catch special password "s/key" and refuse it

3 files changed, 88 insertions, 82 deletions

diff --git a/usr.bin/passwd/local_passwd.c b/usr.bin/passwd/local_passwd.c
index d45ea80bc48..51056a1d4f3 100644
--- a/usr.bin/passwd/local_passwd.c
+++ b/usr.bin/passwd/local_passwd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: local_passwd.c,v 1.8 1997/04/07 06:43:09 millert Exp $	*/
+/*	$OpenBSD: local_passwd.c,v 1.9 1998/02/24 20:46:14 deraadt Exp $	*/
 
 /*-
  * Copyright (c) 1990 The Regents of the University of California.
@@ -35,7 +35,7 @@
 
 #ifndef lint
 /*static char sccsid[] = "from: @(#)local_passwd.c	5.5 (Berkeley) 5/6/91";*/
-static char rcsid[] = "$OpenBSD: local_passwd.c,v 1.8 1997/04/07 06:43:09 millert Exp $";
+static char rcsid[] = "$OpenBSD: local_passwd.c,v 1.9 1998/02/24 20:46:14 deraadt Exp $";
 #endif /* not lint */
 
 #include <sys/types.h>
@@ -126,6 +126,10 @@ getnewpasswd(pw)
 			(void)printf("Password unchanged.\n");
 			pw_error(NULL, 0, 0);
 		}
+		if (strcmp(p, "s/key") == 0) {
+			printf("That password collides with a system feature. Choose another.\n");
+			continue;
+		}
 		if (strlen(p) <= 5 && ++tries < 2) {
 			(void)printf("Please enter a longer password.\n");
 			continue;
diff --git a/usr.bin/passwd/new_pwd.c b/usr.bin/passwd/new_pwd.c
index 0ce5177a4e2..5438af259f8 100644
--- a/usr.bin/passwd/new_pwd.c
+++ b/usr.bin/passwd/new_pwd.c
@@ -59,98 +59,96 @@
 static char *
 check_pw (char *pword)
 {
-    if (strlen(pword) == 0)
-	return "Null passwords are not allowed - Please enter a longer password.";
+	char *t;
+
+	if (strlen(pword) == 0)
+		return "Null passwords are not allowed - Please enter a longer password.";
     
-    if (strlen(pword) < MIN_KPW_LEN)
-	return "Password is to short - Please enter a longer password.";
+	if (strlen(pword) < MIN_KPW_LEN)
+		return "Password is to short - Please enter a longer password.";
     
-    /* Don't allow all lower case passwords regardless of length */
-    {
-	char *t;
+	if (strcmp(pword, "s/key") == 0)
+		return "That password collides with a system feature. Choose another.\n";
+
+	/* Don't allow all lower case passwords regardless of length */
 	for (t = pword; *t && islower(*t); t++)
-	    ;
+		;
 	if (*t == 0)
-	    return "Please don't use an all-lower case password.\n"
-	      "\tUnusual capitalization, delimiter characters or "
-	      "digits are suggested.";
-    }
-
-    return NULL;
+		return "Please don't use an all-lower case password.\n"
+		    "\tUnusual capitalization, delimiter characters or "
+		    "digits are suggested.";
+	return NULL;
 }
 
 int
 get_pw_new_pwd(char *pword, int pwlen, krb_principal *pr, int print_realm)
 {
-    char ppromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */
-    char npromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */
-    
-    char p[MAX_K_NAME_SZ];
-    
-    char local_realm[REALM_SZ];
-    int status;
-    char *expl;
-    
-    /*
-     * We don't care about failure; this is to determine whether or
-     * not to print the realm in the prompt for a new password. 
-     */
-    krb_get_lrealm(local_realm, 1);
+	char ppromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */
+	char npromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */
+	char p[MAX_K_NAME_SZ];
+	char local_realm[REALM_SZ];
+	int status;
+	char *expl;
+	char *q;
     
-    if (strcmp(local_realm, pr->realm))
-	print_realm++;
+	/*
+	 * We don't care about failure; this is to determine whether or
+	 * not to print the realm in the prompt for a new password. 
+	 */
+	krb_get_lrealm(local_realm, 1);
     
-    {
-	char *q;
+	if (strcmp(local_realm, pr->realm))
+		print_realm++;
 	krb_unparse_name_r(pr, p);
-	if(print_realm == 0 && (q = strrchr(p, '@')))
-	    *q = 0;
-    }
+	if (print_realm == 0 && (q = strrchr(p, '@')))
+		*q = 0;
 
