Date: Fri, 4 Oct 2002 14:21:57 -0700 (PDT) From: Jeffrey Eugene Crawford <crawford.jeffrey.eugene@bigfoot.com> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/43674: Able to bypass expired password Message-ID: <200210042121.g94LLvQI069892@www.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 43674
>Category: misc
>Synopsis: Able to bypass expired password
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Oct 04 14:30:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Jeffrey Eugene Crawford
>Release: CVSup RELENG_4_6
>Organization:
INSIGMA IT Engineering
>Environment:
FreeBSD lissi.crawford.int 4.6.2-RELEASE-p2 FreeBSD 4.6.2-RELEASE-p2 #0: Mon Sep 30 19:44:54 CEST 2002 toor@lissi.crawford.int:/usr/obj/usr/src/sys/LISSI i386
>Description:
Playing around with passwords I found that I can set the password to expire in chpass, then when I try to log into that account I'm asked to change the password. One of the requirements is that I provide a password that is at least 6 characters long, if I however simply exit with ^C I'm able to access the account without changing the password
>How-To-Repeat:
Set password for an account to expire (I used chpass) login to account with current credintals, you are prompted to change the password. Try to change password to one that is less than 6 chars. long, you recieve an error message simply press ^C and you are in the account with an expired password
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200210042121.g94LLvQI069892>