From owner-freebsd-bugs Mon Jan 14 10:20:30 2002
Message-Id: <200201141816.g0EIGNC53786@woozle.rinet.ru>
Date: Mon, 14 Jan 2002 21:16:23 +0300 (MSK)
From: Dmitry Morozovsky
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: bin/33881: adduser additions: selectable crypt scheme; empty passwords

>Number: 33881
>Category: bin
>Synopsis: adduser additions: selectable crypt scheme; empty passwords
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 14 10:20:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Dmitry Morozovsky
>Release: FreeBSD 4-STABLE i386
>Organization: Cronyx Plus LLC (RiNet ISP)
>Environment:
System: FreeBSD 4-STABLE as of November 2001

>Description:
Currently, adduser(8) can't handle selecting password crypt schemes because there is no interface to login capabilities nor crypt_set_format(). This leads to unconditionally des-crypted passwords for newly added users, which is (I suppose) mostly unsuitable.

This patch provides a selectable password crypt scheme (written in the config file) as well as the ability to ask for the scheme for each new user.

Also, it would be frequently useful to set the crypted password to '*' when the password field is empty -- so the behaviour of the question "Do you want to use empty password" has been changed accordingly. Possibly, this should be made more user-friendly and/or selectable.

>How-To-Repeat:
Add a new user via adduser(8) with passwd_format=md5 in /etc/login.conf. Then, the crypted password will be in des format.

>Fix:
Index: adduser.perl =================================================================== RCS file: /home/ncvs/src/usr.sbin/adduser/adduser.perl,v retrieving revision 1.44.2.3 diff -u -r1.44.2.3 adduser.perl --- adduser.perl 2001/10/15 13:43:18 1.44.2.3 +++ adduser.perl 2002/01/14 17:39:25 
@@ -31,6 +31,8 @@ sub variables { $verbose = 1; # verbose = [0-2] $defaultpasswd = "yes"; # use password for new users + $passwdscheme = "md5"; # password scheme (md5/des) + $passwdschemeask = "no"; # ask for password scheme in normal case $dotdir = "/usr/share/skel"; # copy dotfiles from this dir $dotdir_bak = $dotdir; $send_message = "/etc/adduser.message"; # send message to new user @@ -70,7 +72,7 @@ $groupname =''; # $groupname{groupname} = gid $groupmembers = ''; # $groupmembers{gid} = members of group/kommalist $gid = ''; # $gid{gid} = groupname; gid form group db - @group_comments; # Comments in the group file + @group_comments = (); # Comments in the group file # shell $shell = ''; # $shell{`basename sh`} = sh @@ -227,7 +229,7 @@ # read /etc/passwd sub passwd_read { - local($p_username, $pw, $p_uid, $p_gid, $sh, %shlist); + local($p_username, $pw, $p_uid, $p_gid, $sh); print "Check $etc_passwd\n" if $verbose; open(P, "$etc_passwd") || die "$etc_passwd: $!\n"; @@ -526,7 +528,7 @@ print < 1; + # make it unambiguously MD5 + $salt = '$1$' if $pwdscheme eq "md5"; # to64 for ($i = 0; $i < 27; $i++) { srand(time + $rand + $$); @@ -1298,6 +1346,8 @@ # prepare some variables $send_message = "no" unless $send_message; $defaultpasswd = "no" unless $defaultpasswd; + $passwdscheme = "md5" unless $passwdscheme; + $passwdschemeask = "no" unless $passwdschemeask; local($shpref) = "'" . join("', '", @shellpref) . "'"; local($shpath) = "'" . join("', '", @path) . "'"; local($user_var) = join('', @user_variable_list); @@ -1318,6 +1368,14 @@ # defaultpasswd = yes | no defaultpasswd = $defaultpasswd +# password crypt scheme +# passwdscheme = md5 | des +passwdscheme = $passwdscheme + +# ask for password scheme for each user +# passwdschemeask = yes | no +passwdschemeask = $passwdschemeask + # copy dotfiles from this dir ("/usr/share/skel" or "no") dotdir = "$dotdir" 
@@ -1395,6 +1453,8 @@ $dotdir = &dotdir_default; # check $dotdir $send_message = &message_default; # send message to new user $defaultpasswd = &password_default; # maybe use password +$passwdscheme = &password_scheme; # which password crypt scheme to use +$passwdschemeask = &pwd_scheme_ask; # ask for pwd crypt scheme for each user &config_write(!$verbose); # write variables in file # main loop for creating new users >Release-Note: >Audit-Trail: >Unformatted:
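
Review bot: in the `variables` hunk (@@ -31,6 +31,8 @@) the default `$passwdscheme = "md5";` creates a second, adduser-local setting next to `passwd_format` in /etc/login.conf, which the report names as the value being ignored; after this change the two can still disagree without any warning. Since the script has no interface to login capabilities, say so in the comment that the config-file hunk writes out (`# passwdscheme = md5 | des`), so an administrator who sets one knows the other is not consulted.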
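
Review bot: the salt hunk tests `$pwdscheme eq "md5"`, while every other added line in this patch names the setting `$passwdscheme`. If `$pwdscheme` is not assigned in the part of that hunk which is not visible here, the condition is never true and the salt never receives the `$1$` prefix, leaving new accounts on DES, which is the behaviour this report set out to change. Confirm the variable is set in scope (for example the per-user answer falling back to `$passwdscheme`) or test `$passwdscheme` directly.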
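
Review bot: `$passwdscheme = "md5" unless $passwdscheme;` in the @@ -1298,6 +1346,8 @@ hunk only fills in an empty value; nothing in the visible lines rejects a value other than `md5` or `des`. Because the salt code adds `$1$` only on an exact match with "md5", a misspelt or differently cased value in the config file would silently select DES. Check the value against the two documented choices at this point and either fall back to md5 with a warning or stop.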
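
Review bot: the `@group_comments = ();` change (@@ -70,7 +72,7 @@) and the removal of `%shlist` from the `local()` list in `passwd_read` (@@ -227,7 +229,7 @@) are unrelated to crypt scheme selection. Submit them as a separate cleanup so that this change-request can be reviewed, merged and backed out on its own.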