-    snprintf(ppromp, sizeof(ppromp), "Old password for %s:", p);
-    if (read_long_pw_string(pword, pwlen-1, ppromp, 0)) {
-	fprintf(stderr, "Error reading old password.\n");
-	return -1;
-    }
-
-    status = krb_get_pw_in_tkt(pr->name, pr->instance, pr->realm, 
-			       PWSERV_NAME, KADM_SINST, 1, pword);
-    if (status != KSUCCESS) {
-	if (status == INTK_BADPW) {
-	    printf("Incorrect old password.\n");
-	    return -1;
-	}
-	else {
-	    fprintf(stderr, "Kerberos error: %s\n", krb_get_err_text(status));
-	    return -1;
+	snprintf(ppromp, sizeof(ppromp), "Old password for %s:", p);
+	if (read_long_pw_string(pword, pwlen-1, ppromp, 0)) {
+		fprintf(stderr, "Error reading old password.\n");
+		return -1;
 	}
-    }
-    memset(pword, 0, pwlen);
 
-    do {
-	char verify[MAX_KPW_LEN];
-	snprintf(npromp, sizeof(npromp), "New Password for %s:",p);
-	if (read_long_pw_string(pword, pwlen-1, npromp, 0)) {
-	    fprintf(stderr,
-		    "Error reading new password, password unchanged.\n");
-	    return -1;
-        }
-	expl = check_pw (pword);
-	if (expl) {
-	    printf("\n\t%s\n\n", expl);
-	    continue;
+	status = krb_get_pw_in_tkt(pr->name, pr->instance, pr->realm, 
+	    PWSERV_NAME, KADM_SINST, 1, pword);
+	if (status != KSUCCESS) {
+		if (status == INTK_BADPW) {
+			printf("Incorrect old password.\n");
+			return -1;
+		} else {
+			fprintf(stderr, "Kerberos error: %s\n",
+			    krb_get_err_text(status));
+			return -1;
+		}
 	}
-	/* Now we got an ok password, verify it. */
-	snprintf(npromp, sizeof(npromp), "Verifying New Password for %s:", p);
-	if (read_long_pw_string(verify, MAX_KPW_LEN-1, npromp, 0)) {
-	    fprintf(stderr,
-		    "Error reading new password, password unchanged.\n");
-	    return -1;
-        }
-	if (strcmp(pword, verify) != 0) {
-	    printf("Verify failure - try again\n");
-	    expl = "";		/* continue */
-	}
-    } while (expl);
-    return 0;
+	memset(pword, 0, pwlen);
+
+	do {
+		char verify[MAX_KPW_LEN];
+		snprintf(npromp, sizeof(npromp), "New Password for %s:",p);
+		if (read_long_pw_string(pword, pwlen-1, npromp, 0)) {
+			fprintf(stderr,
+			    "Error reading new password, password unchanged.\n");
+			return -1;
+		}
+		expl = check_pw (pword);
+		if (expl) {
+			printf("\n\t%s\n\n", expl);
+			continue;
+		}
+
+		/* Now we got an ok password, verify it. */
+		snprintf(npromp, sizeof(npromp),
+		    "Verifying New Password for %s:", p);
+		if (read_long_pw_string(verify, MAX_KPW_LEN-1, npromp, 0)) {
+			fprintf(stderr,
+			    "Error reading new password, password unchanged.\n");
+			return -1;
+		}
+		if (strcmp(pword, verify) != 0) {
+			printf("Verify failure - try again\n");
+			expl = "";		/* continue */
+		}
+	} while (expl);
+	return 0;
 }
diff --git a/usr.bin/passwd/yp_passwd.c b/usr.bin/passwd/yp_passwd.c
index 657ed6bdc65..67b622c7af2 100644
--- a/usr.bin/passwd/yp_passwd.c
+++ b/usr.bin/passwd/yp_passwd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: yp_passwd.c,v 1.9 1997/09/12 04:12:53 millert Exp $	*/
+/*	$OpenBSD: yp_passwd.c,v 1.10 1998/02/24 20:46:17 deraadt Exp $	*/
 
 /*
  * Copyright (c) 1988 The Regents of the University of California.
@@ -34,7 +34,7 @@
  */
 #ifndef lint
 /*static char sccsid[] = "from: @(#)yp_passwd.c	1.0 2/2/93";*/
-static char rcsid[] = "$OpenBSD: yp_passwd.c,v 1.9 1997/09/12 04:12:53 millert Exp $";
+static char rcsid[] = "$OpenBSD: yp_passwd.c,v 1.10 1998/02/24 20:46:17 deraadt Exp $";
 #endif /* not lint */
 
 #ifdef	YP
@@ -207,6 +207,10 @@ getnewpasswd(pw, old_pass)
 			printf("Password unchanged.\n");
 			pw_error(NULL, 0, 0);
 		}
+		if (strcmp(p, "s/key") == 0) {
+			printf("That password collides with a system feature. Choose another.\n");
+			continue;
+		}
 		if (strlen(p) <= 5 && ++tries < 2) {
 			printf("Please enter a longer password.\n");
 			continue;