[tpop3d-discuss] auth_passwd problems with 1.5.1

Travis Miller tmiller at web-1hosting.net
Wed, 20 Aug 2003 14:51:38 -0500


Here ya go:

root@mailtest:/home/test# gcc test.c -lcrypt -o test
root@mailtest:/home/test# ./test testing agoodpassword abadpassword somethingelse
testing -> $1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1
agoodpassword -> $1$o9UzF.MI$MooNo.cO0PLenET975/jv.
abadpassword -> $1$o9UzF.MI$5Lb0poYietAxafbw.60mP/
somethingelse -> $1$o9UzF.MI$Kda3SqBDUHL53/S2Kk1nN0

Now... it seems as if it is working ok here?!




Chris Lightfoot wrote:
> On Wed, Aug 20, 2003 at 02:34:18PM -0500, Travis Miller wrote:
> 
>>I already did, check my first email again. :)
> 
> 
> sorry.
> 
> 
>>Here is something interesting, from auth_passwd.c, I added a tiny bit of 
>>debugging:
>>
>>    /* Now we need to authenticate the user; we will leave finding the
>>     * mailspool for later. */
>>
>>    printf("Pwd compare: %s => %s => %s\n", pass, crypt(pass, user_passwd), user_passwd);
>>
>>    if (!strcmp(crypt(pass, user_passwd), user_passwd)) {
>>        a = authcontext_new(pw->pw_uid, use_gid ? gid : pw->pw_gid, NULL, NULL, pw->pw_dir);
>>    }
> 
>     [...]
> 
>>Pwd compare: testing => $1OMYGVcfhzuI => $1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1
> 
>     [...]
> 
>>crypt() doesn't seem to be doing what it should be.
> 
> 
> OK. What seems to be going on here is that your machine
> uses crypt-MD5 passwords (the user_passwd hash is long and
> starts `$1$...'). Now, what's supposed to happen here is
> that the C library detects which sort of password is in
> use by the first few characters ($1$ is special), and
> computes the hash accordingly. But what you've actually
> got is crypt(3) returning a traditional DES password using
> $1 as the salt.
> 
> Can you try the following program:
> 
>     #define _XOPEN_SOURCE
>     #include <unistd.h>
>     #include <stdio.h>
> 
>     int main(int argc, char **argv) {
>         char **a;
>         for (a = argv + 1; *a; ++a)
>             printf("%s -> %s\n", *a, crypt(*a, "$1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1"));
>         return 0;
>     }
> 
> -- you may need -lcrypt to compile it. Give it some
> passwords on the command line and tell me the results.
> 
> 
> 
> Oh, one thing -- what do the other passwords in
> /etc/shadow look like? You didn't just copy the entry for
> user test over from the other machine?
>
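
A scheme sanity check for the failure Chris describes, as an added example that is not part of the original thread or of tpop3d: it compares the layout of the stored hash with what crypt(3) returned, before any strcmp. The names `diagnose_crypt` and `is_md5_crypt` are hypothetical; the sample strings are the ones quoted in this thread.

```c
#include <stdio.h>
#include <string.h>

/* How crypt(3)'s output relates to the scheme of the stored hash. */
enum crypt_diag { DIAG_OK, DIAG_NULL, DIAG_DES_FALLBACK, DIAG_SCHEME_MISMATCH };

static const char B64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* 1 if s has the crypt-MD5 layout: "$1$" + salt (at most 8 chars) + "$" + 22 hash chars. */
static int is_md5_crypt(const char *s) {
    const char *end;
    if (strncmp(s, "$1$", 3) != 0) return 0;
    end = strchr(s + 3, '$');
    if (end == NULL || end - (s + 3) > 8) return 0;
    return strlen(end + 1) == 22 && strspn(end + 1, B64) == 22;
}

/* Check that crypt()'s output uses the same scheme as the stored hash. */
enum crypt_diag diagnose_crypt(const char *stored, const char *computed) {
    if (computed == NULL) return DIAG_NULL;  /* crypt(3) can return NULL on failure */
    if (is_md5_crypt(stored)) {
        if (is_md5_crypt(computed)) return DIAG_OK;
        /* Traditional DES output: 13 chars, the first two echo the salt ("$1" here). */
        if (strlen(computed) == 13 && strncmp(computed, stored, 2) == 0)
            return DIAG_DES_FALLBACK;
        return DIAG_SCHEME_MISMATCH;
    }
    if (stored[0] == '$') {  /* other "$id$" schemes: the prefix must be preserved */
        const char *p = strchr(stored + 1, '$');
        size_t n = p ? (size_t)(p - stored) + 1 : strlen(stored);
        return strncmp(stored, computed, n) == 0 ? DIAG_OK : DIAG_SCHEME_MISMATCH;
    }
    /* Stored hash is traditional DES: expect 13 chars with the same 2-char salt. */
    return strlen(computed) == 13 && strncmp(stored, computed, 2) == 0
        ? DIAG_OK : DIAG_SCHEME_MISMATCH;
}

int main(void) {
    /* Both inputs are the values quoted in the thread. */
    const char *stored = "$1$o9UzF.MI$32/a2Jf/ExrQJoNFCshVl1";
    const char *names[] = {"ok", "crypt returned NULL", "DES fallback", "scheme mismatch"};
    printf("%s\n", names[diagnose_crypt(stored, "$1OMYGVcfhzuI")]);
    printf("%s\n", names[diagnose_crypt(stored, "$1$o9UzF.MI$MooNo.cO0PLenET975/jv.")]);
    return 0;
}
```

Run on crypt()'s return value before the strcmp, this lets a libc that ignores the `$1$` prefix be logged as a configuration fault rather than as a wrong password.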