[Pkg-shadow-devel] Bug#1124835: Bug#1124835: chpasswd hash check goes too far

Serge E. Hallyn serge at hallyn.com
Sat Jan 10 21:18:17 GMT 2026


On Sat, Jan 10, 2026 at 09:21:43PM +0100, Marc Haber wrote:
> After sleeping about this for a few nights and updating again to -4, I 
> now have the following:
> 
> |root at swivel-sid-buildd-amd64-q6ep:/srv# mkpasswd --hash=yescrypt foobar
> |$y$j9T$itVnlTtTBYo6Q2bWxDWxp.$iTCN.Ho/RhgFmNRMi7Un1zWjCQH/wEb1x2HD16pAbF8
> |root at swivel-sid-buildd-amd64-q6ep:/srv# useradd aust
> |root at swivel-sid-buildd-amd64-q6ep:/srv# echo 'aust:!' | chpasswd --encrypted
> |chpasswd: (line 1, user aust) invalid password hash
> |chpasswd: error detected, changes ignored
> |root at swivel-sid-buildd-amd64-q6ep:/srv# echo 'aust:*' | chpasswd --encrypted
> |root at swivel-sid-buildd-amd64-q6ep:/srv# echo 'aust:!$y$j9T$itVnlTtTBYo6Q2bWxDWxp.$iTCN.Ho/RhgFmNRMi7Un1zWjCQH/wEb1x2HD16pAbF8' | chpasswd --encrypted
> |root at swivel-sid-buildd-amd64-q6ep:/srv# echo 'aust:*$y$j9T$itVnlTtTBYo6Q2bWxDWxp.$iTCN.Ho/RhgFmNRMi7Un1zWjCQH/wEb1x2HD16pAbF8' | chpasswd --encrypted
> |chpasswd: (line 1, user aust) invalid password hash
> |chpasswd: error detected, changes ignored
> |root at swivel-sid-buildd-amd64-q6ep:/srv#
> 
> ! => not accepted
> * => accepted
> !(valid hash) => accepted
> *(valid hash) => not accepted
> 
> Is this really intended? Isn't this introducing semantics that were never 
> intended? The TUHS Mailing List has basically confirmed that ! and * 
> just are strings that can never come out of hashing a valid password.
> 
> Greetings
> Marc

So, just to be clear, you think all would be fine if we accept * followed
by anything, and ! not followed by anything?


