Package: ldap-account-manager
Version: 1.0.1-1
Severity: critical
Tags: security
If I use the "Invalid Password" option in the "Unix" section of a user, I get a password of *. This is not invalid. pam_ldap accepts the password fine and allows the user to log in. Perhaps that means the fault is with pam_ldap, not sure.

If I try to change an "Invalid Password" to a "Lock password" option nothing changes, the password remains as "*":

# slapcat
[...]
userPassword:: Kg==
[...]
# echo "Kg==" | mimencode -u | hexdump -C
00000000  2a                                                |*|
00000001

The help for "Invalid password" says this option should make the password invalid, and the "Lock password" help says this option should prefix the password with a "!". Lock password only seems to work if the password was set to a password that is not "*" beforehand.

I consider this a security issue, as it would be easy to set "Invalid Password" thinking this makes it impossible to log in to the account, when in actual fact not only is it possible to log in, but the password is an easy one.

According to http://www.debian.org/Bugs/Developer#severities

--- cut ---
critical
    makes unrelated software on the system (or the whole system) break, or causes serious data loss, or introduces a security hole on systems where you install the package.
grave
    makes the package in question unusable or mostly so, or causes data loss, or introduces a security hole allowing access to the accounts of users who use the package.
--- cut ---

I believe this bug matches the definition of "critical".
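The audit script below is an added example and is not part of the bug report, of ldap-account-manager, or of pam_ldap. It parses slapcat LDIF output and flags every account whose userPassword is the literal "*" described above, or any other value with no {SCHEME} prefix, since a simple bind compares such values as cleartext and "*" is then a one-character password. A value starting with "!" is reported as locked, following the convention the LAM help text describes. The three LDIF entries are constructed for the example and the {SSHA} values are placeholders, not real hashes.

```python
import base64

# Constructed sample slapcat output; no entry here comes from a real directory.
# alice carries the literal "*" from the bug report (Kg== is base64 for "*").
# bob carries a "!"-prefixed hash, the lock form the LAM help text describes.
# carol carries an ordinary {SSHA} hash (placeholder digest, not a real one).
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "uid: alice",
    "userPassword:: Kg==",
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "uid: bob",
    "userPassword:: " + base64.b64encode(b"!{SSHA}placeholderNotARealDigest").decode(),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "uid: carol",
    "userPassword:: " + base64.b64encode(b"{SSHA}placeholderNotARealDigest").decode(),
    "",
])

# Password schemes a simple bind verifies as hashes. A value with none of these
# prefixes is compared byte-for-byte against what the user typed.
HASH_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")


def parse_ldif(text):
    """Return [(dn, [userPassword values])] for each entry in LDIF text.

    Handles '::' base64 attribute values and LDIF line folding (continuation
    lines start with a single space). Comments and blank entries are skipped.
    """
    entries = []
    for block in text.split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # folded continuation line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, passwords = None, []
        for line in lines:
            if line.startswith("dn::"):
                dn = base64.b64decode(line[4:].strip()).decode("utf-8", "replace")
            elif line.startswith("dn:"):
                dn = line[3:].strip()
            elif line.startswith("userPassword::"):
                raw_value = base64.b64decode(line[len("userPassword::"):].strip())
                passwords.append(raw_value.decode("utf-8", "replace"))
            elif line.startswith("userPassword:"):
                passwords.append(line[len("userPassword:"):].strip())
        if dn is not None:
            entries.append((dn, passwords))
    return entries


def classify(value):
    """Classify one userPassword value: locked, hashed, star, or cleartext."""
    if value.startswith("!"):
        return "locked"          # "!" prefix as described in the LAM help text
    if value.startswith(HASH_SCHEMES):
        return "hashed"
    if value == "*":
        return "star"            # the exact value LAM's "Invalid Password" wrote
    return "cleartext"


def audit(text):
    """Return (dn, kind, detail) for every account a simple bind could
    authenticate with a guessable cleartext value."""
    findings = []
    for dn, passwords in parse_ldif(text):
        for value in passwords:
            kind = classify(value)
            if kind == "star":
                findings.append((dn, kind,
                                 "userPassword is the literal '*'; binding with "
                                 "password '*' succeeds"))
            elif kind == "cleartext":
                findings.append((dn, kind,
                                 "no {SCHEME} prefix; compared as cleartext "
                                 "(%d characters)" % len(value)))
    return findings


if __name__ == "__main__":
    # Run against real data with:  slapcat | python3 this_script.py  (reads stdin)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for dn, kind, detail in audit(data):
        print("%s: %s: %s" % (kind, dn, detail))
```

Only alice is reported for the sample data: bob's "!" prefix turns his value into something no user would type, and carol's hash is verified as a hash rather than compared literally.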