Subject: bin/5413: /etc/security doesn't know 20 byte encrypted passwords
To: None <gnats-bugs@gnats.netbsd.org>
From: None <mason@primenet.com.au>
List: netbsd-bugs
Date: 05/07/1998 00:52:41
>Number: 5413
>Category: bin
>Synopsis: /etc/security doesn't know 20 byte encrypted passwords
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed May 6 18:05:00 1998
>Last-Modified:
>Originator: Geoff C. Wing
>Organization:
Geoff Wing <gcw@pobox.com> Mobile : 0412 162 441
Work URL: http://www.primenet.com.au/ Ego URL: http://pobox.com/~gcw/
>Release: 6 May 1998 (and long before)
>Environment:
System: NetBSD coral.primenet.com.au 1.3E NetBSD 1.3E (CORAL) #7: Wed May 6 14:32:06 EST 1998 mason@coral.primenet.com.au:/home/src/netbsd/src/sys/arch/i386/compile/CORAL i386
>Description:
/etc/security knows only about 13-byte encrypted passwords (including
salt), not about 20-byte versions.
From crypt(3):
"The value returned is a NUL-terminated string, 20 bytes in length..."
"For compatibility with historical versions of crypt(3), the setting
may consist of 2 bytes of salt...the returned value is a
NUL-terminated string 13 bytes in length."
>How-To-Repeat:
Write and use a program which generates 20 byte versions for your
passwords. Have /etc/security complain about them. Get lots of
mails filled with "Login ... is off but still has a valid shell (...)"
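The check that /etc/security performs, with the lengths of both the historical and the current crypt(3) form accepted, as an added example that is not part of this report or of the NetBSD script: a POSIX shell function running the same awk logic over master.passwd-style lines read from stdin. The shell list argument stands in for /etc/shells, and the sample lines with their placeholder password fields are constructed, not real crypt(3) output.

```shell
#!/bin/sh
# Added example, not the NetBSD /etc/security script itself: the "off login"
# check from that script with both crypt(3) output lengths accepted.
# Input is master.passwd format on stdin:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
#
# check_off_logins "SHELL1 SHELL2 ..." < master.passwd
#   The argument stands in for /etc/shells (constructed here, not read
#   from the system). Prints one line per finding.
check_off_logins() {
    awk -F: -v shells_list="$1" '
    BEGIN {
        # Build the set of valid login shells, as /etc/security does from /etc/shells
        n = split(shells_list, list, " ")
        for (i = 1; i <= n; i++) shells[list[i]] = 1
    }
    NF == 0 || /^#/ { next }           # skip blank lines and comments
    {
        # $1 login name, $2 encrypted password, $10 login shell
        if ($2 == "")
            printf "Login %s has no password.\n", $1
        # 13 bytes: historical crypt(3) output (2 bytes of salt included);
        # 20 bytes: current crypt(3) output. Anything else means the
        # account was turned off by hand, so a usable shell is suspect.
        if (length($2) != 13 && length($2) != 20 && $2 != "") {
            if ($10 == "" || ($10 in shells))
                printf "Login %s is off but still has a valid shell (%s)\n", $1, $10
        }
    }'
}

# demo: constructed master.passwd lines. The password fields are
# placeholders of the right length, not real crypt(3) output.
demo() {
    check_off_logins "/bin/sh /bin/csh" <<'EOF'
# login:pw:uid:gid:class:change:expire:gecos:home:shell (constructed sample)
root:xxPLACEHOLDER:0:0::0:0:Charlie &:/root:/bin/sh
alice:_PLACEHOLDER20BYTES_:1001:100::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:100::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:100::0:0:Carol:/home/carol:/sbin/nologin
dave::1004:100::0:0:Dave:/home/dave:/bin/sh
EOF
}

demo
```

Only bob (a one-byte field with a valid shell) and dave (empty field) are reported; root and alice pass by length alone, and carol is silent because /sbin/nologin is not in the shell list. `$10 in shells` is used instead of the script's `shells[$10]` so that the lookup does not create array entries; the result is the same.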
>Fix:
*** security.org Mon Jan 26 23:43:55 1998
--- security Thu May 7 10:33:44 1998
***************
*** 72,78 ****
printf "Login %s has more than 8 characters.\n", $1;
if ($2 == "")
printf "Login %s has no password.\n", $1;
! if (length($2) != 13 && $2 != "") {
if ($10 == "" || shells[$10])
printf "Login %s is off but still has a valid shell (%s)\n",
$1, $10;
--- 72,78 ----
printf "Login %s has more than 8 characters.\n", $1;
if ($2 == "")
printf "Login %s has no password.\n", $1;
! if (length($2) != 13 && length($2) != 20 && $2 != "") {
if ($10 == "" || shells[$10])
printf "Login %s is off but still has a valid shell (%s)\n",
$1, $10;
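Review bot: the changed `if` accepts a 20-character field purely by length, exactly as the existing 13-character test does, which matches the quoted crypt(3) text, but the two magic numbers now sit unexplained on one line; a short comment above `if (length($2) != 13 && length($2) != 20 && $2 != "") {` noting that 13 is the historical form and 20 the current crypt(3) output would keep the next reader from having to look them up. The trailing `$2 != ""` is still needed, since an empty field has length 0 and is already reported by the preceding `if ($2 == "")`.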
>Audit-Trail:
>Unformatted: