From owner-freebsd-security Wed May 10 6:32:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mercure.univ-ubs.fr (mercure.univ-ubs.fr [194.199.58.4])
    by hub.freebsd.org (Postfix) with ESMTP id 2B05437B7AC
    for ; Wed, 10 May 2000 06:32:34 -0700 (PDT)
    (envelope-from beurton@moorea.univ-ubs.fr)
Received: from moorea.univ-ubs.fr (beurton@moorea.univ-ubs.fr [193.52.49.20])
    by mercure.univ-ubs.fr (8.9.1a/jtpda-5.3.1) with ESMTP id PAA19860
    for ; Wed, 10 May 2000 15:32:12 +0200
Received: (from beurton@localhost)
    by moorea.univ-ubs.fr (8.9.3/8.9.3/$RCSfile: nisdebian-client.mc,v $Revision: 1.2 $) id PAA24088
    for security@FreeBSD.ORG; Wed, 10 May 2000 15:32:00 +0200
Date: Wed, 10 May 2000 15:32:00 +0200
From: "Luc.Beurton"
To: security@FreeBSD.ORG
Subject: Re: envy.vuurwerk.nl daily run output
Message-ID: <20000510153159.A23888@moorea.univ-ubs.fr>
References: <20000509215515.B29766@cc942873-a.ewndsr1.nj.home.com> <20000509150609.L42267@vuurwerk.nl> <20000509215515.B29766@cc942873-a.ewndsr1.nj.home.com> <20000510140053.G46065@vuurwerk.nl> <3.0.5.32.20000510055246.009b9100@infidel.boolean.net> <20000510145508.M46065@vuurwerk.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <20000510145508.M46065@vuurwerk.nl>; from Peter van Dijk on Wed, May 10, 2000 at 02:55:08PM +0200
X-Whois: LB895-ARIN
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Actually, the use of "password" could mask a change... consider
> >
> > < root:(password):0:0::0:0:Charlie &:/root:/usr/local/bin/bash
> > ---
> > > root:(password):0:0::0:0:Charlie &:/root:/usr/local/bin/tcsh
> >
> > The admin would likely assume only the shell has changed even
> > though password may have changed.
>
> Now _there_ is a good point. We need password1/password2 for security.
> Damn.

Maybe the solution could be to crypt the crypted password like this?

awk 'BEGIN{FS=":";OFS=":"}($2){CMD="echo \047"$2"\047 | /sbin/md5";CMD|getline $2;close(CMD)}{print}'

Or add flag -d -f to md5, something like:

diff /var/backup/master.passwd.bak /etc/master.passwd | md5 -d: -f2

I don't know if md5 is secure enough with a small string.

Luc Beurton.
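
The idea discussed in this thread (replace the crypt field with a digest so a password change shows up in the diff without the hash itself being mailed out), as an added example that is not part of the original message. It passes the hash to the digest tool on stdin, so the `$` characters in a `$1$salt$...` field are never interpreted by a shell; the function names and sample lines are constructed, and `md5sum` is assumed where `/sbin/md5` is absent.

```shell
#!/bin/sh
# Added example, not from the thread. All sample account lines are constructed.

# digest: print the hex MD5 of stdin (md5sum on Linux, md5 on FreeBSD).
digest() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        md5 -q
    fi
}

# mask_passwd FILE: print FILE with every non-empty password field (field 2)
# replaced by its digest. Comment lines and lines without a second field
# pass through unchanged.
mask_passwd() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \#*) ;;                                   # comment line
            *:*:*)
                user=${line%%:*}; rest=${line#*:}     # split off field 1
                hash=${rest%%:*}; tail=${rest#*:}     # split off field 2
                [ -n "$hash" ] && hash=$(printf '%s' "$hash" | digest)
                line="${user}:${hash}:${tail}" ;;
        esac
        printf '%s\n' "$line"
    done < "$1"
}

# masked_diff OLD NEW: diff the masked forms; returns diff's exit status.
masked_diff() {
    tmp=$(mktemp -d) || return 2
    mask_passwd "$1" > "$tmp/old"
    mask_passwd "$2" > "$tmp/new"
    rc=0; diff "$tmp/old" "$tmp/new" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# demo: constructed case where both the password hash and the shell changed.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'root:$1$saltAAAA$constructedHashOne:0:0::0:0:Charlie &:/root:/usr/local/bin/bash' > "$d/bak"
    printf '%s\n' 'root:$1$saltBBBB$constructedHashTwo:0:0::0:0:Charlie &:/root:/usr/local/bin/tcsh' > "$d/cur"
    drc=0; masked_diff "$d/bak" "$d/cur" || drc=$?
    rm -rf "$d"
    return "$drc"
}
demo || true
```

In the demo output the second field differs between the `<` and `>` lines, so the password change is visible next to the shell change.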