From owner-freebsd-bugs Mon Aug 26 19:10:04 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA07622 for bugs-outgoing; Mon, 26 Aug 1996 19:10:04 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA07616; Mon, 26 Aug 1996 19:10:03 -0700 (PDT)
Date: Mon, 26 Aug 1996 19:10:03 -0700 (PDT)
Message-Id: <199608270210.TAA07616@freefall.freebsd.org>
To: freebsd-bugs
Cc:
From: Marc Slemko
Subject: Re: ports/1520: sudo misses certain passwords
Reply-To: Marc Slemko
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR ports/1520; it has been noted by GNATS.

From: Marc Slemko
To: Julian Elischer
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: ports/1520: sudo misses certain passwords
Date: Sun, 25 Aug 1996 23:24:44 -0600 (MDT)

On Wed, 21 Aug 1996, Julian Elischer wrote:

> Andrew Stevenson wrote:
>
> >Description:
> >
> > If a user has one of a number of passwords and tries to use sudo, sudo will not recognise their password. It continues as if you have got it wrong. Change the password and it works fine. The password works fine to log in with.
> >
> > >How-To-Repeat:
> >
> > One of the affected passwords is "martha:my". There are others but I can't remember them off hand... I will ask around our users if you need them.
>
> The standard password utility truncates the password at 8 chars;
> sudo doesn't.
>
> Tell the user to only type "martha:m"
> or use a shorter password.
> I patched it here (it's trivial) but lost the patch exactly.
> It's of the form
>
> passwd[8] = 0; /* truncate password */

I think they are more likely using MD5 passwords (either libscrypt or libdescrypt, which calls libscrypt if it gets an MD5 password, i.e. one starting with '$1$'), which can be longer than 8 characters, but sudo links, by default, against its own tgetpass routine instead of the standard getpass.
In sudo's tgetpass.c there is a define around line 70 for the password length (_PASSWD_LEN) that defaults to 8 characters. When a password is longer than this, it breaks. The solution is to either use the standard getpass (which is easy to do, but isn't really desirable, because tgetpass has a timeout built in, which is the main reason for tgetpass to exist) or define _PASSWD_LEN to something more appropriate.

The trick is that they could also be using libdescrypt, which does truncate passwords at 8 characters, so simply increasing the define _may_ break things for people using descrypt. Other workarounds such as the one suggested above can work, but aren't really correct.

-- 
Marc Slemko
1:342/1003@fidonet
marcs@alive.ampr.ab.ca
marcs@alive.ersys.edmonton.ab.ca
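To make the failure mode described in the reply concrete, here is an added illustration (it is not sudo's code and not from anyone in this thread): a prompt routine that truncates at a _PASSWD_LEN-style limit, fed to stand-in verifiers that mimic the 8-character significance of DES crypt and the full-length significance of MD5 crypt. The verifiers compare plaintext and are an assumption standing in for crypt(3), as is the login-style path that uses an untruncated getpass().

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for _PASSWD_LEN in sudo's tgetpass.c; 8 is the default the reply quotes. */
#define DEFAULT_PASSWD_LEN 8

/* Model of a fixed-length prompt routine: copies at most 'limit' characters and
 * silently drops the rest; input is a string, not the terminal, so this runs offline. */
static void prompt_truncating(const char *typed, size_t limit,
                              char *out, size_t outlen)
{
    size_t n = strlen(typed);
    if (n > limit) n = limit;            /* the silent truncation */
    if (n > outlen - 1) n = outlen - 1;  /* never overrun the caller's buffer */
    memcpy(out, typed, n);
    out[n] = '\0';
}

/* Stand-in verifiers (plaintext comparison, NOT real crypt(3)): DES-style
 * crypt uses only the first 8 characters, MD5-style ($1$) uses all of them. */
static int verify_des_like(const char *stored, const char *candidate)
{
    return strncmp(stored, candidate, 8) == 0;
}
static int verify_md5_like(const char *stored, const char *candidate)
{
    return strcmp(stored, candidate) == 0;
}

/* login-style path: getpass() hands the verifier everything that was typed. */
int login_accepts(const char *stored, const char *typed, int md5)
{
    return md5 ? verify_md5_like(stored, typed) : verify_des_like(stored, typed);
}

/* sudo-style path: the prompt truncates at passwd_len before verifying. */
int sudo_accepts(const char *stored, const char *typed, int md5, size_t passwd_len)
{
    char buf[256];
    prompt_truncating(typed, passwd_len, buf, sizeof buf);
    return md5 ? verify_md5_like(stored, buf) : verify_des_like(stored, buf);
}

int main(void)
{
    const char *pw = "martha:my";  /* the 9-character password from the PR */
    printf("login: %d  sudo(len 8): %d  sudo(len 128): %d\n", login_accepts(pw, pw, 1),
           sudo_accepts(pw, pw, 1, DEFAULT_PASSWD_LEN), sudo_accepts(pw, pw, 1, 128));
    return 0;
}
```

With an MD5-style verifier the 9-character password passes the login path and fails the sudo path at the default limit, while the DES-style verifier accepts it either way, which is exactly the asymmetry the report describes.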