Subject: misc/12539: /etc/security doesn't know about long passwords
To: None <gnats-bugs@gnats.netbsd.org>
From: None <smb@mikado.research.att.com>
List: netbsd-bugs
Date: 04/03/2001 15:08:43
>Number: 12539
>Category: misc
>Synopsis: /etc/security doesn't know about long passwords
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: misc-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Apr 03 12:09:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Steven M. Bellovin
>Release: 2001/02/06
>Organization:
>Environment:
System: NetBSD mikado.research.att.com 1.5R NetBSD 1.5R (MIKADO) #1: Tue Mar 6 23:53:40 EST 2001 smb@mikado.research.att.com:/usr/src/sys/arch/i386/compile/MIKADO i386
Architecture: i386
Machine: i386
>Description:
If md5 passwords are used, /etc/security complains that the
account has a real shell but is disabled. It checks for
"disabled" by looking for a hashed password length of 13 or 20,
which doesn't match what is currently produced.
>How-To-Repeat:
Change localcipher in /etc/passwd.conf, change a password,
and wait a day...
>Fix:
Have the code look at the type prefix (if any), and check
the length accordingly.
>Release-Note:
>Audit-Trail:
>Unformatted: