Bugtraq mailing list archives
Re: RH 6.0 shadow passwords and locking users bug
From: bandregg () REDHAT COM (bandregg () REDHAT COM)
Date: Thu, 2 Sep 1999 09:10:58 -0400
[[root@sideshow /root]# rpm -q shadow-utils
shadow-utils-980403-12
[[root@sideshow /root]# rpm -q pam
pam-0.66-18

Which are standard with 6.0 and I cannot reproduce this problem.

On Mon, 30 Aug 1999 14:07:35 -0700, Prince Ctrl wrote:
Aleph,

I do not know whether this has been reported to the list, so I thought I'd throw it out and see if anyone may know of a solution, and/or care to have a technical discussion concerning this bug.

When administering a Red Hat 6.0 server and locking users with the 'passwd -l <user>' command, and then unlocking a user with the 'passwd -u <user>' command, a control character is added to the end of a user's encrypted password in the form of a "^Q" in the shadowed passwd file. In our tests, we have found that this only occurs once the user has been "unlocked". It happens whether you are using MD5 encryption or DES...it doesn't matter.

I have forwarded this to our Sr. Systems Administrator who said he was going to contact Red Hat today. Confirmation of that call is unknown.

OS affected/tested: Red Hat 6.0

Possible problem: It could either be the fact that the 'passwd' binary is actually adding ^Q to the end of a user's encrypted password, or it may be something with the way pam is handling this. I know that pam has some .so files which deal with shadowed passwords, but I am no pam expert, so if anyone has some suggestions, corrections, etc., please inform me...

Possible solution: Unknown

If anyone has any ideas on how to fix this, please let me know...

===
PrinceC
Security Administrator
princectrl () rocketmail com
--
Bryan C. Andregg * <bandregg () redhat com> * Red Hat, Inc.
1024/625FA2C5 F5 F3 DC 2E 8E AF 26 B0 2C 31 78 C2 6C FB 02 77
1024/0x46E7A8A2 46EB 61B1 71BD 2960 723C 38B6 21E4 23CC 46E7 A8A2
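A check an administrator could run for the symptom reported in this thread (a control character such as ^Q in the encrypted password field of the shadow file), as an added example that is not part of the original messages. The function names, the sample entries and their hashes are constructed for illustration, and it assumes the colon-separated shadow layout with crypt hashes drawn from `[a-zA-Z0-9./$]`.

```python
import string
import sys

# crypt(3) output alphabet, plus "$" for the $1$salt$hash (MD5) prefix.
CRYPT_ALPHABET = set(string.ascii_letters + string.digits + "./$")
# Password-field values that are not hashes (empty, disabled, locked).
PLACEHOLDERS = {"", "*", "x", "!", "!!"}


def caret(ch):
    """Render a character for a report; control bytes use caret form (0x11 -> ^Q)."""
    code = ord(ch)
    if code < 0x20:
        return "^" + chr(code + 0x40)
    return "^?" if code == 0x7F else repr(ch)


def audit_shadow(lines):
    """Return (line_number, user, [bad characters]) for suspect password fields."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        fields = raw.rstrip("\n").split(":")
        if len(fields) < 2 or fields[1] in PLACEHOLDERS:
            continue
        # Assumption: a locked account keeps its hash behind leading "!" marks.
        body = fields[1].lstrip("!")
        bad = [caret(c) for c in body if c not in CRYPT_ALPHABET]
        if bad:
            findings.append((lineno, fields[0], bad))
    return findings


# Constructed sample entries (not real hashes); alice's field ends in 0x11.
SAMPLE = [
    "root:$1$constrct$AAAAAAAAAAAAAAAAAAAAAA:10800:0:99999:7:::\n",
    "alice:abCONSTRUCTED\x11:10800:0:99999:7:::\n",
    "bob:!!abCONSTRUCTED:10800:0:99999:7:::\n",
    "daemon:*:10800:0:99999:7:::\n",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # latin-1 and newline="" keep every byte of the file as-is.
        with open(sys.argv[1], encoding="latin-1", newline="") as fh:
            entries = fh.readlines()
    else:
        entries = SAMPLE
    for lineno, user, bad in audit_shadow(entries):
        print(f"line {lineno}: {user}: unexpected characters {bad}")
```

Run without arguments it reports the constructed `alice` entry; given a path to a copy of the shadow file it audits that file instead.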