
Re: md5 passwds not working (suse 7.3) (NOW FIXED)



[SIGH]  Sorry for the flurry but I thought this info should be added
here for the purpose of the archives.  I suspect what Olaf describes
in the attached message is the same problem I was having with my
compile of cups before I upgraded pam.

In short, it is a -lcrypt vs -lcrypto ordering issue in suse's 7.3 and
earlier pam rpms.

Therefore, adding:

        export LD_PRELOAD=/usr/lib/libcrypt.so

to the top of the /etc/init.d/cups file probably would have solved
things for me, rather than having to update pam....

-JimC

--- Begin Message ---
I investigated this issue and found the problem...

Note that this has nothing to do with the "OpenSSH and PAM
is broken" issue; that is about password expiry and changing
your password as you try to log on.

The MD5 problem does not occur on all platforms; it only occurs
on 7.3 and earlier. It is caused by a symbol messup with libcrypt
vs OpenSSL's libcrypto. The pam_unix module calls crypt() to
hash the supplied password; normally this will call crypt()
from libcrypt.so (note missing o before dot :). This crypt
implementation understands Linux password extensions, such
as signaling MD5 passwords by prefixing the salt with $1$.

With the new OpenSSH, link order or whatever has changed,
causing it to pick up crypt() from libcrypto.so, which does
not understand these extensions.

As a quick workaround, edit /etc/init.d/sshd and add the following
line before sshd is started:

	export LD_PRELOAD=/usr/lib/libcrypt.so

This should cause the correct crypt function to be picked up.

Sorry for this confusion. We'll make sure to add tests using
md5 passwords to our test database.

Olaf
-- 
Olaf Kirch     |  Anyone who has had to work with X.509 has probably
okir@suse.de   |  experienced what can best be described as
---------------+  ISO water torture. -- Peter Gutmann

--- End Message ---
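
A self-test for the failure described in this thread, added here as an example and not code from either message: it hashes a probe password with a "$1$" salt and classifies the crypt() it was given by the shape of the result. The function names, the probe salt and the stand-in implementations are constructed for illustration; build with -DUSE_SYSTEM_CRYPT -lcrypt to probe the crypt() that actually resolves in the process.

```c
#include <stdio.h>
#include <string.h>
#ifdef USE_SYSTEM_CRYPT            /* build: cc -DUSE_SYSTEM_CRYPT probe.c -lcrypt */
#include <crypt.h>
#endif

typedef char *(*crypt_fn)(const char *key, const char *salt);
enum crypt_kind { CRYPT_MD5_AWARE, CRYPT_LEGACY_DES, CRYPT_UNUSABLE };

#define PROBE_SALT "$1$abcdefgh$"  /* constructed salt, not from the thread */

/* Hash a probe password with a "$1$" salt and judge the implementation by
 * the shape of what comes back, not by the exact digest. */
enum crypt_kind classify_crypt(crypt_fn fn)
{
    const char *out = fn("probe-password", PROBE_SALT);
    size_t plen = strlen(PROBE_SALT);

    if (out == NULL)
        return CRYPT_UNUSABLE;
    /* MD5-aware: "$1$salt$" is echoed back, followed by 22 hash characters. */
    if (strncmp(out, PROBE_SALT, plen) == 0 && strlen(out) == plen + 22)
        return CRYPT_MD5_AWARE;
    /* Traditional crypt: 13 characters, the first two being the salt "$1". */
    if (strlen(out) == 13 && strncmp(out, "$1", 2) == 0)
        return CRYPT_LEGACY_DES;
    return CRYPT_UNUSABLE;
}

/* Constructed stand-ins that mimic only the output shape of each kind. */
char *fake_md5(const char *k, const char *s)
{ (void)k; (void)s; return (char *)"$1$abcdefgh$AAAAAAAAAAAAAAAAAAAAAA"; }
char *fake_des(const char *k, const char *s)
{ (void)k; (void)s; return (char *)"$1AAAAAAAAAAA"; }
char *fake_null(const char *k, const char *s)
{ (void)k; (void)s; return NULL; }

int main(void)
{
    static const char *name[] = { "MD5-aware", "legacy DES only", "unusable" };
    printf("stand-in md5: %s\n", name[classify_crypt(fake_md5)]);
    printf("stand-in des: %s\n", name[classify_crypt(fake_des)]);
#ifdef USE_SYSTEM_CRYPT
    enum crypt_kind k = classify_crypt(crypt);
    printf("crypt() resolved in this process: %s\n", name[k]);
    return k == CRYPT_MD5_AWARE ? 0 : 1;
#else
    return 0;
#endif
}
```

Running the system-crypt build with and without the LD_PRELOAD line from the thread shows whether the workaround changes which implementation the process picks up.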
