bug-cvs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: VS: pserver login fails on 9 char passwords

From: Mark D. Baushke
Subject: Re: VS: pserver login fails on 9 char passwords
Date: Mon, 29 Mar 2004 23:31:04 -0800 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mäkeläinen Juha <juha.makelainen@osuuspankki.fi> writes:

> It was not any comma problem. I did also some log writing (a few lines
> later):
> ...
>       else
>       {
>           host_user = NULL;
> #ifdef LOG_AUTHPRIV
>           syslog (LOG_AUTHPRIV | LOG_NOTICE,
>                   "password mismatch for %s: %s vs. %s", username,
>                   crypt(password, found_passwd), found_passwd);
> #endif
> ...
> $ tail /var/adm/syslog/syslog.log
> Jan  7 11:14:22 host1 syslog: password mismatch for user1: F0sPYT3vo0Gmc vs. 
> F0sPYT3vo0GmcT.Z51tttO6Q

Well, that is fairly ugly... Do you really need to use :pserver: here? I
think that using :ext: and having either rsh or ssh authenticate you
would be 'better' for the most part.

If you must use :pserver:, then I suspect you are probably going to be
stuck using --enable-pam for your HPUX system and hope that it fixes
things. This will provide you with a check_system_password() function
that calls pam_authenticate and we can hope that HPUX knows how to do
the right thing for you.

I just don't have any other good ideas for how to pursue this. Your
patch is just not secure enough for general deployment. If you know
of any other function on HPUX to verify a password against a system
stored credential, let us know.

        Thanks
        -- Mark

>     - Juha
> 
> 
> -----Alkuperäinen viesti-----
> Lähettäjä: Derek Robert Price [mailto:derek@ximbiot.com] 
> Lähetetty: 29. maaliskuuta 2004 20:27
> 
> Actually, as near as I can tell, the CVS server has been dealing with
> that problem, inserting the NUL at the comma, since 1.11.7. Why is
> Mäkeläinen still experiencing a problem?
> 
> Not that that is really the correct fix - to quote the comment in server.c:
> 
>     /* Allow for dain bramaged HPUX passwd aging
>      *  - Basically, HPUX adds a comma and some data
>      *    about whether the passwd has expired or not
>      *    on the end of the passwd field.
>      *  - This code replaces the ',' with '\0'.
>      *
>      * FIXME - our workaround is brain damaged too.  I'm
>      * guessing that HPUX WANTED other systems to think the
>      * password was wrong so logins would fail if the
>      * system didn't handle expired passwds and the passwd
>      * might be expired.  I think the way to go here
>      * is with PAM.
>      */
> 
> 
> Patches pensively perused,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFAaSI43x41pRYZE/gRAhD1AKCdR74lOPupOUlCfue7acCAq05hrACePXmh
hTpefV56CUftbkLExMM5ApU=
=JNf1
-----END PGP SIGNATURE-----
reply via email to
[Prev in Thread] Current Thread [Next in Thread]