[tpop3d-discuss] auth_passwd problems with 1.5.1
Chris Lightfoot
chris at ex-parrot.com
Wed, 20 Aug 2003 20:40:25 +0100
On Wed, Aug 20, 2003 at 02:34:18PM -0500, Travis Miller wrote:
> I already did, check my first email again. :)
sorry.
> Here is something interesting, from auth_passwd.c, I added tiny bit of
> debugging:
>
> /* Now we need to authenticate the user; we will leave finding the
> * mailspool for later. */
>
> printf("Pwd compare: %s => %s => %s\n", pass, crypt(pass,
> user_passwd), user_passwd);
>
> if (!strcmp(crypt(pass, user_passwd), user_passwd)) {
> a = authcontext_new(pw->pw_uid, use_gid ? gid : pw->pw_gid,
> NULL, NULL, pw->pw_dir);
> }
[...]
> Pwd compare: testing => $1OMYGVcfhzuI => $1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1
[...]
> crypt() doesn't seem to be doing what it should be.
OK. What seems to be going on here is that your machine
uses crypt-MD5 passwords (the user_passwd hash is long and
starts `$1$...'. Now, what's supposed to happen here is
that the C library detects which sort of password is in
use by the first few characters ($1$ is special), and
computes the hash accordingly. But what you've actually
got is crypt(3) returning a traditional DES password using
$1 as the salt.
Can you try the following program:
#define _XOPEN_SOURCE
#include <unistd.h>
#include <stdio.h>
int main(int argc, char **argv) {
char **a;
for (a = argv + 1; *a; ++a)
printf("%s -> %s\n", *a, crypt(*a, "$1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1"));
return 0;
}
-- you may need -lcrypt to compile it. Give it some
passwords on the command line and tell me the results.
Oh, one thing -- what do the other passwords in
/etc/shadow look like? You didn't just copy the entry for
user test over from the other machine?
--
``[David Rice Atchison] wasn't sworn in, he didn't do anything presidential
(I believe he took a nap), and nobody to this day is really sure if he was
president or not.'' (Cecil Adams discusses succession in the US presidency)