Subject: Re: toor
To: Richard Grace <rgrace@aapt.com.au>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 07/23/2002 14:32:01
[ On Tuesday, July 23, 2002 at 16:02:32 (+1000), Richard Grace wrote: ]
> Subject: Re: toor
>
> The password should be an asterisk, or another unmatchable
> pattern (*LK* is common on commercial Unixes).
Strictly an invalid password for a traditional Unix crypt password is
any string that is not empty and is not exactly 13 characters long
and/or which does not consist entirely of characters from the set of 64
characters [./0-9A-Za-z].
The use of the string "*LK*" is not really any more or less common on
commercial Unix implementations, though there are a few instances of
user account management tools which will insert this string in the
password field when an account is disabled. Note though that sometimes
the original string is preserved by prefixing or suffixing it with
"*LK*", or "*LOCK*" (where the asterisks may be replaced by other
special characters, or omitted entirely), thus allowing the account to
be re-enabled with its original password even though the administrator
does not know the password.
On modern NetBSD (i.e. the upcoming 1.6 release, I guess) it's possible
for different password encryption schemes to be used (old, newsalt, and
md5 are the ones I know which are supported), and each of these ciphers
has different output formats, dictating different limits on what field
values are possibly legitimate.
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>