s->cur_prompt->instruction =
dupprintf("%.*s", prompt_len, prompt);
s->cur_prompt->instr_reqd = TRUE;
+ /*
+ * There's no explicit requirement in the protocol
+ * for the "old" passwords in the original and
+ * password-change messages to be the same, and
+ * apparently some Cisco kit supports password change
+ * by the user entering a blank password originally
+ * and the real password subsequently, so,
+ * reluctantly, we prompt for the old password again.
+ *
+ * (On the other hand, some servers don't even bother
+ * to check this field.)
+ */
+ add_prompt(s->cur_prompt,
+ dupstr("Current password (blank for previously entered password): "),
+ FALSE, SSH_MAX_PASSWORD_LEN);
add_prompt(s->cur_prompt, dupstr("Enter new password: "),
FALSE, SSH_MAX_PASSWORD_LEN);
add_prompt(s->cur_prompt, dupstr("Confirm new password: "),
}
/*
- * Check the two passwords match.
+ * If the user specified a new original password
+ * (IYSWIM), overwrite any previously specified
+ * one.
+ * (A side effect is that the user doesn't have to
+ * re-enter it if they louse up the new password.)
+ */
+ if (s->cur_prompt->prompts[0]->result[0]) {
+ memset(s->password, 0, strlen(s->password));
+ /* burn the evidence */
+ sfree(s->password);
+ s->password =
+ dupstr(s->cur_prompt->prompts[0]->result);
+ }
+
+ /*
+ * Check the two new passwords match.
*/
- got_new = (strcmp(s->cur_prompt->prompts[0]->result,
- s->cur_prompt->prompts[1]->result)
+ got_new = (strcmp(s->cur_prompt->prompts[1]->result,
+ s->cur_prompt->prompts[2]->result)
== 0);
if (!got_new)
/* They don't. Silly user. */
dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
ssh2_pkt_addstring(s->pktout, s->password);
ssh2_pkt_addstring(s->pktout,
- s->cur_prompt->prompts[0]->result);
+ s->cur_prompt->prompts[1]->result);
free_prompts(s->cur_prompt);
end_log_omission(ssh, s->pktout);
ssh2_pkt_send(ssh, s->pktout);