From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id e1cf78fc for ; Sat, 19 Oct 2019 13:12:00 +0000 (UTC) Received: by minnie.tuhs.org (Postfix, from userid 112) id 599529B883; Sat, 19 Oct 2019 23:11:59 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id 393B39B57F; Sat, 19 Oct 2019 23:11:27 +1000 (AEST) Authentication-Results: minnie.tuhs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="XjoDXUuP"; dkim-atps=neutral Received: by minnie.tuhs.org (Postfix, from userid 112) id 96B7E9B57F; Sat, 19 Oct 2019 23:11:24 +1000 (AEST) Received: from mail-vs1-f52.google.com (mail-vs1-f52.google.com [209.85.217.52]) by minnie.tuhs.org (Postfix) with ESMTPS id 0525F9B553 for ; Sat, 19 Oct 2019 23:11:24 +1000 (AEST) Received: by mail-vs1-f52.google.com with SMTP id e19so5907955vsb.12 for ; Sat, 19 Oct 2019 06:11:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=A0bnznEpvOzOEwSdS0bs34FcS56yPOm1pP0ptBE7GcE=; b=XjoDXUuPq2UB2jh776ynieliw3dpyVBbvIePza/85AyBAnr+yRXJQ9XFheseqzFkk9 ikYjdLUc6ILqU3t5OnEUGcuEDzsGB+D/l0nv+uFmLgOb7EasL/Csze80vwrF4NtoqAnu Q+jOUtPSexfhvppOsWpLQgyt+w0y6pzg1TS7+G36L2oFFf/3kHtQq6G3Fn8xtopnlI/S Mtgk63oOpBLSFL6qCRlgShruabI0fKz4HGITDUmzZedJVTuAZrlU7BvAgHJqW6847F1E pjctYy/D5WaPy6Gr4PAeinXYbDOHZsiTH46cZG+iKzIexJtKUutkaSJ5rdkAwBhi+KBY KZjQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=A0bnznEpvOzOEwSdS0bs34FcS56yPOm1pP0ptBE7GcE=; b=a1cEw/1sbuDx1aezTZPfDguTEWfX1DSH4GkXKk15wj2HVKcVssJjl1XkDXaJ2poygS 1S+uzMymRZJTzWvBhb7u2kYkYcgTdOori/wrbh1capy8UL3bxnsqBwRMULanFBpbyw+t 9Y2zR1jitD5zcSMqyAJLhm0CkLHyF6zs4Du+MzTaV1az+EL1/WVi+yAojOPaD6c4P8zE Fp+bnuYHYSk/qKmlk+8DTNsrgFLVorStzyOhLQs780K8zdhoX4n96aYTkoDMdDkV3ik0 ejQOcb4BAy9f/8Kd00JaOk6vPn3t7vESuLoH93fq7D5z4aGBizHIG29zhvXJO44JKeLv Ollw== X-Gm-Message-State: APjAAAUXyJlVqJLyYBKlgMhjfH2dTlzEaXZNORMwNTNWYwHhSqarP16q w1znKcsmwV8sCDA5DnZfMQbSY52gVyILQRRm+oSHRA== X-Google-Smtp-Source: APXvYqy79BPkIJJQ5zskbbxU3mzy7CxN0GVqGeJRNDmvlUW92/k803NfrHLOauSgW387BsFjBPYERVJnJahe5Mw1Gsk= X-Received: by 2002:a67:685:: with SMTP id 127mr8787355vsg.169.1571490682990; Sat, 19 Oct 2019 06:11:22 -0700 (PDT) MIME-Version: 1.0 References: <1570559927.29337.for-standards-violators@oclsc.org> <2e6e1005-3bbf-5dcc-3fcc-099864c752dc@kilonet.net> <8088e5bd-3530-d3e1-8066-db6ea9389dea@kilonet.net> <3054d652-7320-a99b-df24-67001f974d39@kilonet.net> <8736g06byw.fsf@vuxu.org> <90ffe509-76b5-6629-c55a-7785815fda2e@kilonet.net> In-Reply-To: From: "John P. Linderman" Date: Sat, 19 Oct 2019 09:11:10 -0400 Message-ID: To: Royce Williams Content-Type: multipart/alternative; boundary="000000000000ed76960595432f4d" Subject: Re: [TUHS] Recovered /etc/passwd files X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: The Unix Heritage Society Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" --000000000000ed76960595432f4d Content-Type: text/plain; charset="UTF-8" Related story. A user came to us with a problem while we were in our computer room. We asked him to log in at the VAX console, so we could look into the problem. Moments later, dozens of users flooded in, asking what had happened. Seems the first user had a CTRL-P in his password, which, when entered at the console, triggered the VAX to pause. On Fri, Oct 18, 2019 at 2:34 PM Royce Williams wrote: > On Fri, Oct 18, 2019 at 7:01 AM Royce Williams > wrote: > > > What original caught my attention was the logic behind enforcing > password quality in passwd.c during a specific era of BSD code, which > exited ambiguously in a double negative of sorts, where control characters > were not disallowed during password entry. (I'll try to dig up the source.) > > Specifically, see the eras in which passwd.c looked something like this: > > > https://github.com/dank101/4.2BSD/blob/708b3890ac0c2f034f2840b5ee9125b3c83a05bc/bin/passwd.c#L69-L107 > > while (c = *p++) { > if (c >= 'a' && c <= 'z') > flags |= 2; > else if (c >= 'A' && c <= 'Z') > flags |= 4; > else if (c >= '0' && c <= '9') > flags |= 1; > else > flags |= 8; > } > if (flags >= 7 && pwlen >= 4) > ok = 1; > > I was intrigued that the "special characters" character set was > defined negatively, such that control characters would also count. > > > Royce > --000000000000ed76960595432f4d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Rel= ated story. A user came to us with a problem while we were in our computer = room. We asked him to log in at the VAX console, so we could look into the = problem. Moments later, dozens of users flooded in, asking what had happene= d. Seems the first user had a CTRL-P in his password, which, when entered a= t the console, triggered the VAX to pause.

On Fri, Oct 18, 2019 at 2:3= 4 PM Royce Williams <royce@tec= hsolvency.com> wrote:
On Fri, Oct 18, 2019 at 7:01 AM Royce Williams <royce@techsolvency.com= > wrote:

> What original caught my attention was the logic behind enforcing passw= ord quality in passwd.c during a specific era of BSD code, which exited amb= iguously in a double negative of sorts, where control characters were not d= isallowed during password entry. (I'll try to dig up the source.)

Specifically, see the eras in which passwd.c looked something like this:
https://github.com/dank101/4.2BSD/blob/708b3890ac0c2f034f2840b5ee9125b3c83= a05bc/bin/passwd.c#L69-L107

=C2=A0 =C2=A0 =C2=A0 =C2=A0 while (c =3D *p++) {
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 if (c >=3D '= a' && c <=3D 'z')
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 flags |=3D 2;
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 else if (c >=3D = 'A' && c <=3D 'Z')
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 flags |=3D 4;
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 else if (c >=3D = '0' && c <=3D '9')
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 flags |=3D 1;
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 else
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 flags |=3D 8;
=C2=A0 =C2=A0 =C2=A0 =C2=A0 }
=C2=A0 =C2=A0 =C2=A0 =C2=A0 if (flags >=3D 7 && pwlen >=3D 4)=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 ok =3D 1;

I was intrigued that the "special characters" character set was defined negatively, such that control characters would also count.


Royce
--000000000000ed76960595432f4d--