Your message dated Thu, 15 Jun 2006 23:47:11 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Fixed in NMU of ldap-account-manager 1.0.2-1.1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ldap-account-manager
Version: 1.0.1-1
Severity: critical
Tags: security

If I use the "Invalid Password" option in the "Unix" section of a user,
I get a password of *. This is not invalid. pam_ldap accepts the
password fine and allows the user to log in. Perhaps that means the
fault is with pam_ldap, not sure.

If I try to change an "Invalid Password" to a "Lock password" option
nothing changes, the password remains as "*":

# slapcat
[...]
userPassword:: Kg==
[...]

# echo "Kg==" | mimencode -u | hexdump -C
00000000  2a                                                |*|
00000001

The help for "Invalid password" says this option should make the
password invalid and the "Lock password" says this option should prefix
the password with a "!". Lock password only seems to work if the
password was set to a password that is not "*" beforehand.

I consider this a security issue, as it would be easy to set "Invalid
Password" thinking this makes it impossible to log in to the account,
when in actual fact not only is it possible to log in, but the password
is an easy one. According to
http://www.debian.org/Bugs/Developer#severities

--- cut ---
critical
        makes unrelated software on the system (or the whole system)
        break, or causes serious data loss, or introduces a security
        hole on systems where you install the package.
grave
        makes the package in question unusable or mostly so, or causes
        data loss, or introduces a security hole allowing access to the
        accounts of users who use the package.
--- cut ---

I believe this bug matches the definition of "critical".



--- End Message ---
--- Begin Message ---
Version: 1.0.2-1.1

tags 368804 - fixed
thanks

I've NMUed for this bug (fixing the bug to use versioning instead of the
"fixed" tag, to ease tracking through testing); here's the changelog:

On Thu, Jun 15, 2006 at 02:35:31PM -0700, Steinar H. Gunderson wrote:
>  ldap-account-manager (1.0.2-1.1) unstable; urgency=low
>  .
>    * Non-maintainer upload.
>    * Make the "Invalid password" option set the hash to "{CRYPT}*" (which is an
>      invalid hash) instead of "*" (which means the plaintext password "*").
>      (Closes: #368804)

Note that the bug was partially bogus; only "invalid password" was wrongly
implemented, while "lock account" was (AFAICS) correctly implemented.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

--- End Message ---
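The mechanism both messages turn on, as an added example that is not code from LAM, pam_ldap, slapd or either of the messages above: a small model of how an LDAP consumer interprets a userPassword value. A value with no {SCHEME} prefix is the password itself, so the "Kg==" in the slapcat output above really is the plaintext password "*"; a {CRYPT} body that crypt(3) could never return (such as "*" or anything starting with "!") can match no candidate, which is what makes the NMU's "{CRYPT}*" unusable and a "!"-prefixed hash locked. The function names, the SSHA handling and the LDIF sample are my own assumptions, constructed for this demonstration.

```python
"""Added example, not LAM/pam_ldap/slapd code: how a userPassword value is
interpreted, and why bare "*" is a usable password while "{CRYPT}*" is not."""
import base64
import hashlib
import hmac
import re
from typing import List, Tuple

# crypt(3) output is either 13 chars of [./0-9A-Za-z] (traditional DES) or
# "$id$..." (modular crypt).  It never returns "*" and never starts with "!",
# which is exactly why those two forms can never match any password.
_CRYPT_RE = re.compile(r"^(?:[./0-9A-Za-z]{13}|\$[0-9a-z]+\$.+)$")


def ldif_value(line: str) -> str:
    """Value of one LDIF attribute line; '::' marks a base64-encoded value."""
    _, sep, rest = line.partition("::")
    if sep:
        return base64.b64decode(rest.strip()).decode("utf-8")
    _, _, rest = line.partition(":")
    return rest.strip()


def split_scheme(stored: str) -> Tuple[str, str]:
    """'{CRYPT}abc' -> ('CRYPT', 'abc'); no {SCHEME} prefix -> ('', value)."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", stored, re.S)
    if m:
        return m.group(1).upper(), m.group(2)
    return "", stored


def classify(stored: str) -> str:
    """plaintext | locked | unusable | hashed, as a consumer would treat it."""
    scheme, body = split_scheme(stored)
    if scheme == "":
        return "plaintext"      # the value IS the password: "*" logs in with "*"
    if scheme == "CRYPT":
        if body.startswith("!"):
            return "locked"     # shadow-style lock prefix, what "Lock password" adds
        if not _CRYPT_RE.match(body):
            return "unusable"   # e.g. "{CRYPT}*": no candidate can hash to this
    return "hashed"


def make_ssha(password: str, salt: bytes) -> str:
    """Build an RFC 2307 style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Would a consumer accept `candidate` against this stored value?"""
    scheme, body = split_scheme(stored)
    if scheme == "":
        return hmac.compare_digest(body.encode("utf-8"), candidate.encode("utf-8"))
    if scheme == "SSHA":
        raw = base64.b64decode(body)
        digest, salt = raw[:20], raw[20:]
        calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(calc, digest)
    if scheme == "CRYPT":
        if classify(stored) != "hashed":
            return False        # locked or malformed: rejected without calling crypt(3)
        import crypt            # stdlib module removed in Python 3.13; only needed here
        return hmac.compare_digest(crypt.crypt(candidate, body).encode(), body.encode())
    raise ValueError("unsupported scheme " + scheme)


# Constructed LDIF sample (not real directory data) mirroring the bug report:
# alice got LAM's "Invalid password" as shipped in 1.0.1, bob the NMU's fix,
# carol a locked crypt hash, dave a normal SSHA hash.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
userPassword:: Kg==

dn: uid=bob,ou=People,dc=example,dc=org
userPassword: {CRYPT}*

dn: uid=carol,ou=People,dc=example,dc=org
userPassword: {CRYPT}!$1$saltsalt$abcdefghijklmnopqrstuv

dn: uid=dave,ou=People,dc=example,dc=org
userPassword: %s
""" % make_ssha("correct horse", b"saltsalt")


def audit_ldif(ldif: str) -> List[Tuple[str, str]]:
    """(dn, classification) for every userPassword; 'plaintext' deserves a look."""
    findings, dn = [], ""
    for line in ldif.splitlines():
        if line.startswith("dn:"):
            dn = ldif_value(line)
        elif line.lower().startswith("userpassword:"):
            findings.append((dn, classify(ldif_value(line))))
    return findings


if __name__ == "__main__":
    for dn, kind in audit_ldif(SAMPLE_LDIF):
        print("%-45s %s" % (dn, kind))
    print("login as alice with password '*':", verify("*", "*"))
    print("login as bob   with password '*':", verify("{CRYPT}*", "*"))
```

Run against a real `slapcat` dump, the audit flags any entry whose userPassword is a bare lock marker; an account is only disabled if the stored value is something a consumer can never match, never because the string happens to look like one.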
