Bug#368804: Invalid/Lock password options don't work
Roland Gruber [EMAIL PROTECTED] writes:

> Hi Stephan,
>
> Brian May schrieb:
>> If I use the Invalid Password option in the Unix section of a user, I
>> get a password of *. This is not invalid. pam_ldap accepts the password
>> fine and allows the user to log in. Perhaps that means the fault is with
>> pam_ldap, not sure.
>
> Can you tell me why pam-ldap accepts a * as password? Should LDAP
> accounts not be formatted just like accounts in /etc/(passwd|shadow)?

A userPassword value is assumed to be hashed only if prefixed with a
hashing mechanism name like {CRYPT}; otherwise it is assumed to be a
plaintext, non-encrypted password (see RFC 2256 section 5.36).

> How do I disable an account, setting no userPassword attribute at all?

Either delete all userPassword values, or insert * after the {CRYPT}
prefix, e.g. replacing {CRYPT}GIB0bxS41gacQ with {CRYPT}*GIB0bxS41gacQ
(examples shown raw, not in Base64).

> When I set a user password which starts with * then getent shadow shows
> me an x in the password field.

libnss-ldap ignores all userPassword values not prefixed with {CRYPT},
i.e. not hashed according to the /etc/shadow convention.

Thanks,
Matej

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Bug#368804: Invalid/Lock password options don't work
Hi Stephan,

Brian May schrieb:
> If I use the Invalid Password option in the Unix section of a user, I
> get a password of *. This is not invalid. pam_ldap accepts the password
> fine and allows the user to log in. Perhaps that means the fault is with
> pam_ldap, not sure.

Can you tell me why pam-ldap accepts a * as password? Should LDAP accounts
not be formatted just like accounts in /etc/(passwd|shadow)?

How do I disable an account, setting no userPassword attribute at all?

When I set a user password which starts with * then getent shadow shows me
an x in the password field.

Greetings
Roland

--
LDAP Account Manager
http://lam.sourceforge.net
Bug#368804: Invalid/Lock password options don't work
Package: ldap-account-manager
Version: 1.0.1-1
Severity: critical
Tags: security

If I use the Invalid Password option in the Unix section of a user, I get
a password of *. This is not invalid. pam_ldap accepts the password fine
and allows the user to log in. Perhaps that means the fault is with
pam_ldap, not sure.

If I try to change an Invalid Password to a Lock password option nothing
changes, the password remains as *:

# slapcat
[...]
userPassword:: Kg==
[...]

# echo Kg== | mimencode -u | hexdump -C
2a|*|
0001

The help for Invalid password says this option should make the password
invalid and the Lock password says this option should prefix the password
with a !. Lock password only seems to work if the password was set to a
password that is not * beforehand.

I consider this a security issue, as it would be easy to set Invalid
Password thinking this makes it impossible to log in to the account, when
in actual fact not only is it possible to log in, but the password is an
easy one.

According to http://www.debian.org/Bugs/Developer#severities

--- cut ---
critical
    makes unrelated software on the system (or the whole system) break, or
    causes serious data loss, or introduces a security hole on systems
    where you install the package.

grave
    makes the package in question unusable or mostly so, or causes data
    loss, or introduces a security hole allowing access to the accounts of
    users who use the package.
--- cut ---

I believe this bug matches the definition of critical.
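The two points that decide this bug are Matej's explanation of how a userPassword value is interpreted (no {SCHEME} prefix means plaintext; a {CRYPT} hash is locked by inserting * or ! after the prefix) and the slapcat/mimencode check in the bug report that decodes the base64 value Kg== back to a bare *. The Python script below is an added example for auditing an LDIF dump for exactly that mistake; it is not code from this thread or from LDAP Account Manager. The sample LDIF is constructed: it reuses the Kg== value and the {CRYPT}GIB0bxS41gacQ hash quoted in the thread, while the DNs and the attribute names other than userPassword are made up for illustration. The classification rules are the ones stated in the thread, not a claim about how every pam_ldap or libnss-ldap version behaves.

```python
import base64
import re

# {SCHEME}payload, e.g. {CRYPT}GIB0bxS41gacQ; scheme names are matched case-insensitively
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

# Constructed sample in slapcat/LDIF form. Kg== is the base64 "*" from the bug
# report; the {CRYPT} hash is the one quoted in Matej's reply. DNs are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: Kg==

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {CRYPT}GIB0bxS41gacQ

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {CRYPT}*GIB0bxS41gacQ

dn: uid=dave,ou=people,dc=example,dc=com
userPassword: {CRYPT}!GIB0bxS41gacQ
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def decode_ldif_value(line):
    """Split 'attr: value' or 'attr:: base64value' into (attr, decoded value)."""
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an attribute line: %r" % line)
    if rest.startswith(":"):
        return name.strip(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.strip(), rest.strip()


def classify_user_password(value):
    """Return 'plaintext', 'hashed' or 'locked' for one userPassword value.

    Rules as stated in the thread: no {SCHEME} prefix means the value is a
    plaintext password (RFC 2256 section 5.36); a {CRYPT} value whose hash
    starts with * or ! is treated as locked, following the /etc/shadow
    convention. Any other prefixed value is reported as hashed.
    """
    m = SCHEME_RE.match(value)
    if not m:
        return "plaintext"
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT" and payload[:1] in ("*", "!"):
        return "locked"
    return "hashed"


def lock_crypt_value(value, marker="*"):
    """Produce the locked form of a {CRYPT} value by inserting marker after the prefix.

    Idempotent: an already locked value is returned unchanged. Values without
    a {CRYPT} prefix are rejected, because prefixing a plaintext value would
    only store a slightly longer plaintext password (the bug in this report).
    """
    if marker not in ("*", "!"):
        raise ValueError("marker must be * or !")
    m = SCHEME_RE.match(value)
    if not m or m.group(1).upper() != "CRYPT":
        raise ValueError("only {CRYPT} values can be locked by prefixing the hash")
    payload = m.group(2)
    if payload[:1] in ("*", "!"):
        return value
    return "{CRYPT}" + marker + payload


def audit_ldif(text):
    """Return [(dn, status, value), ...] for every userPassword in an LDIF dump."""
    findings = []
    dn = None
    for line in unfold_ldif(text):
        if not line.strip():
            dn = None          # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        name, value = decode_ldif_value(line)
        if name == "dn":
            dn = value
        elif name == "userPassword":
            findings.append((dn, classify_user_password(value), value))
    return findings


def plaintext_accounts(text):
    """DNs whose userPassword would be accepted as a literal plaintext password."""
    return [dn for dn, status, _ in audit_ldif(text) if status == "plaintext"]


if __name__ == "__main__":
    for dn, status, value in audit_ldif(SAMPLE_LDIF):
        print("%-9s %-40s %s" % (status, dn, value))
```

Running the script against the sample lists alice as "plaintext" with the value "*", which is the situation the bug report describes: a value that looks disabled in the LAM interface but is a one-character password to pam_ldap. Feeding it real `slapcat` output (which base64-encodes userPassword, hence the `::` handling) gives the same per-account verdict, and lock_crypt_value shows the repair Matej suggests for entries that do carry a {CRYPT} hash.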