Security Update: Blank password bypass in LDAP

iamacarpet · Oct 10, 2017 · 2c562da · 2c562da
1 parent 43f1b74
commit 2c562da
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/auth.go b/auth.go
@@ -18,6 +18,11 @@ func AuthUserPass(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, err
     if _, ok := config.Users[conn.User()]; ! ok {
         return nil, fmt.Errorf("User Doesn't Exist in Config")
     }
+
+    if string(password) == "" {
+        // Blank password isn't handled properly by LDAP library, fail here.
+        return nil, fmt.Errorf("Blank Password Not Allowed")
+    }
 
     if config.Global.AuthType == "ad" {
         l, err := ldap.Dial("tcp", config.Global.LDAP_Server)