Subject: misc/26490: /etc/security is not aware of sha1 passwords
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <dlagno@smtp.ru>
List: netbsd-bugs
Date: 07/31/2004 18:37:07
>Number:         26490
>Category:       misc
>Synopsis:       /etc/security is not aware of sha1 passwords
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    misc-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat Jul 31 15:42:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Denis Lagno
>Release:        NetBSD 2.0G
>Organization:
World
>Environment:
System: NetBSD flamante.local.domain 2.0G NetBSD 2.0G (FLAMANTE) #0: Mon Jul 26 07:27:26 MSD 2004 dina@flamante.local.domain:/volatile/worksrc/netbsd-current/src/sys/arch/i386/compile/FLAMANTE i386
Architecture: i386
Machine: i386
>Description:
Recently sha1 support was added to the passwd machinery,
but it is still not supported by other utilities.
One example is the pwhash utility.
A second example is the /etc/security script.
>How-To-Repeat:
Choose sha1 in /etc/passwd.conf.
Set a password for some user.
Then get the daily security output:

Checking the /etc/master.passwd file:
Login xxx is off but still has a valid shell (/usr/local/bin/zsh)
>Fix:
/etc/security can be fixed with something like this:

--- security.1.91	2004-07-23 21:16:59.000000000 +0400
+++ security	2004-07-31 16:56:05.000000000 +0400
@@ -229,6 +229,7 @@
 		    	length($2) != 20 &&
 		    	$2 !~ /^\$1/ &&
 		    	$2 !~ /^\$2/ &&
+		    	$2 !~ /^\$sha1/ &&
 		    	$2 != "" &&
 			(permit_star || $2 != "*") &&
 		    	$2 !~ /^\*[A-z-]+$/ &&
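Review bot: the added line `$2 !~ /^\$sha1/` matches on the bare prefix, so any password field that merely starts with `$sha1` would be accepted; NetBSD's sha1 crypt fields are laid out as `$sha1$<rounds>$<salt>$<hash>`, so `$2 !~ /^\$sha1\$/` pins the test to that scheme at no cost. The neighbouring `$1` and `$2` tests in the same condition are also prefix-only, so the looser form is at least consistent with them, but the trailing `\$` is the safer choice for a new entry. Also, the description names pwhash as a second utility lacking sha1 support while this diff touches only /etc/security; it would be worth saying in the PR that pwhash is still unaddressed so the report is not closed on this hunk alone.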
>Release-Note:
>Audit-Trail:
>Unformatted:
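As an added illustration (not part of this PR and not NetBSD's own /etc/security code), here is the awk condition from the hunk above re-implemented in Python and run over a constructed master.passwd sample, so the effect of the missing `$sha1` term can be seen directly: without it, a login whose hash is `$sha1$...` is reported as "off", with it only the genuinely unrecognised field is. Assumptions: the `length($2) != 13` DES test is assumed to sit just above the visible hunk; the shell-validity test that follows the visible lines is left out and the report simply carries the shell field; the pattern used is `^\$sha1\$` with the trailing `$`, matching NetBSD's `$sha1$<rounds>$<salt>$<hash>` layout, which is slightly tighter than the prefix-only `^\$sha1` in the patch. The function names (`reported_as_off`, `off_logins`, `parse_sha1_field`) and every sample line and hash string are constructed for this example and are not real accounts or credentials.

```python
import re

# Constructed master.passwd sample (NOT real accounts or hashes): the password
# fields merely have the shape of each scheme.  Field layout is
# name:passwd:uid:gid:class:change:expire:gecos:home:shell.
SAMPLE_MASTER_PASSWD = """\
root:$2a$04$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQ:0:0::0:0:Charlie &:/root:/bin/sh
des:AbCdEfGhIjKlM:1000:100::0:0:DES user:/home/des:/bin/sh
md5:$1$saltsalt$abcdefghijklmnopqrstuv:1001:100::0:0:MD5 user:/home/md5:/bin/sh
xxx:$sha1$24680$abcdefgh$0123456789abcdefghijklmnopqrstuv:1002:100::0:0:SHA1 user:/home/xxx:/usr/local/bin/zsh
star:*:1003:100::0:0:Locked:/home/star:/sbin/nologin
off:*LOCKED-by-admin:1004:100::0:0:Starred:/home/off:/bin/sh
nopw::1005:100::0:0:No password:/home/nopw:/bin/sh
bogus:not-a-hash:1006:100::0:0:Garbage:/home/bogus:/bin/sh
"""

# NetBSD sha1 crypt layout: $sha1$<rounds>$<salt>$<hash>
SHA1_FIELD = re.compile(r"^\$sha1\$(\d+)\$([^$]+)\$([^$]+)$")


def reported_as_off(pw, know_sha1, permit_star=False):
    """Python rendering of the awk test in the PR's hunk.

    Returns True when the check would print
    'Login X is off but still has a valid shell'.  The length-13 (DES)
    test is assumed to come from the lines above the hunk; the shell
    test after the hunk is omitted here.  know_sha1 toggles the term the
    patch adds, so the old and new behaviour can be compared.
    """
    if len(pw) == 13 or len(pw) == 20:          # DES (assumed) / 20-char form from the hunk
        return False
    if pw.startswith("$1") or pw.startswith("$2"):  # md5crypt / bcrypt, prefix-only as in the hunk
        return False
    if know_sha1 and SHA1_FIELD.match(pw):       # the added term, anchored on "$sha1$"
        return False
    if pw == "":                                  # empty field is handled by a separate check
        return False
    if not (permit_star or pw != "*"):           # bare "*" as written in the hunk
        return False
    if re.match(r"^\*[A-z-]+$", pw):             # "*WORD" disabled-account marker
        return False
    return True


def parse_sha1_field(pw):
    """Split a $sha1$ field into (rounds, salt, hash); None if not that scheme."""
    m = SHA1_FIELD.match(pw)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def off_logins(master_passwd_text, know_sha1, permit_star=False):
    """Return [(login, shell), ...] for the lines the check would report."""
    reported = []
    for line in master_passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:                    # skip malformed lines rather than guess
            continue
        login, pw, shell = fields[0], fields[1], fields[9]
        if reported_as_off(pw, know_sha1, permit_star):
            reported.append((login, shell))
    return reported


if __name__ == "__main__":
    for know in (False, True):
        label = "with $sha1 term" if know else "without $sha1 term"
        for login, shell in off_logins(SAMPLE_MASTER_PASSWD, know):
            print(f"{label}: Login {login} is off but still has a valid shell ({shell})")
```

Run without the `$sha1` term the sample reproduces the PR's symptom for login `xxx` (the zsh user with a sha1 hash); with it only `bogus`, whose field is not any known scheme, is reported. `parse_sha1_field` is there to show what the anchored pattern actually commits to, and why a prefix-only test would also accept a field that is not a complete sha1 hash.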