Date: Sun, 30 Jun 2002 00:00:17 -0700 (PDT) From: Volker Stolz <vs@foldr.org> To: freebsd-bugs@FreeBSD.org Subject: Re: i386/34010: keyinit takes passwords less than 10 chars, but opiekey forces you to 10 or more Message-ID: <200206300700.g5U70HGh079676@freefall.freebsd.org>
The following reply was made to PR i386/34010; it has been noted by GNATS.
From: Volker Stolz <vs@foldr.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc: markm@FreeBSD.org, steve@stevenwills.com
Subject: Re: i386/34010: keyinit takes passwords less than 10 chars, but opiekey forces you to 10 or more
Date: Sun, 30 Jun 2002 08:52:41 +0200
> How-To-Repeat
> run keyinit, set a password of 6 characters. run opiekey
[That's not really 'i386' but 'bin']
The man page claims that opie should be downwards compatible
with the older s/key stuff.
OPIE uses a single header file opie.h to define the limits on
passphrases. 'keyinit' has them hardcoded in
src/usr.bin/keyinit/skeyinit.c. A quick check after recompiling
opie with a lower length limit shows that 'opiekey -4' is
indeed compatible with 'key'.
I really don't see why '[opie]key' should enforce any restriction
on the passphrase; it should be sufficient to do this when
initializing the key database.
Unluckily, the function 'opiepasscheck' doing the length check
is in libopie and used by all parts of the opie system. A separate
version for opiekey would be required and wouldn't help on other
OPIE installations.
It is much easier to change FreeBSD's in-tree s/key stuff:
There the length checks are separated, so it'd be possible to
raise the minimum passphrase length for new keys w/o breaking
existing keys. However, this would still give the same error with
already existing s/key databases which were installed using a
smaller passphrase. In the long run, this would prevent this kind
of accident from happening.
Regards,
Volker
Content-Disposition: attachment; filename="skey.diff"
--- src/usr.bin/keyinit/skeyinit.c.orig Sun Jun 30 08:47:44 2002
+++ src/usr.bin/keyinit/skeyinit.c Sun Jun 30 08:48:52 2002
@@ -152,7 +152,9 @@
if(passwd2[0] == '\0'){
exit(1);
}
- if(strlen(passwd) < 4 && strlen(passwd2) < 4) {
+ /* To be compatible with OPIE, require at least
+ 10 characters. */
+ if(strlen(passwd) < 10 && strlen(passwd2) < 10) {
fprintf(stderr, "Sorry your password must be longer\n\r");
exit(1);
}
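Review bot: the changed condition joins the two length tests with `&&`, so the new minimum of 10 is enforced only when both `passwd` and `passwd2` are short; a 6-character `passwd` paired with a 10-character `passwd2` gets past this check. Unless the two entries are compared for equality outside this hunk, test the value that is actually stored, e.g. `if (strlen(passwd) < 10)`, or use `||`. The literal 10 also duplicates the limit that, per the mail, OPIE takes from opie.h; a named constant with a comment pointing at that header would keep the two from drifting apart, and the error message could state the required minimum so the user knows what length to choose.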
