From owner-freebsd-security Wed Oct 17 9: 2: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nathan-lane.condo.chico.ca.us (adsl-63-207-239-227.dsl.chic01.pacbell.net [63.207.239.227])
	by hub.freebsd.org (Postfix) with ESMTP id D744037B403
	for ; Wed, 17 Oct 2001 09:01:52 -0700 (PDT)
Received: from [192.168.1.10] (localhost.condo.chico.ca.us [127.0.0.1])
	by nathan-lane.condo.chico.ca.us (8.10.2/8.10.2) with ESMTP id f9HG0R501510;
	Wed, 17 Oct 2001 09:00:27 -0700 (PDT)
Date: Wed, 17 Oct 2001 09:00:26 -0700
From: Fred Condo
To: Max Khon , security@FreeBSD.ORG
Subject: Re: [marck@rinet.ru: Re: adduser and passwords]
Message-ID: <562796.1003309226@[192.168.1.10]>
In-Reply-To: <20011012171022.A24494@iclub.nsu.ru>
References: <20011012171022.A24494@iclub.nsu.ru>
X-Mailer: Mulberry/2.1.0 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

--On Friday 12 October 2001 17:10 +0700 Max Khon wrote:

> hi, there!
>
> Seems like a good idea. I thought just about the same today
> when I was adding user who will be able to login only using DSA auth.
> Any objections if I commit this?

I don't believe this will work. A locked password is a literal '*', not a
crypted *. I believe the correct quick and dirty patch should have this:

    $cryptpwd = crypt($password, &salt) if $password ne "*";

But the question about 'use passwords?' needs to be elaborated so that the
sysadmin can choose 'Yes', 'No', or 'Locked password', and the reply has to
be recorded in the preferences file.

>
> ----- Forwarded message from Dmitry Morozovsky -----
>
> Date: Fri, 12 Oct 2001 13:35:44 +0400 (MSD)
> From: Dmitry Morozovsky
> To: William Wong
> Cc: freebsd-stable@FreeBSD.ORG
> Subject: Re: adduser and passwords
>
> On Fri, 12 Oct 2001, William Wong wrote:
>
> [...]
>
> Here is quick'n'dirty fix to adduser (this should be done more politely,
> sure ;-) to put '*' when password is empty to not open your system with
> passwordless user between adding new user and changing its password.
>
> Index: adduser.perl > =================================================================== > RCS file: /home/ncvs/src/usr.sbin/adduser/adduser.perl,v > retrieving revision 1.44.2.2 > diff -u -r1.44.2.2 adduser.perl > --- adduser.perl 2001/07/30 23:56:48 1.44.2.2 > +++ adduser.perl 2001/10/12 09:35: > @@ -710,7 +710,7 @@ > if (&new_users_ok) { > $new_users_ok = 1; > > - $cryptpwd = ""; > + $cryptpwd = "*"; > $cryptpwd = crypt($password, &salt) if $password ne ""; > # obscure perl bug > $new_entry = "$name\:" . "$cryptpwd" .
>
> ----- End forwarded message -----

--
Fred Condo - fred@condo.chico.ca.us
Repeal the DMCA. Stop censoring Felten & Ferguson.
http://www.macfergus.com/niels/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
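
Review bot: at the changed default `$cryptpwd = "*";` in the -710,7 hunk, an empty `$password` now always yields a locked entry, because the unchanged `crypt($password, &salt) if $password ne "";` line is skipped for it, so a deliberately passwordless account can no longer be requested and nothing tells the admin that the account was locked instead. Suggest a comment on that line stating that "*" is the literal locked marker and not a hash, and making the empty-password case an explicit choice in the prompt and the saved preferences rather than a silent default.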
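
The three password-field states this thread distinguishes (empty, literal '*', crypt() output), shown as an audit over master.passwd-style lines. This is an added example, not code from the thread or from adduser; the 10-field layout, the sample entries and the function names are assumptions made for the example.

```python
# Added example: classify the password field of master.passwd-style entries.
# Assumption: 10 colon-separated fields, password in field 2
# (name:password:uid:gid:class:change:expire:gecos:home_dir:shell).

EMPTY, LOCKED, HASHED, MALFORMED = "empty", "locked", "hashed", "malformed"

# Constructed sample, not taken from a real system.
SAMPLE = """\
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
root:$1$abcdefgh$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh
dsaonly:*:1001:1001::0:0:DSA key user:/home/dsaonly:/bin/sh
newuser::1002:1002::0:0:Just added:/home/newuser:/bin/sh
broken:line
"""


def classify_password_field(field):
    """Return the state of one password field."""
    if field == "":
        return EMPTY    # no password: the window the forwarded fix closes
    if field == "*":
        return LOCKED   # literal '*': no typed password can match it
    # Anything else is treated as crypt() output. A crypted "*" lands here
    # too, since it looks like any other hash and does not lock the account.
    return HASHED


def audit(text):
    """Return (line number, account name, state) for every entry line."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split(":")
        if len(fields) != 10:
            results.append((lineno, fields[0], MALFORMED))
            continue
        results.append((lineno, fields[0], classify_password_field(fields[1])))
    return results


def passwordless_accounts(text):
    """Names of accounts whose password field is empty."""
    return [name for _, name, state in audit(text) if state == EMPTY]


if __name__ == "__main__":
    for lineno, name, state in audit(SAMPLE):
        print(f"line {lineno}: {name}: {state}")
```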