From 3749e4bbc828cc91887f82727e3d2a6a0a60cbe4 Mon Sep 17 00:00:00 2001 From: Theo de Raadt Date: Tue, 24 Feb 1998 20:46:18 +0000 Subject: catch special password "s/key" and refuse it --- usr.bin/passwd/local_passwd.c | 8 ++- usr.bin/passwd/new_pwd.c | 154 +++++++++++++++++++++--------------------- usr.bin/passwd/yp_passwd.c | 8 ++- 3 files changed, 88 insertions(+), 82 deletions(-) diff --git a/usr.bin/passwd/local_passwd.c b/usr.bin/passwd/local_passwd.c index d45ea80bc48..51056a1d4f3 100644 --- a/usr.bin/passwd/local_passwd.c +++ b/usr.bin/passwd/local_passwd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: local_passwd.c,v 1.8 1997/04/07 06:43:09 millert Exp $ */ +/* $OpenBSD: local_passwd.c,v 1.9 1998/02/24 20:46:14 deraadt Exp $ */ /*- * Copyright (c) 1990 The Regents of the University of California. @@ -35,7 +35,7 @@ #ifndef lint /*static char sccsid[] = "from: @(#)local_passwd.c 5.5 (Berkeley) 5/6/91";*/ -static char rcsid[] = "$OpenBSD: local_passwd.c,v 1.8 1997/04/07 06:43:09 millert Exp $"; +static char rcsid[] = "$OpenBSD: local_passwd.c,v 1.9 1998/02/24 20:46:14 deraadt Exp $"; #endif /* not lint */ #include @@ -126,6 +126,10 @@ getnewpasswd(pw) (void)printf("Password unchanged.\n"); pw_error(NULL, 0, 0); } + if (strcmp(p, "s/key") == 0) { + printf("That password collides with a system feature. Choose another.\n"); + continue; + } if (strlen(p) <= 5 && ++tries < 2) { (void)printf("Please enter a longer password.\n"); continue; diff --git a/usr.bin/passwd/new_pwd.c b/usr.bin/passwd/new_pwd.c index 0ce5177a4e2..5438af259f8 100644 --- a/usr.bin/passwd/new_pwd.c +++ b/usr.bin/passwd/new_pwd.c 
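Review bot: The check added to `getnewpasswd` in usr.bin/passwd/local_passwd.c is an exact, case-sensitive `strcmp(p, "s/key")`, so whether it fully closes the collision depends on how the code that interprets the special string compares it, which this diff does not show. If that comparison ignores case, the matching guard is `if (strcasecmp(p, "s/key") == 0) {`. The same literal and message are also added to `check_pw` in new_pwd.c and to `getnewpasswd` in yp_passwd.c, so a shared macro for the reserved string would keep the three copies from drifting. A short comment such as `/* "s/key" is reserved as a special password and cannot be set */` would record why it is refused. The neighbouring lines in this file write `(void)printf(...)`, which the new call does not follow; the function body continues outside the hunk.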
@@ -59,98 +59,96 @@ static char * check_pw (char *pword) { - if (strlen(pword) == 0) - return "Null passwords are not allowed - Please enter a longer password."; + char *t; + + if (strlen(pword) == 0) + return "Null passwords are not allowed - Please enter a longer password."; - if (strlen(pword) < MIN_KPW_LEN) - return "Password is to short - Please enter a longer password."; + if (strlen(pword) < MIN_KPW_LEN) + return "Password is to short - Please enter a longer password."; - /* Don't allow all lower case passwords regardless of length */ - { - char *t; + if (strcmp(pword, "s/key") == 0) + return "That password collides with a system feature. Choose another.\n"; + + /* Don't allow all lower case passwords regardless of length */ for (t = pword; *t && islower(*t); t++) - ; + ; if (*t == 0) - return "Please don't use an all-lower case password.\n" - "\tUnusual capitalization, delimiter characters or " - "digits are suggested."; - } - - return NULL; + return "Please don't use an all-lower case password.\n" + "\tUnusual capitalization, delimiter characters or " + "digits are suggested."; + return NULL; } int get_pw_new_pwd(char *pword, int pwlen, krb_principal *pr, int print_realm) { - char ppromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */ - char npromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */ - - char p[MAX_K_NAME_SZ]; - - char local_realm[REALM_SZ]; - int status; - char *expl; - - /* - * We don't care about failure; this is to determine whether or - * not to print the realm in the prompt for a new password. 
- */ - krb_get_lrealm(local_realm, 1); + char ppromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */ + char npromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */ + char p[MAX_K_NAME_SZ]; + char local_realm[REALM_SZ]; + int status; + char *expl; + char *q; - if (strcmp(local_realm, pr->realm)) - print_realm++; + /* + * We don't care about failure; this is to determine whether or + * not to print the realm in the prompt for a new password. + */ + krb_get_lrealm(local_realm, 1); - { - char *q; + if (strcmp(local_realm, pr->realm)) + print_realm++; krb_unparse_name_r(pr, p); - if(print_realm == 0 && (q = strrchr(p, '@'))) - *q = 0; - } + if (print_realm == 0 && (q = strrchr(p, '@'))) + *q = 0; - snprintf(ppromp, sizeof(ppromp), "Old password for %s:", p); - if (read_long_pw_string(pword, pwlen-1, ppromp, 0)) { - fprintf(stderr, "Error reading old password.\n"); - return -1; - } - - status = krb_get_pw_in_tkt(pr->name, pr->instance, pr->realm, - PWSERV_NAME, KADM_SINST, 1, pword); - if (status != KSUCCESS) { - if (status == INTK_BADPW) { - printf("Incorrect old password.\n"); - return -1; - } - else { - fprintf(stderr, "Kerberos error: %s\n", krb_get_err_text(status)); - return -1; + snprintf(ppromp, sizeof(ppromp), "Old password for %s:", p); + if (read_long_pw_string(pword, pwlen-1, ppromp, 0)) { + fprintf(stderr, "Error reading old password.\n"); + return -1; } - } - memset(pword, 0, pwlen); - do { - char verify[MAX_KPW_LEN]; - snprintf(npromp, sizeof(npromp), "New Password for %s:",p); - if (read_long_pw_string(pword, pwlen-1, npromp, 0)) { - fprintf(stderr, - "Error reading new password, password unchanged.\n"); - return -1; - } - expl = check_pw (pword); - if (expl) { - printf("\n\t%s\n\n", expl); - continue; + status = krb_get_pw_in_tkt(pr->name, pr->instance, pr->realm, + PWSERV_NAME, KADM_SINST, 1, pword); + if (status != KSUCCESS) { + if (status == INTK_BADPW) { + printf("Incorrect old password.\n"); + return -1; + } else { + 
fprintf(stderr, "Kerberos error: %s\n", + krb_get_err_text(status)); + return -1; + } } - /* Now we got an ok password, verify it. */ - snprintf(npromp, sizeof(npromp), "Verifying New Password for %s:", p); - if (read_long_pw_string(verify, MAX_KPW_LEN-1, npromp, 0)) { - fprintf(stderr, - "Error reading new password, password unchanged.\n"); - return -1; - } - if (strcmp(pword, verify) != 0) { - printf("Verify failure - try again\n"); - expl = ""; /* continue */ - } - } while (expl); - return 0; + memset(pword, 0, pwlen); + + do { + char verify[MAX_KPW_LEN]; + snprintf(npromp, sizeof(npromp), "New Password for %s:",p); + if (read_long_pw_string(pword, pwlen-1, npromp, 0)) { + fprintf(stderr, + "Error reading new password, password unchanged.\n"); + return -1; + } + expl = check_pw (pword); + if (expl) { + printf("\n\t%s\n\n", expl); + continue; + } + + /* Now we got an ok password, verify it. */ + snprintf(npromp, sizeof(npromp), + "Verifying New Password for %s:", p); + if (read_long_pw_string(verify, MAX_KPW_LEN-1, npromp, 0)) { + fprintf(stderr, + "Error reading new password, password unchanged.\n"); + return -1; + } + if (strcmp(pword, verify) != 0) { + printf("Verify failure - try again\n"); + expl = ""; /* continue */ + } + } while (expl); + return 0; } diff --git a/usr.bin/passwd/yp_passwd.c b/usr.bin/passwd/yp_passwd.c index 657ed6bdc65..67b622c7af2 100644 --- a/usr.bin/passwd/yp_passwd.c +++ b/usr.bin/passwd/yp_passwd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: yp_passwd.c,v 1.9 1997/09/12 04:12:53 millert Exp $ */ +/* $OpenBSD: yp_passwd.c,v 1.10 1998/02/24 20:46:17 deraadt Exp $ */ /* * Copyright (c) 1988 The Regents of the University of California. @@ -34,7 +34,7 @@ */ #ifndef lint /*static char sccsid[] = "from: @(#)yp_passwd.c 1.0 2/2/93";*/ -static char rcsid[] = "$OpenBSD: yp_passwd.c,v 1.9 1997/09/12 04:12:53 millert Exp $"; +static char rcsid[] = "$OpenBSD: yp_passwd.c,v 1.10 1998/02/24 20:46:17 deraadt Exp $"; #endif /* not lint */ #ifdef YP 
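Review bot: In usr.bin/passwd/new_pwd.c the new `check_pw` message ends in `\n`, but `get_pw_new_pwd` prints every explanation with `printf("\n\t%s\n\n", expl)`, so this rejection alone prints an extra blank line; the two messages above it have no trailing newline, and the string should read `"That password collides with a system feature. Choose another."`. Separately, in the do-loop `verify[MAX_KPW_LEN]` holds a second copy of the new password and is never cleared. A `memset(verify, 0, sizeof(verify));` after the `strcmp(pword, verify)` comparison would mirror the `memset(pword, 0, pwlen)` already applied to the old password, ideally through a clear the compiler cannot elide, such as `explicit_bzero` where the platform has it. The hunk also mixes a whole-function reindent with the one functional line, which makes the behavioural change hard to audit; it would review more easily as a separate commit.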
@@ -207,6 +207,10 @@ getnewpasswd(pw, old_pass) printf("Password unchanged.\n"); pw_error(NULL, 0, 0); } + if (strcmp(p, "s/key") == 0) { + printf("That password collides with a system feature. Choose another.\n"); + continue; + } if (strlen(p) <= 5 && ++tries < 2) { printf("Please enter a longer password.\n"); continue; -- cgit v1.2.3