[tpop3d-discuss] auth_passwd problems with 1.5.1

Chris Lightfoot chris at ex-parrot.com
Wed, 20 Aug 2003 20:40:25 +0100

On Wed, Aug 20, 2003 at 02:34:18PM -0500, Travis Miller wrote:
> I already did, check my first email again. :)


> Here is something interesting, from auth_passwd.c, I added tiny bit of 
> debugging:
>     /* Now we need to authenticate the user; we will leave finding the
>      * mailspool for later. */
>     printf("Pwd compare: %s => %s => %s\n", pass, crypt(pass, user_passwd), user_passwd);
>     if (!strcmp(crypt(pass, user_passwd), user_passwd)) {
>         a = authcontext_new(pw->pw_uid, use_gid ? gid : pw->pw_gid, NULL, NULL, pw->pw_dir);
>     }
> Pwd compare: testing => $1OMYGVcfhzuI => $1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1
> crypt() doesn't seem to be doing what it should be.

OK. What seems to be going on here is that your machine
uses crypt-MD5 passwords (the user_passwd hash is long and
starts `$1$...'). Now, what's supposed to happen here is
that the C library detects which sort of password is in
use by the first few characters ($1$ is special), and
computes the hash accordingly. But what you've actually
got is crypt(3) returning a traditional DES password using
$1 as the salt.

Can you try the following program:

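    #define _XOPEN_SOURCE
    #include <unistd.h>
    #include <stdio.h>

    /* Hash each command-line argument against the stored crypt-MD5 hash,
     * which crypt(3) should treat as the salt/settings string. */
    int main(int argc, char **argv) {
        char **a;
        for (a = argv + 1; *a; ++a) {
            /* crypt() can return NULL on failure; don't pass that to %s */
            const char *r = crypt(*a, "$1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1");
            printf("%s -> %s\n", *a, r ? r : "(null)");
        }
        return 0;
    }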

-- you may need -lcrypt to compile it. Give it some
passwords on the command line and tell me the results.

Oh, one thing -- what do the other passwords in
/etc/shadow look like? You didn't just copy the entry for
user test over from the other machine?

``[David Rice Atchison] wasn't sworn in, he didn't do anything presidential
  (I believe he took a nap), and nobody to this day is really sure if he was
  president or not.'' (Cecil Adams discusses succession in the US presidency)
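
The failure mode discussed in this message, as an added example that is not part of the original email or of tpop3d: a check that tells "wrong password" apart from "crypt(3) hashed with a different scheme than the stored hash". The function and enum names are hypothetical; the two sample strings are the ones quoted in the message, and no call to crypt() is made, so it builds without -lcrypt.

```c
#include <stdio.h>
#include <string.h>

enum scheme  { SCHEME_UNKNOWN, SCHEME_DES, SCHEME_MD5 };
enum verdict { MATCH, MISMATCH, SCHEME_FALLBACK, CRYPT_FAILED };

/* Hash strings quoted in the message above. */
static const char PAGE_STORED[]   = "$1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1";
static const char PAGE_COMPUTED[] = "$1OMYGVcfhzuI";

/* Classify a crypt(3)-style string by shape alone (hypothetical helper). */
enum scheme hash_scheme(const char *h) {
    static const char b64[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    if (!h) return SCHEME_UNKNOWN;
    if (strncmp(h, "$1$", 3) == 0) {
        /* crypt-MD5: "$1$", salt of up to 8 chars, "$", 22-char digest */
        const char *d = strchr(h + 3, '$');
        if (d && d - (h + 3) <= 8 && strlen(d + 1) == 22
              && strspn(d + 1, b64) == 22)
            return SCHEME_MD5;
        return SCHEME_UNKNOWN;
    }
    /* Traditional DES: 13 chars; the first two echo whatever salt was
     * passed in (even "$1"), the remaining 11 are the encoded digest. */
    if (strlen(h) == 13 && strspn(h + 2, b64) == 11)
        return SCHEME_DES;
    return SCHEME_UNKNOWN;
}

/* Compare crypt()'s return value with the stored hash, separating
 * "wrong password" from "libc hashed with a different scheme". */
enum verdict check_crypt_result(const char *stored, const char *computed) {
    /* Failure is NULL, or on some libcs a token starting with '*'. */
    if (!computed || computed[0] == '*') return CRYPT_FAILED;
    if (hash_scheme(stored) != hash_scheme(computed)) return SCHEME_FALLBACK;
    return strcmp(stored, computed) == 0 ? MATCH : MISMATCH;
}

int main(void) {
    static const char *names[] =
        { "match", "mismatch", "scheme fallback", "crypt failed" };
    printf("%s vs %s: %s\n", PAGE_STORED, PAGE_COMPUTED,
           names[check_crypt_result(PAGE_STORED, PAGE_COMPUTED)]);
    return 0;
}
```

Logging the SCHEME_FALLBACK case separately from an ordinary mismatch makes a broken or mislinked crypt(3) visible as a configuration fault rather than a stream of failed logins.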