Subject: bin/12094: /etc/security complains about the use of md5 passwords
To: None <gnats-bugs@gnats.netbsd.org>
From: Andrew Brown <atatat@atatdot.net>
List: netbsd-bugs
Date: 01/31/2001 17:03:21
>Number:         12094
>Category:       bin
>Synopsis:       /etc/security complains about the use of md5 passwords
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 31 17:06:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     TheMan
>Release:        current 2001/01/30
>Organization:
none
>Environment:
	
System: NetBSD this 1.5R NetBSD 1.5R (THAT) #28: Tue Jan 30 16:43:53 EST 2001     andrew@this:/usr/src/sys/arch/i386/compile/THAT i386

>Description:

If I use an md5 password (enabled via passwd.conf), then root gets
mail every night about an illegal password.

>How-To-Repeat:

Simply add (or change) your /etc/passwd.conf file to contain

    default:
        localcipher = md5

Then set someone's password.  Wait until morning.  Read the security report.

>Fix:

--- security-orig	Wed Jan 17 09:09:38 2001
+++ security	Thu Jan 25 16:27:25 2001
@@ -86,7 +86,7 @@
 			printf "Login %s has more than "len" characters.\n", $1;
 		if ($2 == "")
 			printf "Login %s has no password.\n", $1;
-		if (length($2) != 13 && length($2) != 20 && $2 != "") {
+		if (length($2) != 13 && length($2) != 20 && length($2) != 34 && $2 != "") {
 			if ($10 == "" || shells[$10])
 		    printf "Login %s is off but still has a valid shell (%s)\n",
 				    $1, $10;
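
Review bot: the changed condition on the `+` line still decides whether $2 is a usable hash by field length alone, so any 34-character string in the password field is now treated as a valid password and that account skips the "off but still has a valid shell" branch. MD5 crypt strings start with "$1$", so consider matching that prefix (for example `$2 ~ /^\$1\$/`) together with, or instead of, `length($2) != 34`. A prefix match would also cover an MD5 hash whose salt is shorter than eight characters, which comes out shorter than 34 and would still be reported by this test. A short comment stating which hash format each of the accepted lengths 13, 20 and 34 stands for would make the condition easier to maintain.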
>Release-Note:
>Audit-Trail:
>Unformatted: