Date:      Mon, 26 Aug 1996 19:10:03 -0700 (PDT)
From:      Marc Slemko <marcs@alive.ampr.ab.ca>
To:        freebsd-bugs
Subject:   Re: ports/1520: sudo misses certain passwords
Message-ID:  <199608270210.TAA07616@freefall.freebsd.org>

The following reply was made to PR ports/1520; it has been noted by GNATS.

From: Marc Slemko <marcs@alive.ampr.ab.ca>
To: Julian Elischer <julian@whistle.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: ports/1520: sudo misses certain passwords
Date: Sun, 25 Aug 1996 23:24:44 -0600 (MDT)

 On Wed, 21 Aug 1996, Julian Elischer wrote:
 
 >  Andrew Stevenson wrote:
 
 >  > >Description:
 >  > 
 >  > If a user has one of a number of passwords and tries to use sudo, sudo will not recognise their password. It continues as if you have got it wrong. Change the password and it works fine. The password works fine to log in with.
 >  > 
 >  > >How-To-Repeat:
 >  > 
 >  > One of the affected passwords is "martha:my". There are others but I can't remember them offhand...I will ask around our users if you need them.
 >  
 >  
 >  The standard password utility truncates the password at 8 chars
 >  sudo doesn't
 >  
 >  
 >  tell the user to only type "martha:m"
 >  or use a shorter password..
 >  I patched it here, (it's trivial) but lost the patch exactly
 >  It's of the form
 >  
 >  passwd[8] = 0;  /* truncate password */
 
 I think they are more likely using MD5 passwords (either libscrypt or
 libdescrypt which calls libscrypt if it gets a MD5 password, i.e. one
 starting with '$1$') which can be longer than 8 characters, but sudo
 links, by default, against its own tgetpass routine instead of the
 standard getpass.  In sudo's tgetpass.c there is a define around line 70
 for the password length (_PASSWD_LEN) that defaults to 8 characters.  When
 a password is longer than this, it breaks.  The solution is to either use
 the standard getpass (which is easy to do, but isn't really desirable,
 because tgetpass has a timeout built in, which is the main reason for
 tgetpass to exist) or define _PASSWD_LEN to something more appropriate.
 The trick is that they could also be using libdescrypt, which does
 truncate passwords at 8 characters, so simply increasing the define _may_
 break things for people using descrypt.
 
 Other workarounds such as the one suggested above can work, but aren't
 really correct.
 
 -- 
 Marc Slemko                                  1:342/1003@fidonet 
 marcs@alive.ampr.ab.ca         marcs@alive.ersys.edmonton.ab.ca
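Added example, not code from sudo or from anyone in this thread: a Python model of the failure Marc describes. It implements $1$ MD5 crypt following the FreeBSD libcrypt scheme, models tgetpass as a buffer that keeps only _PASSWD_LEN bytes, and checks the typed password the way a sudo-like caller would; the salt "Abc12345", the password from the report and the helper names `tgetpass`/`sudo_auth` are assumptions made for the example.

```python
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PASSWD_LEN = 8  # sudo tgetpass.c's default _PASSWD_LEN, as described in the reply


def _to64(v: int, n: int) -> bytes:
    """crypt(3)-style base-64 of the low 6*n bits of v, least significant first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return bytes(out)


def md5crypt(pw: bytes, salt: bytes) -> bytes:
    """$1$ MD5 crypt as in FreeBSD libcrypt: every byte of pw is hashed, none dropped."""
    salt = (salt[3:] if salt.startswith(b"$1$") else salt).split(b"$")[0][:8]
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:  # mix in the alternate digest, 16 bytes per 16 bytes of password
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(pw)
    while n:  # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    triples = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    body = b"".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in triples)
    return b"$1$" + salt + b"$" + body + _to64(f[11], 2)


def tgetpass(typed: bytes, passwd_len: int = PASSWD_LEN) -> bytes:
    """Model of a fixed-size prompt buffer (assumed): only the first passwd_len bytes survive."""
    return typed[:passwd_len]


def sudo_auth(typed: bytes, stored: bytes, passwd_len: int = PASSWD_LEN) -> bool:
    """Hash what the prompt kept, using the salt from the stored field, and compare."""
    return md5crypt(tgetpass(typed, passwd_len), stored) == stored
```

With the default 8-byte buffer the 9-character password from the report never verifies, and typing only its first 8 characters does not help either, because the MD5 scheme hashed all 9 when the password was set; only a larger prompt buffer fixes it.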
