NetBSD Problem Report #46226
From www@NetBSD.org Mon Mar 19 09:17:20 2012
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id C5D5D63E369
for <gnats-bugs@gnats.NetBSD.org>; Mon, 19 Mar 2012 09:17:19 +0000 (UTC)
Message-Id: <20120319091719.266C663B946@www.NetBSD.org>
Date: Mon, 19 Mar 2012 09:17:19 +0000 (UTC)
From: wlsidorenko@gmail.com
Reply-To: wlsidorenko@gmail.com
To: gnats-bugs@NetBSD.org
Subject: underscore character ignored at the end of password
X-Send-Pr-Version: www-1.0
>Number: 46226
>Category: bin
>Synopsis: underscore character ignored at the end of password
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: martin
>State: analyzed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Mar 19 09:20:00 +0000 2012
>Closed-Date:
>Last-Modified: Mon Mar 19 16:08:16 +0000 2012
>Originator: Vladimir Sidorenko
>Release: 5.1
>Organization:
IMB
>Environment:
NetBSD sidorenko.imb.invention.com 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov 7 14:39:56 UTC 2010 builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/ab/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
>Description:
It seems that the underscore character is ignored at the end of one's password. For example, if I set a password for user xxx to
1suirrel_
I'm able to do `su xxx' by just typing
1suirrel
And `1suirrel_' works too. Though when underscore is used at the beginning of password it seemingly isn't ignored.
/etc/passwd.conf is default as it came with the base system
>cat /etc/passwd.conf
# $NetBSD: passwd.conf,v 1.2 2002/04/15 07:48:00 ad Exp $
#
# passwd.conf(5) -
# password configuration file
#
#default:
# localcipher = md5
# ypcipher = old
>How-To-Repeat:
1) set new password for user xxx
xxx>passwd
Old password:
New password: 1suirrel_
Retype new password: 1suirrel_
2) su to user yyy
3) try to su to xxx again and type 1suirrel as password
yyy> whoami
yyy
yyy> su xxx
Password: 1suirrel
xxx>whoami
xxx
>Fix:
>Release-Note:
>Audit-Trail:
From: Thomas Klausner <wiz@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/46226: underscore character ignored at the end of password
Date: Mon, 19 Mar 2012 10:32:13 +0100
I think depending on your config, only the first 8 characters of the password are used.
Thomas
From: Manuel Bouyer <bouyer@antioche.eu.org>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: bin/46226: underscore character ignored at the end of password
Date: Mon, 19 Mar 2012 11:35:57 +0100
On Mon, Mar 19, 2012 at 09:20:01AM +0000, wlsidorenko@gmail.com wrote:
> It seems that the underscore character is ignored at the end of one's password. For example, if I set a password for user xxx to
>
> 1suirrel_
>
> I'm able to do `su xxx' by just typing
>
> 1suirrel
>
> And `1suirrel_' works too. Though when underscore is used at the beginning of password it seemingly isn't ignored.
>
> /etc/passwd.conf is default as it came with the base system
> >cat /etc/passwd.conf
> # $NetBSD: passwd.conf,v 1.2 2002/04/15 07:48:00 ad Exp $
> #
> # passwd.conf(5) -
> # password configuration file
> #
>
> #default:
> # localcipher = md5
> # ypcipher = old
>
I think that, by default, localcipher is 'old'. With this cipher, only
the first 8 characters of the password are used. So in your test case,
it's the 9th character which is ignored, whatever it is.
--
Manuel Bouyer <bouyer@antioche.eu.org>
NetBSD: 26 years of experience will always make the difference
--
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/46226: underscore character ignored at the end of password
Date: Mon, 19 Mar 2012 11:19:40 +0000
On Mon, Mar 19, 2012 at 10:40:05AM +0000, Manuel Bouyer wrote:
> I think that, by default, localcipher is 'old'. With this cipher, only
> the first 8 characters of the password are used. So in your test case,
> it's the 9th character which is ignored, whatever it is.
If so, is there any reason we shouldn't change that? Neither the old
cipher nor 8-character passwords are a very good choice these days.
--
David A. Holland
dholland@netbsd.org
From: Manuel Bouyer <bouyer@antioche.eu.org>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org, wlsidorenko@gmail.com
Subject: Re: bin/46226: underscore character ignored at the end of password
Date: Mon, 19 Mar 2012 12:53:25 +0100
On Mon, Mar 19, 2012 at 11:20:06AM +0000, David Holland wrote:
> On Mon, Mar 19, 2012 at 10:40:05AM +0000, Manuel Bouyer wrote:
> > I think that, by default, localcipher is 'old'. With this cipher, only
> > the first 8 characters of the password are used. So in your test case,
> > it's the 9th character which is ignored, whatever it is.
>
> If so, is there any reason we shouldn't change that? Neither the old
> cipher nor 8-character passwords are a very good choice these days.
AFAIK sysinst will choose sha1 cipher by default, and install an
appropriate passwd.conf. I'm not sure changing existing passwd.conf on
upgrade, nor changing the default cipher when no passwd.conf is
present is a good idea. This could give unexpected results for
users upgrading an existing system.
--
Manuel Bouyer <bouyer@antioche.eu.org>
NetBSD: 26 years of experience will always make the difference
--
From: Wladimir Sidorenko <wlsidorenko@gmail.com>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: bin/46226: underscore character ignored at the end of password
Date: Mon, 19 Mar 2012 13:57:44 +0200
Dear all,
Thank you very much for your answers. Indeed, after I removed the
comments from my /etc/passwd.conf file and left
default:
localcipher = md5
the whole new password was considered, including the 9th character. I beg
your pardon for this trouble. Unfortunately, I couldn't find any mention of
this limitation either in the man page for passwd or in the one for passwd.conf. A
friend of mine told me that this limit could have been mentioned during the
installation procedure, but I can't remember now whether it was.
2012/3/19 David Holland <dholland-bugs@netbsd.org>
> The following reply was made to PR bin/46226; it has been noted by GNATS.
>
> From: David Holland <dholland-bugs@netbsd.org>
> To: gnats-bugs@NetBSD.org
> Cc:
> Subject: Re: bin/46226: underscore character ignored at the end of password
> Date: Mon, 19 Mar 2012 11:19:40 +0000
>
> On Mon, Mar 19, 2012 at 10:40:05AM +0000, Manuel Bouyer wrote:
> > I think that, by default, localcipher is 'old'. With this cipher, only
> > the first 8 characters of the password are used. So in your test case,
> > it's the 9th character which is ignored, whatever it is.
>
> If so, is there any reason we shouldn't change that? Neither the old
> cipher nor 8-character passwords are a very good choice these days.
>
> --
> David A. Holland
> dholland@netbsd.org
>
>
From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/46226: underscore character ignored at the end of password
Date: Mon, 19 Mar 2012 08:21:46 -0400
On Mon, 19 Mar 2012 13:57:44 +0200
Wladimir Sidorenko <wlsidorenko@gmail.com> wrote:
> The whole new password was considered, including the 9th character. I beg
> your pardon for this trouble. Unfortunately, I couldn't find any mention of
> this limitation either in the man page for passwd or in the one for passwd.conf. A
> friend of mine told me that this limit could have been mentioned during the
> installation procedure, but I can't remember now whether it was.
If you installed using the installer, I'm surprised that old was the
default, however.
But this topic was recently discussed on IRC and it seems that most
people would prefer sysinst to stop asking which cipher to use in the
future and default to sha1.
I think that I agree, as crypt(3) is backwards-compatible (supports
various hash types and can recognize them), and someone who wants to
generate a password database for an old or specific system can do so by
manually configuring passwd.conf(5).
However, it seems that for some modern systems the default number of
rounds is small. Raising it would, however, affect login performance
considerably on slow systems. I wonder if it'd make sense to
consider using a bogomips-type heuristic in sysinst to set a decent
value...
--
Matt
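The suggestion above, that the installer size the sha1 cipher's round count to the machine instead of shipping one small default, can be sketched as a timing-based calibration. The following is an added example written for this page, not NetBSD or sysinst code: hashlib.pbkdf2_hmac stands in for NetBSD's crypt_sha1() as the key-stretching function, the floor value is constructed, and the `sha1,<rounds>` spelling of the passwd.conf entry is an assumption.

```python
"""Choose a password-hash round count by measuring the host.

Added example, not NetBSD or sysinst code. The thread suggests a bogomips-style
heuristic in sysinst so that the sha1 cipher's rounds suit the machine; this
sketch measures wall-clock time instead. hashlib.pbkdf2_hmac is a stand-in
key-stretching function, not NetBSD's crypt_sha1(); the floor value and the
'sha1,<rounds>' passwd.conf spelling are assumptions.
"""
import hashlib
import os
import time


def measure_pbkdf2(rounds):
    """Seconds for one stand-in hash at `rounds` (salt and password constructed)."""
    salt = os.urandom(8)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha1", b"constructed-password", salt, rounds)
    return time.perf_counter() - start


def calibrate_rounds(target_seconds, cost_fn=measure_pbkdf2, floor=1000, ceiling=1 << 24):
    """Largest floor * 2**k (<= ceiling) whose measured cost stays within target.

    Never returns less than `floor`: a slow machine gets the floor even if that
    exceeds the target, so a weak host cannot talk itself into a trivial count.
    `cost_fn` is injectable so the selection logic can be tested without timing.
    """
    rounds = floor
    while rounds * 2 <= ceiling and cost_fn(rounds * 2) <= target_seconds:
        rounds *= 2
    return rounds


def passwd_conf_line(rounds):
    """The default: entry this would write (assumed 'sha1,<rounds>' spelling)."""
    return "default:\n\tlocalcipher = sha1,%d\n" % rounds


if __name__ == "__main__":
    chosen = calibrate_rounds(0.05)   # aim for ~50 ms per login check on this host
    print("host-calibrated rounds:", chosen)
    print(passwd_conf_line(chosen), end="")
```

Doubling and stopping at the first count that overshoots keeps the measurement cheap (a handful of hashes) and gives a result that is at most a factor of two below the target; the floor is the control that matters, since a calibration that could return an arbitrarily small count on a slow host would defeat the purpose of raising the default.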
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
wlsidorenko@gmail.com
Cc:
Subject: Re: bin/46226: underscore character ignored at the end of password
Date: Mon, 19 Mar 2012 09:08:22 -0400
On Mar 19, 11:20am, dholland-bugs@netbsd.org (David Holland) wrote:
-- Subject: Re: bin/46226: underscore character ignored at the end of passwor
| The following reply was made to PR bin/46226; it has been noted by GNATS.
|
| From: David Holland <dholland-bugs@netbsd.org>
| To: gnats-bugs@NetBSD.org
| Cc:
| Subject: Re: bin/46226: underscore character ignored at the end of password
| Date: Mon, 19 Mar 2012 11:19:40 +0000
|
| On Mon, Mar 19, 2012 at 10:40:05AM +0000, Manuel Bouyer wrote:
| > I think that, by default, localcipher is 'old'. With this cipher, only
| > the first 8 characters of the password are used. So in your test case,
| > it's the 9th character which is ignored, whatever it is.
|
| If so, is there any reason we shouldn't change that? Neither the old
| cipher nor 8-character passwords are a very good choice these days.
We should make a note about NIS compatibility and change the default to
something more reasonable.
christos
From: Martin Husemann <martin@duskware.de>
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@NetBSD.org
Subject: Re: bin/46226: underscore character ignored at the end of password
Date: Mon, 19 Mar 2012 14:36:42 +0100
On Mon, Mar 19, 2012 at 09:08:22AM -0400, Christos Zoulas wrote:
> We should make a note about NIS compatibility and change the default to
> something more reasonable.
The default *is* sha1 for new installs, with
default:
localcipher = sha1
ypcipher = old
in /etc/passwd.conf.
Martin
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
wlsidorenko@gmail.com
Cc:
Subject: Re: bin/46226: underscore character ignored at the end of password
Date: Mon, 19 Mar 2012 10:49:59 -0400
On Mar 19, 1:40pm, martin@duskware.de (Martin Husemann) wrote:
-- Subject: Re: bin/46226: underscore character ignored at the end of passwor
| The following reply was made to PR bin/46226; it has been noted by GNATS.
|
| From: Martin Husemann <martin@duskware.de>
| To: Christos Zoulas <christos@zoulas.com>
| Cc: gnats-bugs@NetBSD.org
| Subject: Re: bin/46226: underscore character ignored at the end of password
| Date: Mon, 19 Mar 2012 14:36:42 +0100
|
| On Mon, Mar 19, 2012 at 09:08:22AM -0400, Christos Zoulas wrote:
| > We should make a note about NIS compatibility and change the default to
| > something more reasonable.
|
| The default *is* sha1 for new installs, with
|
| default:
| localcipher = sha1
| ypcipher = old
|
| in /etc/passwd.conf.
|
| Martin
I meant the default for existing installs too. Otherwise people who
keep upgrading will never get the option to use the new ciphers.
christos
From: Martin Husemann <martin@duskware.de>
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@NetBSD.org
Subject: Re: bin/46226: underscore character ignored at the end of password
Date: Mon, 19 Mar 2012 15:58:52 +0100
On Mon, Mar 19, 2012 at 10:49:59AM -0400, Christos Zoulas wrote:
> I meant the default for existing installs too. Otherwise people who
> keep upgrading will never get the option to use the new ciphers.
You mean: on updates, check if localcipher in /etc/passwd.conf != sha1,
if so ask:
"If you do not have a strong reason to keep ${oldcipher} for encryption
of local passwords, I would love to fix it (to sha1) for you.
Shall I fix it?"
And then just edit that line?
Martin
P.S.: please feel free to provide a better version of the text; if Julian
does not beat me to it, I'll have a look at adding that to sysinst ;-)
From: christos@zoulas.com (Christos Zoulas)
To: Martin Husemann <martin@duskware.de>
Cc: gnats-bugs@NetBSD.org
Subject: Re: bin/46226: underscore character ignored at the end of password
Date: Mon, 19 Mar 2012 12:04:46 -0400
On Mar 19, 3:58pm, martin@duskware.de (Martin Husemann) wrote:
-- Subject: Re: bin/46226: underscore character ignored at the end of passwor
| On Mon, Mar 19, 2012 at 10:49:59AM -0400, Christos Zoulas wrote:
| > I meant the default for existing installs too. Otherwise people who
| > keep upgrading will never get the option to use the new ciphers.
|
| You mean: on updates, check if localcipher in /etc/passwd.conf != sha1,
| if so ask:
|
| "If you do not have a strong reason to keep ${oldcipher} for encryption
| of local passwords, I would love to fix it (to sha1) for you.
| Shall I fix it?"
|
| And then just edit that line?
|
|
| Martin
| P.S.: please feel free to provide a better version of the text; if Julian
| does not beat me to it, I'll have a look at adding that to sysinst ;-)
You are still using the old cipher ${cipher}. This cipher limits passwords
to 8 characters, is weak, and required only if you are using NIS. Would
you like me to change it to ${newcipher} for you?
christos
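Two things in this thread lend themselves to a small offline check: Manuel's diagnosis that an all-commented passwd.conf leaves localcipher at 'old', which keeps only the first 8 characters, together with Martin's note that new installs write `localcipher = sha1`; and the upgrade step Martin and Christos sketch, which inspects the active localcipher and rewrites that one line. The following is an added example written for this page, not NetBSD or sysinst code. The hash-prefix table (`$1$` md5, `$sha1$` NetBSD sha1, `$2a$` blowfish), the rule that a bare 13-character DES string is the 'old' cipher, and the sample passwd.conf and master.passwd contents are assumptions and constructed data; the hash strings are placeholders.

```python
"""Audit which local accounts still use the 8-character 'old' cipher, and make
the passwd.conf edit an upgrade step could offer.

Added example, not NetBSD or sysinst code. Assumptions: a bare 13-character
hash over [./0-9A-Za-z] is the traditional DES 'old' cipher, '$1$' is md5,
'$sha1$' is NetBSD's sha1 crypt, '$2a$' is blowfish; an absent or commented-out
localcipher means 'old', as the thread states. The sample files are constructed
and their password fields are placeholders, not real hashes.
"""
import re

DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIXES = {"$1$": "md5", "$sha1$": "sha1", "$2a$": "blowfish"}


def classify_hash(h):
    """Name the cipher a master.passwd(5) password field was produced with."""
    if h == "" or h.startswith("*"):          # empty or locked entry
        return "locked"
    for prefix, name in PREFIXES.items():
        if h.startswith(prefix):
            return name
    return "old" if DES_HASH.match(h) else "unknown"


def parse_passwd_conf(text):
    """Return {section: {key: value}} for the active (uncommented) lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def effective_localcipher(conf_text):
    """What passwd(1) will use: the default: entry, or 'old' when none is active."""
    return parse_passwd_conf(conf_text).get("default", {}).get("localcipher", "old")


def audit_master_passwd(passwd_text):
    """Map user -> cipher name, so accounts limited to 8 characters can be found."""
    result = {}
    for raw in passwd_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) >= 2:
            result[fields[0]] = classify_hash(fields[1])
    return result


def stale_accounts(passwd_text):
    """Users whose stored hash was made with the truncating 'old' cipher."""
    return [user for user, cipher in audit_master_passwd(passwd_text).items() if cipher == "old"]


def upgrade_localcipher(conf_text, newcipher="sha1"):
    """Rewrite (or add) the default: localcipher line. Returns (new_text, old_cipher)."""
    old = effective_localcipher(conf_text)
    if old == newcipher:
        return conf_text, old
    out, current, default_at, replaced = [], None, None, False
    for raw in conf_text.splitlines():
        code = raw.split("#", 1)[0].strip()
        if code.endswith(":"):
            current = code[:-1]
            if current == "default":
                default_at = len(out)
        elif (current == "default" and "=" in code
              and code.split("=", 1)[0].strip() == "localcipher"):
            raw, replaced = "\tlocalcipher = " + newcipher, True
        out.append(raw)
    if not replaced:
        new_line = "\tlocalcipher = " + newcipher
        if default_at is None:
            out += ["default:", new_line]       # no active default: block at all
        else:
            out.insert(default_at + 1, new_line)
    return "\n".join(out) + "\n", old


# Constructed samples: the reporter's all-commented passwd.conf and a new-install one.
REPORTER_CONF = "# passwd.conf(5) -\n#default:\n#\tlocalcipher = md5\n#\typcipher = old\n"
NEW_INSTALL_CONF = "default:\n\tlocalcipher = sha1\n\typcipher = old\n"
# Constructed master.passwd lines; each password field is a placeholder in that format.
MASTER_PASSWD = "\n".join([
    "root:abJnggxhB/yWI:0:0::0:0:Charlie &:/root:/bin/sh",
    "xxx:DEScryptPLACE:1000:100::0:0:Test User:/home/xxx:/bin/sh",
    "yyy:$1$saltsalt$placeholderMD5hash:1001:100::0:0::/home/yyy:/bin/sh",
    "zzz:$sha1$20000$saltsalt$placeholderSHA1hash:1002:100::0:0::/home/zzz:/bin/sh",
    "nobody:*************:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin",
])

if __name__ == "__main__":
    print("effective localcipher:", effective_localcipher(REPORTER_CONF))
    print("accounts still on the 8-character cipher:", stale_accounts(MASTER_PASSWD))
    new_conf, was = upgrade_localcipher(REPORTER_CONF)
    print("was %s, rewritten passwd.conf:\n%s" % (was, new_conf), end="")
```

Note that changing localcipher only affects passwords set from then on; the audit over master.passwd is what tells you which existing accounts still carry a truncated hash and need a password change before the 9th character (or anything after it) starts to count.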
Responsible-Changed-From-To: bin-bug-people->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Mon, 19 Mar 2012 16:08:16 +0000
Responsible-Changed-Why:
I will look at it
State-Changed-From-To: open->analyzed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Mon, 19 Mar 2012 16:08:16 +0000
State-Changed-Why:
We understand what needs fixing
>Unformatted:
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.