To: xbugs@x.org
Subject: xdm: does not support accounts with no password

     VERSION:

R6, public-patch-11

     CLIENT MACHINE and OPERATING SYSTEM:

SPARC / SunOS 4.1.3_U1

     DISPLAY TYPE:

Sun bwtwo

     WINDOW MANAGER:

twm (any)

     COMPILER:

gcc

     AREA:

xc/programs/xdm

     SYNOPSIS:

It is not possible to login to an account that has no password.

     DESCRIPTION:

If an account has no password (the encrypted password is "")
then the typical UNIX login will not prompt for a password.
It is not possible to login to such an account using xdm.

     REPEAT BY:

Create an account with no password.  The /etc/passwd entry may be:
	guest::101:20:Guest account:/home/guest:/bin/csh
Note that the encrypted password is a null string.  Verify that
telnet to this account does not prompt for a password.
Finally, try to login as guest using xdm.  You can't.

     SAMPLE FIX:

cd xc/programs/xdm
diff -c verify.c.orig verify.c
*** verify.c.orig	Sun Apr 17 13:03:55 1994
--- verify.c	Fri Jul 21 14:58:32 1995
***************
*** 1,4 ****
--- 1,6 ----
  /* $XConsortium: verify.c,v 1.32 94/04/17 20:03:55 gildea Exp $ */
+ /* Support null encrypted password (no password) */
+ /* 95/07/21  Gordon Ross <gwr@mc.com> */
  /*
  
  Copyright (c) 1988  X Consortium
***************
*** 159,164 ****
--- 161,167 ----
  #endif
  	char		*shell, *home;
  	char		**argv;
+ 	char		*crpw;	/* encrypted password */
  
  	Debug ("Verify %s ...\n", greet->name);
  	p = getpwnam (greet->name);
***************
*** 175,185 ****
  		return 0;
  	}
  	endspent();
! 
! 	if (strcmp (crypt (greet->password, sp->sp_pwdp), sp->sp_pwdp))
  #else
! 	if (strcmp (crypt (greet->password, p->pw_passwd), p->pw_passwd))
  #endif
  	{
  		Debug ("password verify failed\n");
  		bzero(greet->password, strlen(greet->password));
--- 178,193 ----
  		return 0;
  	}
  	endspent();
! 	crpw = sp->sp_pwdp;
  #else
! 	crpw = p->pw_passwd;
  #endif
+ 
+ 	/*
+ 	 * Null string as the encrypted password means the user
+ 	 * should not even be prompted for a password.
+ 	 */
+ 	if (crpw[0] && strcmp (crypt (greet->password, crpw), crpw))
  	{
  		Debug ("password verify failed\n");
  		bzero(greet->password, strlen(greet->password));
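Review bot: The new `crpw[0] &&` test in Verify() accepts whatever password was typed whenever the stored hash is empty, and it does so unconditionally for every display xdm manages, which may include remote XDMCP sessions where a passwordless login is rarely intended. Consider gating it on an off-by-default setting, e.g. `if (!crpw[0] && !allow_null) { Debug ("null password not allowed\n"); return 0; }`, where `allow_null` is a placeholder name for a new resource. Separately, the result of crypt() is still passed straight to strcmp(); some implementations return NULL for a salt they reject, so a NULL check before the comparison would avoid a crash in the login path. Verify() begins and ends outside this hunk, so how the success path handles greet->password is not visible here.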
