[10802] in bugtraq
useradd -p stores cleartext passwords / shadow-980724
daemon@ATHENA.MIT.EDU (Emils Klotins)
Fri Jun 11 15:50:57 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id: <199906110707.KAA14041@omega.bkc.lv>
Date: Fri, 11 Jun 1999 10:11:29 EET
Reply-To: emils@mail.usis.bkc.lv
From: Emils Klotins <emils@MAIL.USIS.BKC.LV>
To: BUGTRAQ@NETSPACE.ORG
Hello.
Sorry if this is reported already. Didn't find it in Bugtraq archives nor in SuSE support db.
OS: SuSE Linux 6.1
Program: useradd
Package: shadow-980724
Problem description:
'useradd' command has an option '-p password' for specifying password to the newly added user.
(This option btw, does not appear anywhere in useradd man page)
If you specify this option along with a password, the password will be stored in /etc/shadow, but
in cleartext, creating 2 problems:�
1. The password is stored in cleartext
2. It of course does not work, for upon login an encrypted version of password is expected to be in
/etc/shadow.
PS. I could agree that specifying password in command-line can be considered quite dangerous,
however, if the option is there, it should either work correctly or not be there.
Emils Klotins e-mail: emils@mail.usis.bkc.lv
Systems Manager URL: http://www.usis.bkc.lv/
USIS Riga 7 Smilsu Str., Riga LV1050, LATVIA
