From nobody@FreeBSD.org  Thu Jan 17 14:46:08 2002
Message-Id: <200201172246.g0HMk7l05030@freefall.freebsd.org>
Date: Thu, 17 Jan 2002 14:46:07 -0800 (PST)
From: Steve Wills <steve@stevenwills.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: keyinit takes passwords less than 10 chars, but opiekey forces you to 10 or more
X-Send-Pr-Version: www-1.0

>Number:         34010
>Category:       bin
>Synopsis:       [patch] keyinit takes passwords less than 10 chars, but opiekey forces you to 10 or more
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    vwe
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 17 14:50:02 PST 2002
>Closed-Date:    Sat May 24 15:31:35 UTC 2008
>Last-Modified:  Sat May 24 15:31:35 UTC 2008
>Originator:     Steve Wills
>Release:        4.5 PRERELEASE
>Organization:
>Environment:
FreeBSD weaponsvan 4.5-PRERELEASE FreeBSD 4.5-PRERELEASE #5: Wed Jan  2 15:41:21 EST 2002     swills@weaponsvan:/usr/obj/usr/src/sys/WEAPONSVAN  i386

>Description:
The summary basically says it all. I can keyinit myself a password that I can't generate opie keys for.
>How-To-Repeat:
run keyinit, set a password of 6 characters. run opiekey
>Fix:
None, sorry.
>Release-Note:
>Audit-Trail:

From: Volker Stolz <vs@foldr.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc: markm@FreeBSD.org, steve@stevenwills.com
Subject: Re: i386/34010: keyinit takes passwords less than 10 chars, but opiekey forces you to 10 or more
Date: Sun, 30 Jun 2002 08:52:41 +0200

 --k1lZvvs/B4yU6o8G
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 > How-To-Repeat
 > run keyinit, set a password of 6 characters. run opiekey
 
 [That's not really 'i386' but 'bin']
 The man page claims that opie should be downward compatible
 with the older s/key stuff.
 
 OPIE uses a single header file opie.h to define the limits on
 passphrases. 'keyinit' has them hardcoded in
 src/usr.bin/keyinit/skeyinit.c. A quick check after recompiling
 opie with a lower length limit shows that 'opiekey -4' is
 indeed compatible with 'key'.
 
 I really don't see why '[opie]key' should enforce any restriction
 on the passphrase; it should be sufficient to do this when
 initializing the key database.
 
 Unluckily, the function 'opiepasscheck' doing the length check
 is in libopie and used by all parts of the opie system. A separate
 version for opiekey would be required and wouldn't help on other
 OPIE installations.
 
 It is much easier to change FreeBSD's in-tree s/key stuff:
 There the length checks are separated, so it'd be possible to
 raise the minimum passphrase length for new keys w/o breaking
 existing keys. However this would still give the same error with
 already existing s/key databases which were installed using a
 smaller passphrase. In the long run, this would prevent this kind
 of accident from happening.
 
 Regards,
    Volker
 
 --k1lZvvs/B4yU6o8G
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="skey.diff"
 
 --- src/usr.bin/keyinit/skeyinit.c.orig	Sun Jun 30 08:47:44 2002
 +++ src/usr.bin/keyinit/skeyinit.c	Sun Jun 30 08:48:52 2002
 @@ -152,7 +152,9 @@
  		if(passwd2[0] == '\0'){
  			exit(1);
  		}
 -		if(strlen(passwd) < 4 && strlen(passwd2) < 4) {
 +		/* To be compatible with OPIE, require at least
 +                   10 characters. */
 +		if(strlen(passwd) < 10 && strlen(passwd2) < 10) {
  			fprintf(stderr, "Sorry your password must be longer\n\r");
  			exit(1);
  		}
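 
 Review bot: the length test in the changed 'if' still joins its two checks with '&&', so it rejects only when both passwd and passwd2 are shorter than 10; a short first entry paired with a longer second one passes this line. Checking the length of one buffer after the two entries have been confirmed equal, or using '||', would make the minimum hold without relying on code outside this hunk. The literal 10 also duplicates the limit that OPIE defines in opie.h, so a named constant with a comment pointing at that header would keep the two from drifting apart again, and the "must be longer" message should state the required minimum. The second line of the new comment is indented with spaces where the surrounding code uses tabs.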
 
 --k1lZvvs/B4yU6o8G--
Responsible-Changed-From-To: freebsd-bugs->vs 
Responsible-Changed-By: dannyboy 
Responsible-Changed-When: Wed Jul 14 23:27:00 GMT 2004 
Responsible-Changed-Why:  
vs, you put a patch in the audit trail--can you take this PR? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34010 
State-Changed-From-To: open->analyzed 
State-Changed-By: vs 
State-Changed-When: Mon Jul 19 11:19:09 GMT 2004 
State-Changed-Why:  


Responsible-Changed-From-To: vs->freebsd-bugs 
Responsible-Changed-By: vs 
Responsible-Changed-When: Mon Jul 19 11:19:09 GMT 2004 
Responsible-Changed-Why:  
Sorry, I don't do src. Return to the pool. 

State-Changed-From-To: analyzed->closed 
State-Changed-By: vwe 
State-Changed-When: Sat May 24 15:30:57 UTC 2008 
State-Changed-Why:  

We haven't had keyinit since the 5.x days - closing this


Responsible-Changed-From-To: freebsd-bugs->vwe 
Responsible-Changed-By: vwe 
Responsible-Changed-When: Sat May 24 15:30:57 UTC 2008 
Responsible-Changed-Why:  

track 

>Unformatted:
