Subject: bin/5413: /etc/security doesn't know 20 byte encrypted passwords
To: None <gnats-bugs@gnats.netbsd.org>
From: None <mason@primenet.com.au>
List: netbsd-bugs
Date: 05/07/1998 00:52:41
>Number:         5413
>Category:       bin
>Synopsis:       /etc/security doesn't know 20 byte encrypted passwords
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May  6 18:05:00 1998
>Last-Modified:
>Originator:     Geoff C. Wing
>Organization:
Geoff Wing   <gcw@pobox.com>            Mobile : 0412 162 441
Work URL: http://www.primenet.com.au/   Ego URL: http://pobox.com/~gcw/
>Release:        6 May 1998 (and long before)
>Environment:
System: NetBSD coral.primenet.com.au 1.3E NetBSD 1.3E (CORAL) #7: Wed May 6 14:32:06 EST 1998 mason@coral.primenet.com.au:/home/src/netbsd/src/sys/arch/i386/compile/CORAL i386


>Description:
	/etc/security knows only about 13 byte encrypted passwords (including
	salt), not about 20 byte versions.

	From crypt(3):
	"The value returned is a NUL-terminated string, 20 bytes in length..."
	"For compatibility with historical versions of crypt(3), the setting
	may consist of 2 bytes of salt...the returned value is a
	NUL-terminated string 13 bytes in length."

>How-To-Repeat:
	Write and use a program which generates 20 byte versions for your
	passwords.  Have /etc/security complain about them.  Get lots of
	mails filled with "Login ... is off but still has a valid shell (...)"
>Fix:

*** security.org	Mon Jan 26 23:43:55 1998
--- security	Thu May  7 10:33:44 1998
***************
*** 72,78 ****
  			printf "Login %s has more than 8 characters.\n", $1;
  		if ($2 == "")
  			printf "Login %s has no password.\n", $1;
! 		if (length($2) != 13 && $2 != "") {
  			if ($10 == "" || shells[$10])
  		    printf "Login %s is off but still has a valid shell (%s)\n",
  				    $1, $10;
--- 72,78 ----
  			printf "Login %s has more than 8 characters.\n", $1;
  		if ($2 == "")
  			printf "Login %s has no password.\n", $1;
! 		if (length($2) != 13 && length($2) != 20 && $2 != "") {
  			if ($10 == "" || shells[$10])
  		    printf "Login %s is off but still has a valid shell (%s)\n",
  				    $1, $10;
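Review bot: the changed condition `if (length($2) != 13 && length($2) != 20 && $2 != "") {` adds a second hard-coded hash length with no comment saying where 13 and 20 come from; any password field that fails this test is reported as "off but still has a valid shell", so a future crypt(3) output length would silently bring the same false positives back. Suggest a comment citing crypt(3) (13-byte result for the historical 2-byte-salt setting, 20-byte result otherwise) next to the check, or defining the accepted lengths in one place at the top of the awk script so the two tests do not drift apart.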
>Audit-Trail:
>Unformatted: