Bug 106714

Summary: YaST Users Module disallows passwords with some ascii characters
Product: [openSUSE] SUSE Linux 10.1 Reporter: Hendrik Vogelsang <hvogel>
Component: YaST2Assignee: Jiří Suchomel <jsuchome>
Status: RESOLVED FIXED QA Contact: Klaus Kämpf <kkaempf>
Severity: Normal    
Priority: P5 - None CC: kukuk, yast2-maintainers
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Hendrik Vogelsang 2005-08-23 13:37:22 UTC 
it shouldnt. please allow all 7 bit ascii characters. Youre at least missing

'
"
`
<
>

There are tons of ascii tables out there. please double check.
Comment 1 Arvin Schnell 2005-08-23 13:40:40 UTC 
I suppose this is intended to be this way.  Jiri?
Comment 2 Stefan Hundhammer 2005-08-23 13:56:20 UTC 
IIRC we had this discussion on and off for several years. We try to be on the 
safe side to avoid unpleasant side effects - e.g., using the /etc/shadow 
delimiter character ":" or characters that might do unexpected things. All the 
above quote characters and "<" / ">" are asking for trouble IMHO - just think 
of all the things that can happen if they are passed to shell commands, which 
they ultimately will by YaST2. 
 
No, that really is intentional.
Comment 3 Hendrik Vogelsang 2005-08-23 13:59:35 UTC 
I understand that for usernames. But for passwords its unreasonable. You never
pass that character to a shell script and its never stored in clear text in any
file (except something is really wrong). Remember im talking about the password,
not the username/groupname or whatever...
Comment 4 Jiří Suchomel 2005-08-23 14:15:06 UTC 
Thorsten, what do you think?
Comment 5 Thorsten Kukuk 2005-08-23 14:20:06 UTC 
I don't know how YaST2 handles this passwords, so I cannot say if the
problems from #2 are true for YaST2 or not. All other programs I know of
don't have this problems with "<" or ">".

But the comment about ":" is wrong, since you don't write cleartext passwords
into /etc/shadow and the symbols for crypt passwords are "clean" in that way.
Comment 6 Jiří Suchomel 2005-08-24 14:37:32 UTC 
OK, I'll allow them for 10.0; however I won't change the text saying which
characters can be included in password, because we've already passed text freeze.
Comment 7 Jiří Suchomel 2005-08-24 14:57:01 UTC 
done (will be in beta4)
Comment 8 Jiří Suchomel 2005-09-16 09:34:31 UTC 
later is now
Comment 9 Jiří Suchomel 2005-09-16 10:36:12 UTC 
label also fixed
Comment 10 Jiří Suchomel 2006-01-20 12:51:20 UTC 
*** Bug 144060 has been marked as a duplicate of this bug. ***