Subject: /etc/security and passwd.conf interact poorly [okay. Too dumb to use send-pr.]
To: None <netbsd-bugs@netbsd.org>
From: Martin Weber <Ephaeton@gmx.net>
List: netbsd-bugs
Date: 11/29/2001 17:06:42
Sorry for not using send-pr, but it doesn't work for me. It keeps
nagging that I should have a Category and Release line. Look
at the file and judge for yourself whether it has them or not. I cut out the
SEND-PR headers. Growl.
------------------------problem report attempt after (a)bort --------------

To: gnats-bugs@gnats.netbsd.org
Subject: /etc/security interacts poorly with passwd.conf
From: phaeton
Reply-To: phaeton
Submitter-Id:   net
Originator:     Martin Weber  
Organization:
        Entropie Erlangen
        <organization of PR author (multiple lines)>
Confidential:   no
Synopsis:       /etc/security does not understand md5 passwords
Severity:       non-critical
Priority:       low
Category:       misc
Class:          sw-bug
Release:        NetBSD 1.5Y
Environment:
System: NetBSD phaeton.entropie.net 1.5Y NetBSD 1.5Y (PHAETON) #0: Tue Nov 27 00:32:08 CET 2001 root@phaeton.entropie.net:/usr/src/sys/arch/i386/compile/PHAETON i386
Architecture: i386
Machine: i386
Description:
        First of all, apologies if I sent this multiple times; I had a broken sendmail.cf
        in the middle.

        When you activate MD5 passwords via localcipher=md5 in /etc/passwd.conf,
        the security script /etc/security, which typically runs daily, stumbles over
        users who have MD5 passwords and reports those logins as "off".

        The problem is in the following /etc/security:
        #       $NetBSD: security,v 1.44.4.1 2000/07/03 02:27:20 sommerfeld Exp $
        #       from: @(#)security      8.1 (Berkeley) 6/9/93

        The problematic code is the following (awk):

                if (length($2) != 13 && length($2) != 20 && $2 != "") {
                        if ($10 == "" || shells[$10])
                                printf "Login %s is off but still has a valid shell (%s)\n",
                                    $1, $10;

        MD5 passwords are not (in my experience) guaranteed to be exactly 13
        or 20 characters in length.

How-To-Repeat:
        install the following passwd.conf:
        --- snip ---
        default:
                localcipher = md5
        --- eof ---
        and do passwd someuser to create an MD5 password
        and run /bin/sh /etc/security,
        or simply less /etc/master.passwd and count the characters of the password field.
Fix:
        Dunno, I don't know the MD5 algorithm. But IMHO /etc/security should for sure
        read in /etc/passwd.conf and then decide which passwords are okay and which are not.
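The misfire described in the report, reproduced as an added example that is not part of the original message and not NetBSD's /etc/security. The master.passwd lines, the shell list and the MD5-shaped hash are constructed for the demo (the hash has the right prefix and 34-character length but is not real crypt() output); the prefix-aware variant is one possible fix written for this example, not the change NetBSD eventually shipped.

```shell
#!/bin/sh
# Added example, not the original /etc/security: a constructed master.passwd
# is run through (a) the length-only test quoted in the report and (b) a
# variant that also accepts md5crypt ("$1$") hashes by prefix.  Accounts,
# hashes and the shell list are made up for the demo; the md5 entry is only
# the right shape and length (34 characters), not a real crypt() result.

SAMPLE_MASTER_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/sh
desuser:abJnggxhB/yWI:1000:100::0:0:DES user:/home/desuser:/bin/sh
md5user:$1$abcdefgh$0123456789abcdefghijkl:1001:100::0:0:MD5 user:/home/md5user:/bin/sh
locked:*:1002:100::0:0:Locked:/home/locked:/bin/sh
nopw::1003:100::0:0:Empty:/home/nopw:/bin/sh'

# stand-in for the shells[] array /etc/security fills from /etc/shells
VALID_SHELLS='/bin/sh /bin/csh /bin/ksh'

# Shared awk body: ok_hash() decides whether field 2 looks like a hash, the
# rest is the check from the report.  master.passwd field layout is
# name:passwd:uid:gid:class:change:expire:gecos:home:shell, so $10 = shell.
run_check() {   # $1 = awk definition of ok_hash(p)
    printf '%s\n' "$SAMPLE_MASTER_PASSWD" | awk -F: -v shells="$VALID_SHELLS" "$1"'
    BEGIN { n = split(shells, s, " "); for (i = 1; i <= n; i++) valid[s[i]] = 1 }
    {
        if (!ok_hash($2) && $2 != "") {
            if ($10 == "" || valid[$10])
                printf "Login %s is off but still has a valid shell (%s)\n", $1, $10
        }
    }'
}

# (a) the 1.5Y behaviour: only 13- or 20-character fields count as hashes,
#     so the 34-character md5crypt field is reported as a disabled login
check_old() {
    run_check 'function ok_hash(p) { return length(p) == 13 || length(p) == 20 }'
}

# (b) additionally accept md5crypt by its "$1$" prefix (any other modular
#     crypt prefix would need its own clause; this is the demo fix only)
check_new() {
    run_check 'function ok_hash(p) { return length(p) == 13 || length(p) == 20 || p ~ /^\$1\$/ }'
}

echo "--- length-only test (as in 1.5Y /etc/security) ---"; check_old
echo "--- prefix-aware test ---"; check_new
```

With the constructed data the length-only test reports root, md5user and locked; the prefix-aware test reports only root and locked, i.e. the two accounts whose password field really is a lockout marker while the shell is still valid.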