Re: comments on this bug report (pam_unix)

On Tue, May 28, Andrew Morgan wrote:

> I'm not confident about accepting this (pam_unix) bug report and patch:
> http://sourceforge.net/tracker/index.php?func=detail&aid=521314&group_id=6663&atid=106663
> Unfortunately, the originator didn't provide contact information, so I'm
> unable to follow up directly with him.
> Basically, I can't confirm what is wrong with the code without the
> patch. The str[n]cmp seems to force the comparison to be abbreviated
> string if the salt is smaller than the encrypted password (NUL
> termination is not the issue since everything appears to be NUL
> terminated).
> Is this a legacy issue? (Something like bigcrypt thinks you want a
> bigcrypted password if you type a long password in - even when the
> stored encrypted password was truncated before encryption - that is the
> storage process didn't use bigcrypt?)
> I'd be happy if someone could comment/confirm that this is indeed a
> correct patch.

I don't think that this patch is correct. I can imagine only about two
problems: he uses HP-UX password aging, where extra stuff is appended
to the password field. But the correct solution would be to remove
this extra data (it is separated with a ","), not to truncate the.

The second one is that he mixes bigcrypt and DES passwords. He has a
DES password in the passwd file and uses bigcrypt to compare it with
a longer one.

But in every case, this patch is wrong. Extra information has to be
removed before and in the second case he should fix his configuration.


Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Deutschherrnstr. 15-19        D-90429 Nuernberg
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B
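
The two approaches contrasted in the message above, as an added example that is not part of the original mail or of pam_unix: the stored field is split at "," before an exact comparison, next to a comparison truncated to the stored length. The function names, the 128-byte buffer, the sample strings and the shape of the truncating comparison are assumptions, since the patch itself is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Copy the hash part of a passwd/shadow field into out, dropping aging
 * data after ',' (the separator named above). Returns 0, or -1 if too long. */
static int strip_aging(const char *field, char *out, size_t outlen)
{
    size_t n = strcspn(field, ",");
    if (n >= outlen)
        return -1;
    memcpy(out, field, n);
    out[n] = '\0';
    return 0;
}

/* Compare two hashes over their full length, without stopping at the
 * first differing byte. Returns 1 on match, 0 otherwise. */
static int hash_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned char diff = (la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Assumed shape of a truncating comparison: only strlen(stored) bytes. */
static int hash_equal_truncated(const char *computed, const char *stored)
{
    return strncmp(computed, stored, strlen(stored)) == 0;
}

/* Strip aging data first, then require an exact match. */
static int verify(const char *computed, const char *field)
{
    char stored[128];
    return strip_aging(field, stored, sizeof stored) == 0 &&
           hash_equal(computed, stored);
}

int main(void)
{
    /* Constructed strings, not real crypt() or bigcrypt() output. */
    const char *des = "abJnggxhB/yWI", *big = "abJnggxhB/yWIQ7kLm3pXzRt";
    printf("aging stripped: %d\n", verify(des, "abJnggxhB/yWI,A.B2"));
    printf("long vs short, exact: %d\n", verify(big, des));
    printf("long vs short, truncated: %d\n", hash_equal_truncated(big, des));
}
```

The truncated comparison accepts the longer computed string against the 13-character stored one, while the exact comparison rejects it and still accepts the field that carries aging data.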
