Date: Mon, 14 Jan 2002 21:16:23 +0300 (MSK) From: Dmitry Morozovsky <marck@rinet.ru> To: FreeBSD-gnats-submit@freebsd.org Subject: bin/33881: adduser additions: selectable crypt scheme; empty passwords Message-ID: <200201141816.g0EIGNC53786@woozle.rinet.ru>
>Number: 33881 >Category: bin >Synopsis: adduser additions: selectable crypt scheme; empty passwords >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Mon Jan 14 10:20:01 PST 2002 >Closed-Date: >Last-Modified: >Originator: Dmitry Morozovsky >Release: FreeBSD 4-STABLE i386 >Organization: Cronyx Plus LLC (RiNet ISP) >Environment: System: FreeBSD 4-STABLE as of November 2001 >Description: Currently, adduser(8) can't handle selecting password crypt schemes because there is no interface to login capabilites nor crypt_set_format(). This leads to unconditionally des-crypted passwords for newly added users, which is (I suppose) mostly unsuitable. This patch provides selectable password crypt scheme (written in config file) as well as ability to ask for scheme for each new user. Also, it would be frequently useful to set crypted password to '*' when the password field is empty -- so behaviour of the question "Do you want to use empty password" has been changed accordingly. Possibly, this should be made more user-friendly and/or selectable. >How-To-Repeat: Add new user vi adduser(8) with passwd_format=md5 in /etc/login.conf. Then, crypted password will be in des format. >Fix:
Index: adduser.perl
===================================================================
RCS file: /home/ncvs/src/usr.sbin/adduser/adduser.perl,v
retrieving revision 1.44.2.3
diff -u -r1.44.2.3 adduser.perl
--- adduser.perl 2001/10/15 13:43:18 1.44.2.3
+++ adduser.perl 2002/01/14 17:39:25
@@ -31,6 +31,8 @@
 sub variables {
 $verbose = 1; # verbose = [0-2]
 $defaultpasswd = "yes"; # use password for new users
+ $passwdscheme = "md5"; # password scheme (md5/des)
+ $passwdschemeask = "no"; # ask for password scheme in normal case
 $dotdir = "/usr/share/skel"; # copy dotfiles from this dir
 $dotdir_bak = $dotdir;
 $send_message = "/etc/adduser.message"; # send message to new user
@@ -70,7 +72,7 @@
 $groupname =''; # $groupname{groupname} = gid
 $groupmembers = ''; # $groupmembers{gid} = members of group/kommalist
 $gid = ''; # $gid{gid} = groupname; gid form group db
- @group_comments; # Comments in the group file
+ @group_comments = (); # Comments in the group file
 # shell
 $shell = ''; # $shell{`basename sh`} = sh
@@ -227,7 +229,7 @@
 # read /etc/passwd
 sub passwd_read {
- local($p_username, $pw, $p_uid, $p_gid, $sh, %shlist);
+ local($p_username, $pw, $p_uid, $p_gid, $sh);
 print "Check $etc_passwd\n" if $verbose;
 open(P, "$etc_passwd") || die "$etc_passwd: $!\n";
@@ -526,7 +528,7 @@
 print <<EOF;
 Name: $name
-Password: ****
+Password: **** ($pwdscheme)
 Fullname: $fullname
 Uid: $u_id
 Gid: $g_id ($group_login)
@@ -641,7 +643,7 @@
 sub new_users_password {
 # empty password
- return "" if $defaultpasswd ne "yes";
+ return '*' if $defaultpasswd ne "yes";
 local($password);
@@ -658,15 +660,30 @@
 last if $password eq $newpass;
 print "They didn't match, please try again\n";
 }
- elsif (&confirm_yn("Use an empty password?", "yes")) {
+ elsif (&confirm_yn("Use an empty password?", "no")) {
 last;
 }
+ else {
+ $password = '*';
+ last;
+ }
 }
 return $password;
 }
+sub new_users_pwdscheme {
+
+ local($scheme) = $passwdscheme;
+
+ return $scheme unless $passwdschemeask eq "yes";
+ $scheme = &confirm_list("Password crypt scheme:", 0,
+ $scheme, ("md5", "des"));
+ return $scheme;
+}
+
+
 sub new_users {
 print "\n" if $verbose;
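Review bot: The default flip in `elsif (&confirm_yn("Use an empty password?", "no"))` looks inverted if confirm_yn reports whether the answer matched the default, which is how this patch's own password_scheme reads it (`$changes++ unless $p`, and `$passwdscheme eq "des" && !$p` meaning "deviated from the default"); under that contract pressing Enter or answering "no" now takes `last` with `$password` still empty, creating an account with no password at all, while answering "yes" locks it with '*'. confirm_yn is not visible here, so please check it; if it does return "matched the default", swap the branches: `elsif (&confirm_yn("Use an empty password?", "no")) { $password = '*'; last; } else { last; }`. Independently of that, declining the empty password now ends the loop instead of re-prompting, so someone who hit Enter by mistake has no way back to type a real password; an explicit "Lock the account?" question before assigning '*' would keep that recoverable. The while loop this sits in begins above the hunk.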
@@ -706,13 +723,17 @@
 $new_groups = &new_users_groups($name, $new_groups);
 $password = &new_users_password;
+ $pwdscheme = &new_users_pwdscheme
+ if $password ne "" && $password ne "*";
 if (&new_users_ok) {
 $new_users_ok = 1;
 $cryptpwd = "";
- $cryptpwd = crypt($password, &salt) if $password ne "";
+ $cryptpwd = "*" if $password eq "*";
+ $cryptpwd = crypt($password, &salt)
+ if $password ne "" && $password ne "*";
 # obscure perl bug
 $new_entry = "$name\:" . "$cryptpwd" . "\:$u_id\:$g_id\:$class\:0:0:$fullname:$userhome:$sh";
@@ -746,6 +767,31 @@
 return "no"; # otherwise
 }
+# ask for password scheme
+sub password_scheme {
+ local($p) = $passwdscheme;
+ if ($verbose) {
+ $p = &confirm_yn("Use MD5 passwords", $passwdscheme eq "md5");
+ $changes++ unless $p;
+ }
+ return "md5" if (($passwdscheme eq "md5" && $p) ||
+ ($passwdscheme eq "des" && !$p));
+ return "des"; # otherwise
+}
+
+# ask for password scheme asking
+sub pwd_scheme_ask {
+ local($p) = $passwdschemeask;
+ if ($verbose) {
+ $p = &confirm_yn("Ask for password crypt scheme for each user",
+ $passwdschemeask);
+ $changes++ unless $p;
+ }
+ return "yes" if (($passwdschemeask eq "yes" && $p) ||
+ ($passwdschemeask eq "no" && !$p));
+ return "no"; # otherwise
+}
+
 # misc
 sub check_root {
 die "You are not root!\n" if $< && !$test;
@@ -793,6 +839,8 @@
 local(@itoa64) = ( '0' .. '9', 'a' .. 'z', 'A' .. 'Z' ); # 0 .. 63
 warn "calculate salt\n" if $verbose > 1;
+ # make it unambiguously MD5
+ $salt = '$1$' if $pwdscheme eq "md5";
 # to64
 for ($i = 0; $i < 27; $i++) {
 srand(time + $rand + $$);
@@ -1298,6 +1346,8 @@
 # prepare some variables
 $send_message = "no" unless $send_message;
 $defaultpasswd = "no" unless $defaultpasswd;
+ $passwdscheme = "md5" unless $passwdscheme;
+ $passwdschemeask = "no" unless $passwdschemeask;
 local($shpref) = "'" . join("', '", @shellpref) . "'";
 local($shpath) = "'" . join("', '", @path) . "'";
 local($user_var) = join('', @user_variable_list);
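Review bot: `$pwdscheme` is only assigned when a real password was typed, so for an empty or locked password the global keeps whatever the previous user chose (or is unset for the first user), and that stale value is what the `Password: **** ($pwdscheme)` line in new_users_ok will show; reset it on the other path, e.g. `$pwdscheme = ($password ne "" && $password ne "*") ? &new_users_pwdscheme : "";`. The literal '*' is also an in-band sentinel: a user who actually types `*` as the password gets a locked account instead of `crypt('*', ...)`, which a separate "locked" flag from new_users_password would avoid. The new_users body starts before and continues after this hunk.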
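Review bot: `&confirm_yn("Use MD5 passwords", $passwdscheme eq "md5")` hands confirm_yn a bare boolean as the default, while every other confirm_yn call in this patch passes the strings "yes"/"no" (`&confirm_yn("Ask for password crypt scheme for each user", $passwdschemeask)`); unless confirm_yn also understands 1 and "", the prompt's default will not follow the configured scheme, so pass `$passwdscheme eq "md5" ? "yes" : "no"`. A value in adduser.conf that is neither "md5" nor "des" (say "MD5" or "blowfish") is also never rejected: both return clauses fail, the function quietly answers "des", and `&salt` below tests only `eq "md5"`, so a typo silently selects the weaker DES hash. Normalise with `lc` and warn or refuse on anything else before the prompt, rather than falling back to DES.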
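Review bot: With `$salt = '$1$'` the MD5 salt characters still come from the `for` loop that follows, and the context line `srand(time + $rand + $$);` re-seeds the PRNG on every iteration from the clock and the pid, so the salt is largely predictable; this was already true for the two DES salt characters, but MD5 is now the default and its salt matters more. Seed at most once per run, or better read the salt bytes from /dev/urandom, and keep the '$1$' prefix in front of them. The remainder of salt, including how many of the 27 generated characters are actually used, is outside this hunk, so please confirm the MD5 path ends up with a full-length salt (md5crypt uses up to eight characters, as far as I recall).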
@@ -1318,6 +1368,14 @@
 # defaultpasswd = yes | no
 defaultpasswd = $defaultpasswd
+# password crypt scheme
+# passwdscheme = md5 | des
+passwdscheme = $passwdscheme
+
+# ask for password scheme for each user
+# passwdschemeask = yes | no
+passwdschemeask = $passwdschemeask
+
 # copy dotfiles from this dir ("/usr/share/skel" or "no")
 dotdir = "$dotdir"
@@ -1395,6 +1453,8 @@
 $dotdir = &dotdir_default; # check $dotdir
 $send_message = &message_default; # send message to new user
 $defaultpasswd = &password_default; # maybe use password
+$passwdscheme = &password_scheme; # which password crypt scheme to use
+$passwdschemeask = &pwd_scheme_ask; # ask for pwd crypt scheme for each user
 &config_write(!$verbose); # write variables in file
 # main loop for creating new users
>Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
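Review bot: The generated config still describes `defaultpasswd = yes | no` without saying what "no" now does: new_users_password returns '*' for it, so accounts are created locked rather than with the empty password field (`$cryptpwd = ""`) the old code wrote, and a site that kept `defaultpasswd = no` to get passwordless accounts will see that change on its next run. Document it in the template, e.g. `# defaultpasswd = yes | no  ("no" creates the account locked, i.e. with '*' in the password field)`, and under passwdscheme note that only the two listed values are recognised. The heredoc these lines belong to opens before the hunk.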