Source-Changes archive


Re: CVS commit: basesrc/etc



Perry E. Metzger <perry%netbsd.org@localhost> wrote:
>Log Message:
>Update the password sanity checking thusly:
>1) If a password entry is of the form \*[A-z-]+, do not complain that
>   the account is off but has a valid password. Thus you can do
>   passwords like *ssh to indicate ssh only logins.

>   We should come up with a standard scheme for what various *keywords mean.

Sites may already be using various uses of 'non-standard' passwords for
various things.  For example, on one of our imap servers, we found that
inserting a '*' at the beginning of the encrypted password field was a
nice way of disabling a user's access to their email for policy reasons
(e.g. failure to have a current signed terms and conditions of use
statement on file) without causing mail delivery problems, and without
having to either know or change their password to restore their access
once the policy issue was resolved.

As such, I'd recommend simply allowing any valid printables (except ':',
of course!) after the '*' to not cause a complaint, instead of just [A-z-].
This would allow 'commenting out' hashed passwords under crypt, crypt
w/ NEWSALT, and MD5, along with whatever 'keyword' scheme a site might
use for e.g. ssh-only accounts.

>   Note that if the field length is 13, 20 or 34 you'll still get
>   bitched at.
>   This code should be cleaned up. (So should the password scheme.)

Most definitely!

jdarrow

-- 
John Darrow - Senior Technical Specialist               Office: 630/752-5201
Computing Services, Wheaton College, Wheaton, IL 60187  Fax:    630/752-5968
Pager via email: 6303160707%alphapage.airtouch.com@localhost      Pager:  630/316-0707
Email:     John.P.Darrow%wheaton.edu@localhost
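As an added illustration (not code from the NetBSD tree, the commit, or either poster), the following Python checker applies the two rules discussed above to constructed master.passwd-style lines: the commit's `\*[A-z-]+` exemption and the reply's proposal of allowing any printable character other than ':' after the '*'. Both variants keep the commit's rule that a field of length 13, 20 or 34 is still complained about. The warning wording, the decision not to flag a bare `*`, and the reading of "printable" as what isprint(3) accepts in the C locale (0x20..0x7e) are assumptions made for the example.

```python
import re

# Hash lengths the commit message says are still complained about:
# traditional crypt (13), crypt with NEWSALT (20) and MD5 crypt (34).
HASH_LENGTHS = frozenset({13, 20, 34})

# Commit policy: '*' followed by one or more characters from [A-z-].
# As an ASCII range, A-z runs from 'A' (0x41) to 'z' (0x7a), so it also
# admits the six punctuation characters [ \ ] ^ _ ` between 'Z' and 'a'.
COMMIT_KEYWORD = re.compile(r'\A\*[A-z-]+\Z')


def commit_exempt(field):
    """True if the commit's regex would silence the complaint for this field."""
    return COMMIT_KEYWORD.match(field) is not None


def reply_exempt(field):
    """True under the reply's proposal: '*' then any printable except ':'.

    'Printable' is read here as isprint(3) in the C locale, i.e. 0x20..0x7e
    (an assumption; the reply only says "any valid printables").
    """
    if len(field) < 2 or field[0] != '*':
        return False
    return all(0x20 <= ord(c) <= 0x7e and c != ':' for c in field[1:])


def off_account_warning(login, field, exempt):
    """Return the complaint for an 'off' account, or None if it passes.

    The message text is an assumption; the page only paraphrases it.
    """
    if not field.startswith('*'):
        return None            # not an 'off' account; outside this check
    if field == '*':
        return None            # plain disabled account (assumed not flagged)
    if len(field) in HASH_LENGTHS:
        # Still flagged whatever follows the '*', as the commit notes.
        return f'{login}: account is off but has a valid password'
    if exempt(field):
        return None
    return f'{login}: account is off but has a valid password'


def check_master_passwd(lines, exempt):
    """Run the check over master.passwd-style lines; return the warnings."""
    warnings = []
    for line in lines:
        if not line or line.startswith('#'):
            continue
        login, field = line.split(':', 2)[:2]
        w = off_account_warning(login, field, exempt)
        if w:
            warnings.append(w)
    return warnings


# Constructed sample entries (not taken from any real system); only the
# login and password fields matter to this check.
SAMPLE = [
    'root:$1$saltsalt$abcdefghijklmnopqrstuv:0:0::0:0:Charlie &:/root:/bin/sh',
    'sshonly:*ssh:1001:100::0:0:SSH keys only:/home/sshonly:/bin/sh',
    # '*' prepended to a 13-char crypt hash, the reply's policy-hold trick
    'hold:*abJnggxhB/yWI:1002:100::0:0:Terms not signed:/home/hold:/bin/sh',
    'note:*see.ticket:1003:100::0:0:Keyword with a dot:/home/note:/bin/sh',
    # '*' plus twelve letters is 13 characters long and is flagged either way
    'short:*abcdefghijkl:1004:100::0:0:Star plus twelve:/home/short:/bin/sh',
]


if __name__ == '__main__':
    for name, policy in (('commit', commit_exempt), ('reply', reply_exempt)):
        print(f'--- {name} policy ---')
        for w in check_master_passwd(SAMPLE, policy):
            print(w)
```

Under the commit's regex the `hold` and `note` entries are complained about because `/` and `.` fall outside `[A-z-]`, which is exactly the case the reply describes; under the reply's rule only `short` remains, because its field is 13 characters long.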


