Subject: bin/457: passwd-checking bug in login ?
To: None <gnats-admin>
From: None <toor@wipux2.wifo.uni-mannheim.de>
List: netbsd-bugs
Date: 09/04/1994 16:05:07
>Number: 457
>Category: bin
>Synopsis: Single '*' as passwd is not locking account.
>Confidential: yes
>Severity: serious
>Priority: high
>Responsible: gnats-admin (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Sep 4 16:05:05 1994
>Originator: Peppermint Lucy
>Organization:
>Release: current 1 week old
>Environment:
all recently compiled
System: NetBSD wipux2.wifo.uni-mannheim.de 1.0_BETA NetBSD 1.0_BETA (WIPUX) #0: Wed Aug 31 16:00:19 MET DST 1994 toor@wipux2.wifo.uni-mannheim.de:/src/src/sys/arch/i386/compile/WIPUX i386
>Description:
First, I'm not sure if there is just a fault in my passwd.
I'd be pleased if you could tell me that it was not or is
reproducible at your place.
I use a '*' to lock accounts like 'daemon','bin' and I had
also locked 'guest' like this. Somebody just pressed 'return'
when asked for Password and was let in. It seems to work on
all accounts that are locked with a single letter: '!', 'p'.
Most of the accounts are not in /etc/skeyskeys but it works
for those too.
If I change the passwd to '!!' then the account is properly
locked, which is how I am currently surrounding it.
For all changes I use 'vipw'.
I don't know how long the problem has existed, or whether
it is only my master.passwd. I can produce my master.passwd
if you would like to try but it's large (>400 accounts).
>How-To-Repeat:
Create guest account with passwd '*' with vipw, and log in
as guest, pressing Return when asked for passwd.
>Fix:
unknown
>Audit-Trail:
>Unformatted: