Date: Sun, 30 Jun 2002 00:00:17 -0700 (PDT)
Message-Id: <200206300700.g5U70HGh079676@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Volker Stolz
Subject: Re: i386/34010: keyinit takes passwords less than 10 chars, but opiekey forces you to 10 or more

The following reply was made to PR i386/34010; it has been noted by GNATS.

From: Volker Stolz
To: freebsd-gnats-submit@FreeBSD.org
Cc: markm@FreeBSD.org, steve@stevenwills.com
Subject: Re: i386/34010: keyinit takes passwords less than 10 chars, but opiekey forces you to 10 or more
Date: Sun, 30 Jun 2002 08:52:41 +0200

--k1lZvvs/B4yU6o8G
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

> How-To-Repeat
> run keyinit, set a password of 6 characters. run opiekey

[That's not really 'i386' but 'bin']

The man page claims that opie should be downwards compatible to the
older s/key stuff. OPIE uses a single header file opie.h to define the
limits on passphrases. 'keyinit' has them hardcoded in
src/usr.bin/keyinit/skeyinit.c. A quick check after recompiling opie
with a lower length limit shows that 'opiekey -4' is indeed compatible
to 'key'.

I really don't see why '[opie]key' should enforce any restriction on the
passphrase; it should be sufficient to do this when initializing the key
database. Unluckily, the function 'opiepasscheck' doing the length check
is in libopie and used by all parts of the opie system. A separate
version for opiekey would be required and wouldn't help on other OPIE
installations.

It is much easier to change FreeBSD's in-tree s/key stuff: There the
length checks are separated, so it'd be possible to raise the minimum
passphrase length for new keys w/o breaking existing keys. However, this
would still give the same error with already existing s/key databases
which were installed using a smaller passphrase. In the long run, this
would prevent this kind of accident from happening.

Regards,
Volker

--k1lZvvs/B4yU6o8G
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="skey.diff"

--- src/usr.bin/keyinit/skeyinit.c.orig Sun Jun 30 08:47:44 2002 +++ src/usr.bin/keyinit/skeyinit.c Sun Jun 30 08:48:52 2002 
@@ -152,7 +152,9 @@ if(passwd2[0] == '\0'){ exit(1); } - if(strlen(passwd) < 4 && strlen(passwd2) < 4) { + /* To be compatible with OPIE, require at least + 10 characters. */ + if(strlen(passwd) < 10 && strlen(passwd2) < 10) { fprintf(stderr, "Sorry your password must be longer\n\r"); exit(1); } --k1lZvvs/B4yU6o8G-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
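
Review bot: the new length test in skeyinit.c keeps the `&&` from the old line, so `if(strlen(passwd) < 10 && strlen(passwd2) < 10)` rejects only when both strings are shorter than 10 characters. Nothing in the hunk shows passwd and passwd2 being compared before this point, so unless that happens earlier the test should use `||`, or check passwd alone once the two entries are known to match. The literal 10 is also a second hardcoded copy of a limit that, per the message above, OPIE defines in opie.h; a named constant with a comment pointing at that header would make it harder for the two to drift apart again. The error text "Sorry your password must be longer" does not say how long, and adding the minimum would help users who were previously accepted at 4 to 9 characters. As the message notes, databases already initialized with shorter passphrases still hit the opiekey restriction, which is worth stating in the code comment or the commit log.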