
Re: [Fwd: MD5 passwords]



Hi,

I can confirm problems with MD5 hashed passwords on big-endian
architectures.  After the recent discussion in pam_unix thread I've verified
that MD5 calculation code compiles with pam_pwdb module in a wrong way.
The result is that hashes calculated on big-endian systems are different from
expected.

Last weekend I tried to solve the problem but it turned out not to be as easy
as it might be.  In my experiments the pam_pwdb module with the correct MD5
routines failed too because the dynamic linker resolved references to another
instance of the MD5 routines in libpwdb.  The version of libpwdb which I used
compiled the MD5 code in a wrong way too :-(

So we need to fix Makefiles both in pam_pwdb and libpwdb and implement a
backward compatibility hack somewhere.

Some time ago I used MD5 code in a PAM client agent (was in libpam_client)
with the necessary endianness checks.  But as far as I remember the checks
weren't cross-compile safe.

Best wishes
					Andrey V. Savochkin

On Sat, Jun 12, 1999 at 12:38:30PM -0700, Andrew Morgan wrote:
> Anyone (using RH 6.0) want to confirm/deny this?
> 
> Thanks
> 
> Andrew
> 
> Gergely Madarasz <gorgo@caesar.elte.hu> writes:
> 
> > md5 passwords are handled by glibc2 transparently (and libc5 since 5.4.42
> > or something), so just calling crypt() with the whole encrypted
> > password should work. At least it worked for me on Debian/i386 with glibc
> > 2.0 and glibc 2.1.
> 
> I discovered that when reading the glibc documentation. However, it
> still doesn't work. Say that I have the password "gazonk" on this
> system. I.e. that's a password that I can use to login successfully.
> Then look at the line in /etc/passwd, which contains the encrypted
> password
> 
>   $1$salt$ABCX7Qxx
> 
> I wrote a test program that calls glibc's crypt. If I invoke it with
> the salt taken from the passwd file, and my working password, the
> result does _not_ match the line in /etc/passwd. It appears that pam
> and glibc are not compatible. Although both use the same magic cookie
> $1$. I've now disabled md5-crypt on this system and changed my
> password to get a DES-based encrypted password instead. And now it
> works fine.
> 
> Details: I have glibc-2.1.1, and linux-pam-0.66 (that was what was
> supplied with Redhat-6.0). Can anyone confirm this incompatibility?
> One of its consequences is that if you have a system with these
> versions of glibc and linux-pam, and a lot of users with
> md5-passwords, and you decide to uninstall PAM, or replace the
> pam_pwdb module with a module that uses the crypt()-function from
> glibc, those users will no longer be able to log in. If the root
> password was encrypted with md5, you may have to dig out your boot
> floppies (which would be a little difficult for me; I have no floppy
> and no CD in the machine).


