-a in opiekey(1) doesn't work

From: Joerg Wunsch (j@ida.interface-business.de)
Date: 08/29/01


Date: Wed, 29 Aug 2001 12:58:44 +0200
From: Joerg Wunsch <j@ida.interface-business.de>
To: audit@freebsd.org

Dunno who's the best person to tell this. The -a option to opiekey(1)
is supposed to suppress password checking, but closer inspection of
the code reveals that the value of `aflag' is properly set when the
option is provided, but then never used again. This prevents opiekey
from becoming a full replacement of the old skey program for users who
used to have too short secret passwords.

We should either remove it completely if we think providing this
option is a bad idea from the beginning, or make it work as
advertised. The patch below implements the latter. (Btw., the check
against (flags & 2) isn't useful either since flags is passed from the
caller as either 0 or 1, hard-coded. We could set flag 2 when aflag
is set, but that'd mean modifying 6 calls to opiereadpass() instead of
a single line of change as suggested below.)

Index: contrib/opie/opiekey.c
===================================================================
RCS file: /home/ncvs/src/contrib/opie/opiekey.c,v
retrieving revision 1.1.1.2.6.1
diff -u -r1.1.1.2.6.1 opiekey.c
--- contrib/opie/opiekey.c 2000/06/09 07:14:56 1.1.1.2.6.1
+++ contrib/opie/opiekey.c 2001/08/29 10:02:02
@@ -116,7 +116,7 @@
     }
     memset(verify, 0, sizeof(verify));
   }
- if (!(flags & 2) && opiepasscheck(secret)) {
+ if (!(flags & 2) && !aflag && opiepasscheck(secret)) {
     memset(secret, 0, sizeof(secret));
     fprintf(stderr, "Secret pass phrases must be between %d and %d characters long.\n", OPIE_SECRET_MIN, OPIE_SECRET_MAX);
     exit(1);
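
Review bot: In the changed `if`, -a now skips opiepasscheck(secret) silently, so a secret shorter than OPIE_SECRET_MIN is accepted with no indication that the length check was bypassed. Consider printing a one-line warning to stderr when aflag is set and the check would have failed, and make sure opiekey(1) documents that -a disables the length check. The hunk does not show where aflag is declared; since this condition sits in a function that receives flags from its caller, confirm aflag is file-scope and not local to main(). If flags is only ever 0 or 1, as the message says, the remaining `!(flags & 2)` test is dead and should either be dropped in the same change or get a comment explaining why it stays.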

-- 
J"org Wunsch					       Unix support engineer
joerg_wunsch@interface-systems.de        http://www.interface-systems.de/~j/