset(void)
 struct passwd *
 fakepw(void)
 {
+ static int done = 0;
 static struct passwd fake;
+ const char hashchars[] = "./ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz0123456789"; /* from bcrypt.c */
+ char *cp;
+
+ if (done)
+ return (&fake);
 
 memset(&fake, 0, sizeof(fake));
 fake.pw_name = "NOUSER";
- fake.pw_passwd =
- "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
+ fake.pw_passwd = xstrdup("$2a$10$"
+ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
+ for (cp = fake.pw_passwd + 7; *cp != '\0'; cp++)
+ *cp = hashchars[arc4random_uniform(sizeof(hashchars) - 1)];
 fake.pw_gecos = "NOUSER";
 fake.pw_uid = (uid_t)-1;
 fake.pw_gid = (gid_t)-1;
 fake.pw_class = "";
 fake.pw_dir = "/nonexist";
 fake.pw_shell = "/nonexist";
+ done = 1;
 return (&fake);
 }
 
-- 
2.20.1
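Review bot: The loop start `fake.pw_passwd + 7` in `fakepw()` hard-codes the length of the `"$2a$10$"` prefix, so editing the prefix without updating the offset would either overwrite part of the header or leave literal `x` characters in the salt. Deriving the offset from the prefix keeps the two in step, e.g. `static const char prefix[] = "$2a$10$";` with `cp = fake.pw_passwd + sizeof(prefix) - 1`. The hunk also raises the cost field from `06` to `10` without explanation. If this entry exists so that a password check for an unknown user costs about the same as one for a real account (inferred, not stated on the page), a cost that differs from the real hashes would make unknown users distinguishable by response time. A comment above `fakepw()` should record that, for instance `/* Placeholder entry for unknown users; hash body is random per process, cost should track the cost of real hashes. */`.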