[tpop3d-discuss] auth_passwd problems with 1.5.1
Travis Miller
tmiller at web-1hosting.net
Wed, 20 Aug 2003 14:51:38 -0500
Here ya go:
root@mailtest:/home/test# gcc test.c -lcrypt -o test
root@mailtest:/home/test# ./test testing agoodpassword abadpassword somethingelse
testing -> $1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1
agoodpassword -> $1$o9UzF.MI$MooNo.cO0PLenET975/jv.
abadpassword -> $1$o9UzF.MI$5Lb0poYietAxafbw.60mP/
somethingelse -> $1$o9UzF.MI$Kda3SqBDUHL53/S2Kk1nN0
Now... it seems as if it is working ok here?!
Chris Lightfoot wrote:
> On Wed, Aug 20, 2003 at 02:34:18PM -0500, Travis Miller wrote:
>
>>I already did, check my first email again. :)
>
>
> sorry.
>
>
>>Here is something interesting, from auth_passwd.c, I added tiny bit of
>>debugging:
>>
>>    /* Now we need to authenticate the user; we will leave finding the
>>     * mailspool for later. */
>>
>>    printf("Pwd compare: %s => %s => %s\n", pass, crypt(pass, user_passwd), user_passwd);
>>
>>    if (!strcmp(crypt(pass, user_passwd), user_passwd)) {
>>        a = authcontext_new(pw->pw_uid, use_gid ? gid : pw->pw_gid, NULL, NULL, pw->pw_dir);
>>    }
>
> [...]
>
>>Pwd compare: testing => $1OMYGVcfhzuI => $1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1
>
> [...]
>
>>crypt() doesn't seem to be doing what it should be.
>
>
> OK. What seems to be going on here is that your machine
> uses crypt-MD5 passwords (the user_passwd hash is long and
> starts `$1$...'). Now, what's supposed to happen here is
> that the C library detects which sort of password is in
> use by the first few characters ($1$ is special), and
> computes the hash accordingly. But what you've actually
> got is crypt(3) returning a traditional DES password using
> $1 as the salt.
>
> Can you try the following program:
>
> #define _XOPEN_SOURCE
> #include <unistd.h>
> #include <stdio.h>
>
> int main(int argc, char **argv) {
>     char **a;
>     for (a = argv + 1; *a; ++a)
>         printf("%s -> %s\n", *a, crypt(*a, "$1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1"));
>     return 0;
> }
>
> -- you may need -lcrypt to compile it. Give it some
> passwords on the command line and tell me the results.
>
>
>
> Oh, one thing -- what do the other passwords in
> /etc/shadow look like? You didn't just copy the entry for
> user test over from the other machine?
>
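
Added example, not part of the original thread and not tpop3d code: a check an authenticator could run on the value returned by crypt(pass, stored) to tell the failure seen above (a traditional DES result for a `$1$` hash) apart from an ordinary wrong password. The names check_crypt_result, scheme_prefix_len and same_string are hypothetical; the sample strings in main() are the ones quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

enum crypt_check { CRYPT_MATCH, CRYPT_MISMATCH, CRYPT_FAILED, CRYPT_WRONG_SCHEME };

/* Length of the "$id$" scheme prefix of a modular-format hash, or 0 if
 * `s` is a traditional hash with no such prefix. */
static size_t scheme_prefix_len(const char *s) {
    const char *end;
    if (s[0] != '$') return 0;
    end = strchr(s + 1, '$');
    return (end && end > s + 1) ? (size_t)(end - s) + 1 : 0;
}

/* Compare two strings without stopping at the first differing byte. */
static int same_string(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; ++i)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* `stored` is the hash from the password database; `result` is what
 * crypt(pass, stored) returned for the password being checked. */
enum crypt_check check_crypt_result(const char *stored, const char *result) {
    size_t n = scheme_prefix_len(stored);
    /* crypt() may return NULL on error; some libcrypt builds return a
     * failure token starting with '*' instead. */
    if (result == NULL || result[0] == '*')
        return CRYPT_FAILED;
    /* The library must echo the stored scheme prefix ("$1$"); if it does
     * not, it hashed with a different algorithm (e.g. DES, salt "$1"). */
    if (n > 0 && strncmp(result, stored, n) != 0)
        return CRYPT_WRONG_SCHEME;
    return same_string(result, stored) ? CRYPT_MATCH : CRYPT_MISMATCH;
}

int main(void) {
    /* Both strings are taken from the debug output quoted in the thread. */
    const char *stored = "$1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1";
    const char *seen = "$1OMYGVcfhzuI";
    printf("inside tpop3d: %d\n", check_crypt_result(stored, seen));
    printf("from test.c:   %d\n", check_crypt_result(stored, stored));
    return 0;
}
```

Logging CRYPT_WRONG_SCHEME separately from CRYPT_MISMATCH turns a build or linking problem into a visible configuration error instead of a stream of unexplained login failures.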