Subject: bin/12094: /etc/security complains about the use of md5 passwords
To: None <gnats-bugs@gnats.netbsd.org>
From: Andrew Brown <atatat@atatdot.net>
List: netbsd-bugs
Date: 01/31/2001 17:03:21
>Number: 12094
>Category: bin
>Synopsis: /etc/security complains about the use of md5 passwords
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jan 31 17:06:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: TheMan
>Release: current 2001/01/30
>Organization:
none
>Environment:
System: NetBSD this 1.5R NetBSD 1.5R (THAT) #28: Tue Jan 30 16:43:53 EST 2001 andrew@this:/usr/src/sys/arch/i386/compile/THAT i386
>Description:
If I use an md5 password (enabled via passwd.conf), then root gets
mail every night about an illegal password.
>How-To-Repeat:
Simply add (or change) your /etc/passwd.conf file to contain
    default:
        localcipher = md5
then set someone's password. Wait until morning. Read the security report.
>Fix:
--- security-orig Wed Jan 17 09:09:38 2001
+++ security Thu Jan 25 16:27:25 2001
@@ -86,7 +86,7 @@
printf "Login %s has more than "len" characters.\n", $1;
if ($2 == "")
printf "Login %s has no password.\n", $1;
- if (length($2) != 13 && length($2) != 20 && $2 != "") {
+ if (length($2) != 13 && length($2) != 20 && length($2) != 34 && $2 != "") {
if ($10 == "" || shells[$10])
printf "Login %s is off but still has a valid shell (%s)\n",
$1, $10;
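Review bot: The added `length($2) != 34` test on the `+` line accepts any 34-character string in the password field, not only an MD5 hash. In the other direction, an MD5 hash whose salt is shorter than eight characters comes out shorter than 34 characters, so it would still fall into the "is off but still has a valid shell" branch. Consider matching the format instead of the length for this case, for example `$2 !~ /^\$1\$/`, so that only fields carrying the `$1$` prefix are exempted. The condition now carries three bare lengths (13, 20, 34); a one-line comment above it saying which hash format each length stands for would make the next addition easier to review.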
>Release-Note:
>Audit-Trail:
>Unformatted: