Re: pserver login fails on 9 char passwords
From: Mark D. Baushke
Subject: Re: pserver login fails on 9 char passwords
Date: Mon, 29 Mar 2004 00:29:34 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mäkeläinen Juha <juha.makelainen@osuuspankki.fi> writes:
> Resending a lost bug report:
>
> -----Original-----
> Sender: Mäkeläinen Juha
> Sent: 15 Jan 2004 14:04
> Receiver: 'bug-cvs@gnu.org'
> Subject: pserver login fails on 9 char passwords
>
>
> This problem was found when using cvs-1.11.11 server on HP-UX and
> wincvs client.
>
> If the user password is 9 chars long, the crypted password from the client is
> 13 characters but the password obtained from the HP-UX secure password system is 24
> characters. The server.c module can not handle that.
The HP/UX passwords have been problems in the past. There was a hack
that stuck a NUL byte at the first comma in the found_passwd because of
extra glop that the HP/UX system added.
Your patch makes me uncomfortable because it may be possible to choose
a password that is encrypted with the same salt as the found_passwd and
happens to encode to a substring of the real found_passwd without being
a valid password on the system.
I would rather understand what HP/UX is doing to the found_password such
that it is so much longer than the crypted password.
BTW: The patch you sent was somewhat corrupt in that the '== 0)' of the
previous if expression was on the same line as a C preprocessor '#else'
statement.
Thanks,
-- Mark
> Login fails and wincvs client says:
>
> cvs -d :pserver:u123456@our-host.fi:/cvs/fdits login
> Logging in to :pserver:u123456@our-host.fi:2401:/cvs/fdits
> cvs [login aborted]: authorization failed: server our-host.fi rejected access
> to /cvs/fdits for user u123456
>
> Server (HP-UX B.11.11 U 9000/800) syslog.log message:
>
> Jan 13 09:54:54 our-host syslog: login failure (for /cvs/fdits)
> Jan 13 09:56:16 our-host syslog: password mismatch for u543251: F0sPYT3vo0Gmc vs.
> F0sPYT3vo0GmcT.Z51tttO6Q
>
>
> I have used pre-compiled versions like cvs-1.11.8 and also compiled my own
> cvs-1.11.11 using these options:
>
> CFLAGS="-g +DAportable -DLOG_AUTHPRIV" ./configure \
> --without-gssapi --enable-server-flow-control
>
> (In this system HAVE_GETSPNAM is defined.)
>
>
> This is my temporary workaround to cvs-1.11.11, which seems to work:
>
> $ LC_ALL=C diff -c server.c.orig server.c
>
> *** server.c.orig Thu Dec 18 19:59:46 2003
> --- server.c Wed Jan 14 15:42:50 2004
> ***************
> *** 5508,5514 ****
> --- 5508,5526 ----
> if (*found_passwd)
> {
> /* user exists and has a password */
> + #ifdef FD_JM_20040114
> + /* In HP-UX B.11.11 found_passwd is occasionally longer
> + * than crypted passwd here (24 compared to 13 bytes).
> + * This happened when the user password length is 9 characters.
> + * FIXME - Our workaround is based on my belief that crypted
> + * password is never very short. Is it true?
> + * Now we compare only by the common part of both strings.
> + */
> + char *crypt_passwd = crypt (password, found_passwd);
> + if (strncmp (found_passwd, crypt_passwd, strlen (crypt_passwd))
> + == 0) #else
> if (strcmp (found_passwd, crypt (password, found_passwd)) == 0)
> + #endif
> {
> host_user = xstrdup (username);
> }
>
>
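Review bot: the strncmp (found_passwd, crypt_passwd, strlen (crypt_passwd)) in the #ifdef branch turns the password check into a prefix match, so against the 24-character HP-UX field only the first 13 characters are ever compared (the syslog line in the report shows exactly that prefix agreeing) and the trailing 11 characters the system stored are never verified; worse, if crypt() hands back a short string for a salt it cannot use, strlen() is tiny and almost anything passes, and if it returns NULL (which glibc's crypt() does on error) strlen(NULL) takes the server down. Suggest keeping the full-length strcmp and instead producing, on HP-UX, the same 24-character form the system stores, which is the open question in the thread; at minimum require strlen (found_passwd) == strlen (crypt_passwd) and test crypt_passwd for NULL before touching it. Two smaller points: `== 0) #else` on one line will not preprocess, the `#else` needs its own line (as the reply notes), and the `#ifdef FD_JM_20040114` guard leaves the workaround compiled out unless that macro is defined at build time.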
> --
> Juha Mäkeläinen / Systems Specialist
> FD Finanssidata Oy / P.O. Box 308 / FIN-00101 Helsinki
> juha.makelainen@osuuspankki.fi
> t. +358-9-404 3075 / +358-40 715 5151 / fax +358-9-404 3007
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
iD8DBQFAZ95u3x41pRYZE/gRAsHDAJ4/XMEiMDo4Dviz6CS9tKyxNbvkjACfa6Ds
O9Ydbe8zvF2+T/bzOK0kHLM=
=4XS5
-----END PGP SIGNATURE-----
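The concern raised in the reply above, as an added illustration that is not code from this thread or from CVS: the two hash strings are the ones quoted from the syslog line, the prefix and empty-string inputs are constructed, and the 13-character minimum length is an assumption about classic DES crypt() output, not something the thread states. check_prefix reproduces the workaround's strncmp logic; check_full is a fallback that at least refuses partial matches.

```c
#include <stdio.h>
#include <string.h>

/* Values taken from the syslog line quoted in the report: the 13-byte
 * crypt() result the client sent and the 24-byte field the HP-UX
 * password database returned for the same account. */
#define STORED_FIELD "F0sPYT3vo0GmcT.Z51tttO6Q"
#define CLIENT_HASH  "F0sPYT3vo0Gmc"

/* Assumed minimum length of a crypt() result: 13 is the classic DES
 * form (2 salt + 11 hash characters). Not taken from the thread. */
#define MIN_HASH_LEN 13

/* What cvs 1.11.11 server.c does without the patch: exact match. */
int check_strict(const char *found_passwd, const char *crypt_passwd)
{
    if (crypt_passwd == NULL)
        return 0;
    return strcmp(found_passwd, crypt_passwd) == 0;
}

/* What the proposed workaround does: compare only strlen(crypt_passwd)
 * bytes. Mirrors the patch, including its lack of a NULL check, so a
 * NULL crypt_passwd would crash here just as it would in server.c. */
int check_prefix(const char *found_passwd, const char *crypt_passwd)
{
    return strncmp(found_passwd, crypt_passwd, strlen(crypt_passwd)) == 0;
}

/* A less dangerous fallback: NULL-safe, equal length, a plausible
 * minimum length, and a comparison whose timing does not depend on
 * where the first mismatch is. It does not solve the report's problem
 * (the server still does not know how the 24-byte form is produced);
 * it only refuses to accept a partial match. */
int check_full(const char *found_passwd, const char *crypt_passwd)
{
    size_t n, i;
    unsigned char diff = 0;

    if (crypt_passwd == NULL)
        return 0;
    n = strlen(found_passwd);
    if (n != strlen(crypt_passwd) || n < MIN_HASH_LEN)
        return 0;
    for (i = 0; i < n; i++)
        diff |= (unsigned char)(found_passwd[i] ^ crypt_passwd[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed inputs standing in for crypt() results that are not
     * the real password: a 4-byte prefix, and an empty string such as a
     * failing crypt() may hand back on some libcs. */
    const char *short_prefix = "F0sP";
    const char *empty = "";

    printf("strict, real hash  : %d\n", check_strict(STORED_FIELD, CLIENT_HASH));
    printf("prefix, real hash  : %d\n", check_prefix(STORED_FIELD, CLIENT_HASH));
    printf("prefix, 'F0sP'     : %d\n", check_prefix(STORED_FIELD, short_prefix));
    printf("prefix, ''         : %d\n", check_prefix(STORED_FIELD, empty));
    printf("full,   real hash  : %d\n", check_full(STORED_FIELD, CLIENT_HASH));
    printf("full,   24-byte    : %d\n", check_full(STORED_FIELD, STORED_FIELD));
    return 0;
}
```

The prefix check accepts the 13-byte client hash, a 4-byte fragment of it, and the empty string alike, because strncmp with a length of zero compares nothing and reports equality; that is the "substring of the real found_passwd" case the reply worries about, in its most extreme form.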