Date: Wed, 27 Jun 2001 10:54:54 +1000 (EST)
From: Gregory Bond <gnb@itga.com.au>
To: FreeBSD-gnats-submit@freebsd.org
Cc: ksb@fedex.com, obrien@freebsd.org
Subject: ports/28432: [patch] comms/conserver fails with MD5 passwords
Message-ID: <200106270054.f5R0sso18175@hellcat.itga.com.au>
>Number:         28432
>Category:       ports
>Synopsis:       [patch] comms/conserver fails with MD5 passwords
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 26 18:00:13 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Gregory Bond
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
ITG Australia Limited
>Environment:
System: FreeBSD hellcat.itga.com.au 4.3-STABLE FreeBSD 4.3-STABLE #21: Mon Jun 18 13:41:36 EST 2001 toor@hellcat.itga.com.au:/usr/obj/usr/src/sys/Hellcat i386
>Description:
"What we have here is a failure to authenticate!"

The conserver port normally requires a password to allow users to attach to a console. There is support in the original program for MD5 checksums under FreeBSD (which the port naturally enables), but this seems to have been written for older (2.2.x?) versions of FreeBSD, when MD5 passwords took special handling in the application for dealing with MD5 $1$xxxxxx$-style salts. Since a bit after the 4.1 release (I think; perhaps it was after the Great Crypto Upheaval of '00), MD5 passwords have been supported using the native crypt() function with no special application handling either needed or tolerated. So the current conserver port cannot authenticate against MD5 passwords when run on modern FreeBSD systems.
>How-To-Repeat:
Install conserver on a system with MD5 passwords for root. Attempt to connect using the console program in non-trusted mode. Note failure to authenticate.
>Fix:
Add the following patch to the ports framework. This patch disables the special handling of MD5 passwords on 4.x or greater systems. This may break early 4.0-ish systems, but I don't know how to specify the version with more granularity, nor exactly when this stuff changed!
[Port maintainer and conserver original author CC'd]

--- etc/conserver/group.c.dist Tue Jun 26 17:35:12 2001 +++ etc/conserver/group.c Wed Jun 27 10:16:42 2001 @@ -196,6 +196,14 @@ * * $Id: group.c,v 8.6 2000/05/09 00:42:32 ksb Exp $ */ +#if defined(FREEBSD) && __FreeBSD__ >= 4 +static int +MD5CheckPass(pcPass, pcWord) + char *pcPass, *pcWord; +{ + return 0 == strcmp(pcPass, crypt(pcWord, pcPass)); +} +#else static int MD5CheckPass(pcPass, pcWord) char *pcPass, *pcWord; @@ -222,6 +230,7 @@ /* Don't hesitate; authenticate! */ return 0 == strcmp(pcPass, crypt(pcWord, acSalt)); } +#endif int CheckPass(pwd, pcEPass, pcWord)

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
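Review bot: in the first hunk (@@ -196,6 +196,14 @@) the new MD5CheckPass feeds crypt()'s return value straight into strcmp(); crypt(3) returns NULL when it cannot handle the setting string (an unrecognised salt prefix, or a locked-account field such as "*" passed as the salt), and strcmp() on NULL takes the authentication path down with a segfault rather than a clean "no". Capture the result and check it first, e.g. `char *pcTry = crypt(pcWord, pcPass); return pcTry != NULL && 0 == strcmp(pcPass, pcTry);`. The `__FreeBSD__ >= 4` guard is also coarser than the behaviour it tracks, as the submitter notes; FreeBSD provides `__FreeBSD_version` (from <osreldate.h>, also visible via <sys/param.h>) for exactly this, so once the release in which crypt(3) started accepting `$1$` settings natively is pinned down, gate on that value and record it in a comment beside the #if.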
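Review bot: in the second hunk (@@ -222,6 +230,7 @@) the bare `+#endif` sits about thirty lines and a whole function body away from the `#if defined(FREEBSD) && __FreeBSD__ >= 4` / `#else` it closes, with nothing to tie them together; tag it `#endif /* FREEBSD && __FreeBSD__ >= 4 */` so a reader landing on the old salt-building MD5CheckPass can tell at a glance that it is now the fallback for non-FreeBSD and pre-4 builds only. A one-line comment on the new version above saying why it hands pcPass to crypt() unchanged (the `$1$salt$` prefix is already in the stored field and the library parses it) would save the next maintainer from re-adding the special handling.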
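The following is an added example, not conserver's code and not part of the patch above. It shows the idiom the patched MD5CheckPass relies on: the stored `$1$salt$hash` field is handed back to crypt() as the setting string and the result compared to the field. Because a portable runner may have no crypt(3) that accepts `$1$`, the block carries its own implementation of the FreeBSD md5crypt scheme (the same salt-prefix handling the old conserver code did by hand) behind a tiny crypt() look-alike. The names `md5crypt`, `crypt` and `md5_check_pass`, and the sample passwords, are this example's own; a NULL (here `None`) result is checked before comparison, which the patch's one-liner does not do.

```python
import hashlib
from typing import Optional

# Added example: a stand-in for crypt(3)'s "$1$" (md5crypt) scheme so the
# check below runs without a system crypt library. Not conserver's code.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """crypt-style base64: emit the least-significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """Return the "$1$salt$hash" string for password under the md5crypt scheme."""
    salt = salt[:8]  # the scheme uses at most eight salt characters
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:  # mix in the alternate digest, 16 bytes per password length
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(password)
    while i:  # one byte per bit of the length: NUL for a set bit, pw[0] otherwise
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # the 1000 slow-down rounds, alternating inputs
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (MAGIC + salt).decode() + "$" + out


def crypt(word: bytes, setting: str) -> Optional[str]:
    """Minimal crypt(3) look-alike: parses the salt out of a "$1$..." setting.

    Returns None for any other setting, mirroring crypt(3) returning NULL when
    it cannot handle the salt (for example a locked-account field such as "*").
    """
    if not setting.startswith("$1$"):
        return None
    salt = setting[3:].split("$", 1)[0].encode()
    return md5crypt(word, salt)


def md5_check_pass(pc_pass: str, pc_word: bytes) -> bool:
    """The patched MD5CheckPass idea: the stored field is itself the setting.

    Unlike the one-line C version, a failed crypt() is treated as "no match"
    instead of being handed to strcmp().
    """
    hashed = crypt(pc_word, pc_pass)
    return hashed is not None and hashed == pc_pass


if __name__ == "__main__":
    # Constructed sample: a stored field for the password "hunter2" (not a real account).
    stored = md5crypt(b"hunter2", b"9Zq1sALT")
    print(stored)
    print(md5_check_pass(stored, b"hunter2"), md5_check_pass(stored, b"hunter3"))
    print(md5_check_pass("*", b"hunter2"))  # locked field: no crash, no match
```

The block is pure Python, so it says nothing about which salts a given libc accepts; on a host whose crypt(3) handles `$1$` natively, `md5crypt(pw, salt)` should agree with `crypt(pw, "$1$" + salt + "$")` from the system library, which is the property the patch counts on.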
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200106270054.f5R0sso18175>