[10807] in bugtraq
Re: useradd -p stores cleartext passwords / shadow-980724
daemon@ATHENA.MIT.EDU (Roche-Kelly, Edmund B.)
Fri Jun 11 18:40:22 1999
Mime-Version: 1.0
Content-Type: text/plain
Message-Id: <A7942428AD51D211907500A0C9DEFBBDE60B82@MSGBOS627NTS.fmr.com>
Date: Fri, 11 Jun 1999 16:02:50 -0400
Reply-To: "Roche-Kelly, Edmund B." <Edmund.B.Roche-Kelly@FMR.COM>
From: "Roche-Kelly, Edmund B." <Edmund.B.Roche-Kelly@FMR.COM>
X-To: "emils@mail.usis.bkc.lv" <emils@mail.usis.bkc.lv>
To: BUGTRAQ@NETSPACE.ORG
I would think the obvious answer is that the password supplied
as an argument to -p is the encrypted password, generated
by any of the mkpasswd utilities.
I agree it's odd that it's not mentioned in the man page.
Ed
> -----Original Message-----
> From: Emils Klotins [SMTP:emils@mail.usis.bkc.lv]
> Sent: Friday, June 11, 1999 6:11 AM
> To: BUGTRAQ@netspace.org
> Subject: useradd -p stores cleartext passwords / shadow-980724
>
> Hello.
>
> Sorry if this is reported already. Didn't find it in Bugtraq archives nor
> in SuSE support db.
>
> OS: SuSE Linux 6.1
> Program: useradd
> Package: shadow-980724
>
> Problem description:
> 'useradd' command has an option '-p password' for specifying password to
> the newly added user.
> (This option btw, does not appear anywhere in useradd man page)
> If you specify this option along with a password, the password will be
> stored in /etc/shadow, but
> in cleartext, creating 2 problems:�
> 1. The password is stored in cleartext
> 2. It of course does not work, for upon login an encrypted version of
> password is expected to be in
> /etc/shadow.
>
> PS. I could agree that specifying password in command-line can be
> considered quite dangerous,
> however, if the option is there, it should either work correctly or not be
> there.
>
>
>
>
> Emils Klotins e-mail: emils@mail.usis.bkc.lv
> Systems Manager URL: http://www.usis.bkc.lv/
> USIS Riga 7 Smilsu Str., Riga LV1050, LATVIA
