[18820] in Athena Bugs


xss manpage: -passwd

daemon@ATHENA.MIT.EDU (zeno@MIT.EDU)
Mon Feb 26 16:45:03 2001

From: zeno@MIT.EDU
Message-Id: <200102262144.QAA13645@denmark-vesey.mit.edu>
To: bugs@MIT.EDU
Date: Mon, 26 Feb 2001 16:44:53 -0500


System name:		m56-129-14.mit.edu
Type and version:	Ultra-5_10 8.4.20


The xss manpage says:

    You can generate a password to use  with  this  with
    the following perl command:

    perl -e 'print crypt(<>, "xx") . "\n";'

    where  xx  can  by  any  two-character  alphanumeric
    string. Type the command and press return, then type
    a password and press  return.  It  will  output  the
    crypted version.

Aside from the minor "by" typo there, this is dangerously
erroneous:  the string read in by perl will still have
its final newline, and crypt() will give an encrypted string
that is not a hash of just the plaintext password-sans-newline,
as needed by xss. Much better to use:

    perl -lne 'print crypt($_, "xx"); exit'

which nicely handles the newline both going in and printing
out, avoiding the slightly confusing-looking  . "\n"   business.
(The exit is just to make it quit after one iteration.)

A user who does what the manpage currently says, therefore finding
that the intended password doesn't unlock xss, might not
know about the option of falling back to the Kerberos password.

Thanks;
Richard Duffy <zeno@mit.edu>
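The newline problem described in the report above, as an added example that is not part of the original bug report, the xss manpage, or xss itself. It uses perl's crypt builtin, the same "xx" salt the manpage suggests, and a constructed sample password typed with its trailing newline; the unlock check is the standard crypt(3) idiom (re-hash the candidate with the stored hash as salt and compare), which is assumed here to be what xss does since the page does not show xss's own code.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: the line that <> hands to crypt() in the
# manpage's one-liner, newline still attached.
my $typed_line = "hunter2\n";
my $salt       = "xx";    # any two-character alphanumeric string

# Manpage version: the newline becomes part of the hashed plaintext.
my $manpage_hash = crypt( $typed_line, $salt );

# Corrected version: what `perl -lne` does, since -l chomps the newline
# before $_ ever reaches crypt().
( my $password = $typed_line ) =~ s/\n\z//;
my $fixed_hash = crypt( $password, $salt );

# Assumed unlock check (standard crypt(3) idiom; xss's own code is not
# on the page): re-hash the candidate using the stored hash as the salt
# and compare the result with the stored hash.
sub unlocks {
    my ( $stored, $candidate ) = @_;
    return crypt( $candidate, $stored ) eq $stored;
}

printf "manpage hash:      %s\n", $manpage_hash;
printf "fixed hash:        %s\n", $fixed_hash;
printf "hashes identical:  %s\n", $manpage_hash eq $fixed_hash ? "yes" : "no";

# The password typed at the xss prompt carries no newline, so only the
# hash of the newline-free password can ever match it.
for my $case ( [ "manpage", $manpage_hash ], [ "fixed", $fixed_hash ] ) {
    my ( $name, $stored ) = @$case;
    printf "%-7s hash unlocked by '%s': %s\n", $name, $password,
        unlocks( $stored, $password ) ? "yes" : "no";
}
```

Run it as `perl newline-check.pl`; the two hashes differ, the manpage-style hash is never unlocked by the password the user actually meant, and the `-lne` style hash is. One caveat worth knowing when reproducing this: with a two-character salt, crypt(3) on these systems is traditional DES crypt, which only looks at the first eight characters of the plaintext, so the bug is only visible for passwords of seven characters or fewer (as in the sample here); for an eight-character-or-longer password the trailing newline is silently truncated away and both one-liners happen to produce the same hash.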
