Subject: bin/457: passwd-checking bug in login ?
To: None <gnats-admin>
From: None <>
List: netbsd-bugs
Date: 09/04/1994 16:05:07
>Number:         457
>Category:       bin
>Synopsis:       Single '*' as passwd is not locking account.
>Confidential:   yes
>Severity:       serious
>Priority:       high
>Responsible:    gnats-admin (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Sep  4 16:05:05 1994
>Originator:     Peppermint Lucy
>Release:        current 1 week old
all recently compiled
System: NetBSD 1.0_BETA NetBSD 1.0_BETA (WIPUX) #0: Wed Aug 31 16:00:19 MET DST 1994 i386

	First, I'm not sure if there is just a fault in my passwd.
	I'd be pleased if you could tell me that it was not, or is
	reproducible at your place.
	I use a '*' to lock accounts like 'daemon','bin' and I had
	also locked 'guest' like this. Somebody just pressed 'return'
	when asked for Password and was let in. It seems to work on
	all accounts that are locked with a single letter: '!', 'p'.
	Most of the accounts are not in /etc/skeyskeys but it works
	for those too.
	If I change the passwd to '!!' then the account is properly
	locked, which is how I am currently surrounding it.
	For all changes I use 'vipw'.
	I don't know how long the problem has existed, or whether
	it is only my master.passwd. I can produce my master.passwd
	if you would like to try but it's large (>400 accounts).
	Create a guest account with passwd '*' with vipw, and log in
	as guest, pressing Return when asked for passwd.
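
An audit for the condition described in this report, as an added example that is not part of the original report or of NetBSD's code: it lists accounts whose password field is exactly one character. The names `single_char_pw` and `sample_entries` and the sample entries are constructed, and the ten-field colon-separated master.passwd layout is an assumption.

```shell
#!/bin/sh
# Added example: list accounts in a master.passwd-format file whose
# password field is exactly one character ('*', '!', 'p', ...), the
# condition the report says does not lock the account.
# Assumed layout (BSD master.passwd, 10 colon-separated fields):
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

single_char_pw() {
    # $1 = file to audit; reads standard input when omitted.
    # Prints one account name per line; returns 2 if any entry is malformed.
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        NF != 10 {                            # malformed entry: report it, do not guess
            printf "line %d: expected 10 fields, got %d\n", NR, NF > "/dev/stderr"
            bad = 1
            next
        }
        length($2) == 1 { print $1 }          # single-character password field
        END { if (bad) exit 2 }
    ' "${1:--}"
}

# Constructed sample entries (not taken from the report).
sample_entries() {
    cat <<'EOF'
root:XXconstructed:0:0::0:0:Charlie Root:/root:/bin/csh
daemon:*:1:31::0:0:Daemon:/root:/sbin/nologin
guest:*:32766:31::0:0:Guest:/home/guest:/bin/sh
bin:!!:3:7::0:0:Binaries:/:/sbin/nologin
EOF
}

# Audit a real file when one is named on the command line.
if [ "$#" -gt 0 ]; then
    single_char_pw "$1"
fi
```

On the constructed sample this lists `daemon` and `guest`; the `!!` entry, which the report describes as properly locked, is not listed.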