From owner-freebsd-bugs Fri Oct 4 14:30: 4 2002
Message-Id: <200210042121.g94LLvQI069892@www.freebsd.org>
Date: Fri, 4 Oct 2002 14:21:57 -0700 (PDT)
From: Jeffrey Eugene Crawford
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: misc/43674: Able to bypass expired password
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         43674
>Category:       misc
>Synopsis:       Able to bypass expired password
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 04 14:30:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Jeffrey Eugene Crawford
>Release:        CVSup RELENG_4_6
>Organization:
INSIGMA IT Engineering
>Environment:
FreeBSD lissi.crawford.int 4.6.2-RELEASE-p2 FreeBSD 4.6.2-RELEASE-p2 #0: Mon Sep 30 19:44:54 CEST 2002 toor@lissi.crawford.int:/usr/obj/usr/src/sys/LISSI i386
>Description:
Playing around with passwords, I found that I can set the password to expire in chpass; then, when I try to log into that account, I'm asked to change the password. One of the requirements is that I provide a password that is at least 6 characters long. If, however, I simply exit with ^C, I'm able to access the account without changing the password.
>How-To-Repeat:
Set the password for an account to expire (I used chpass).
Log in to the account with current credentials; you are prompted to change the password.
Try to change the password to one that is less than 6 chars long; you receive an error message.
Simply press ^C and you are in the account with an expired password.
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
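
An added example, not part of the original report: a check an administrator can run while this PR is open, listing the accounts whose password-change time (the value chpass sets) has already passed and that still hold a usable password hash. It relies on the master.passwd(5) field order; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose password-change time has passed.
# master.passwd(5) fields:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# "change" is seconds since the epoch; 0 or empty means no password expiry.

# expired_accounts NOW   (reads master.passwd-format lines on stdin)
# Prints "name change_epoch" for every account whose password has expired
# and whose password field does not start with "*" (no usable hash).
expired_accounts() {
    awk -F: -v now="$1" '
        /^#/ || NF < 10 { next }            # skip comments and malformed lines
        $6 == "" || $6 + 0 == 0 { next }    # no password-change time set
        $2 ~ /^\*/ { next }                 # locked or system account
        $6 + 0 <= now + 0 { print $1, $6 }  # change time is in the past
    '
}

# Constructed sample input (not taken from a real system).
sample_master_passwd() {
    cat <<'EOF'
# constructed sample
root:$1$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:$1$constructed$hash:1001:1001::1033765200:0:Alice:/home/alice:/bin/sh
bob:$1$constructed$hash:1002:1002::4102444800:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*$1$constructed$hash:1003:1003::1033765200:0:Carol:/home/carol:/bin/sh
EOF
}

# On a live system, as root:
#   expired_accounts "$(date +%s)" < /etc/master.passwd
sample_master_passwd | expired_accounts 1033767002
```

Any account this prints is one where the forced password change described above is the only thing standing between an expired credential and a shell.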