Date: Wed, 17 Mar 2010 06:10:03 GMT
Message-Id: <201003170610.o2H6A32B083743@freefall.freebsd.org>
To: freebsd-ports-bugs@FreeBSD.org
From: "Mikhail T."
Subject: Re: ports/144247: security/pam_pwdfile: in openpam_load_module(): no /usr/local/lib/pam_pwdfile.so found

The following reply was made to PR ports/144247; it has been noted by GNATS.

From: "Mikhail T."
To: Michael Schout
Cc: bug-followup@FreeBSD.org, vinzstyle@free.fr
Subject: Re: ports/144247: security/pam_pwdfile: in openpam_load_module(): no /usr/local/lib/pam_pwdfile.so found
Date: Wed, 17 Mar 2010 01:37:24 -0400

On 16.03.2010 21:47, Michael Schout wrote:
> pam_pwdfile 0.99 was completely broken.
>
> See http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/138483
>
> It was fixed in 0.99_1

Ok, cool. So the 144247 can be closed now?

That said, I'm not sure about Linux, but on FreeBSD crypt(3) implements several algorithms by itself -- including the original (DES), and md5.

If you have a working installation using this pam-module, would you care to test the attached changes? The patch-bsd-crypt just needs to be dropped into files/. The Makefile.bsd replaces the one currently there... This would reduce the size of the module while expanding the set of algorithms...

Thanks! Yours,
-mi

Content-Disposition: attachment; filename="Makefile.bsd"

# inspired from pam-pgsql port :-)

SRCS=		pam_pwdfile.c \
		bigcrypt.c \
		md5.c \
		md5_crypt.c
SHLIB_NAME=	pam_pwdfile.so
LDADD=		-lpam -lcrypt
CFLAGS+=	-Wall -D_BSD_SOURCE
CFLAGS+=	-D'MD5Name(x)=Broken\#\#x'
LIBDIR=		${LOCALBASE}/lib

.include

Content-Disposition: attachment; filename="patch-bsd-crypt"

--- pam_pwdfile.c 2003-12-20 14:21:19.000000000 -0500 +++ pam_pwdfile.c 2010-03-17 00:49:38.000000000 -0400 @@ -42,7 +42,7 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include + #include #include #include @@ -234,6 +234,13 @@ int use_flock = 0; int use_delay = 1; int temp_result = 0; + int i; + const char * const crypt_methods[] = { + "des", + "md5", + "blf", /* Blowfish */ + "nth" /* Windows NT-hash scheme */ + }; /* we require the pwdfile switch and argument to be present, else we don't work */ /* pcnt is the parameter counter variable for iterating through argv */ @@ -340,6 +347,7 @@ fclose(pwdfile); return PAM_AUTHINFO_UNAVAIL; } + fclose(pwdfile); /* DEBUG */ D(_pam_log(LOG_ERR,"got crypted password == '%s'", stored_crypted_password)); 
@@ -344,50 +352,56 @@ /* DEBUG */ D(_pam_log(LOG_ERR,"got crypted password == '%s'", stored_crypted_password)); - temp_result = 0; - /* Extract the salt and set the passwd length, depending on MD5 or DES */ - if (strncmp(stored_crypted_password, "$1$", 3) == 0) { - D(_pam_log(LOG_ERR,"password hash type is 'md5'")); - /* get out the salt into "salt" */ - strncpy(salt, stored_crypted_password, 11); - salt[11] = '\0'; - stored_crypted_password[CRYPTED_MD5PWD_LEN] = '\0'; - /* try both md5 crypts */ - crypted_password = Goodcrypt_md5(password, salt); - if (strcmp(crypted_password, stored_crypted_password) == 0) - { + /* + * First go through the methods supported by crypt(3) + */ + for (i = 0; i < sizeof(crypt_methods)/sizeof(*crypt_methods); i++) { + if (!crypt_set_format(crypt_methods[i])) { + D(_pam_log(LOG_ERR, "Method '%s' unknown to crypt-implementation", + crypt_methods[i])); + continue; + } + crypted_password = crypt(password, stored_crypted_password); + if (strcmp(stored_crypted_password, + crypted_password) == 0) { temp_result = 1; + D(_pam_log(LOG_ERR, "password hash type is '%s'", + crypt_methods[i])); + goto solved; } - else - { + } + + /* + * Check other odd methods, not currently supported by + * BSD's crypt(3), but only if something hints at their + * use. 
+ */ + if (strncmp("$1$", stored_crypted_password, 3) == 0) { crypted_password = Brokencrypt_md5(password, salt); - if (strcmp(crypted_password, stored_crypted_password) == 0) - { + if (strcmp(crypted_password, stored_crypted_password) == 0) { + D(_pam_log(LOG_ERR, "password hash type is '%s'", + "brokenmd5")); temp_result = 1; + goto solved; } - } - } else { + } else if (strlen(stored_crypted_password) > CRYPTED_DESPWD_LEN) { /* get the salt out into "salt" */ strncpy(salt, stored_crypted_password, 2); salt[2] = '\0'; stored_crypted_password[CRYPTED_BCPWD_LEN] = '\0'; - if (strlen(stored_crypted_password) <= CRYPTED_DESPWD_LEN) { - D(_pam_log(LOG_ERR,"password hash type is 'crypt'")); - crypted_password = crypt(password, salt); - } else { - D(_pam_log(LOG_ERR,"password hash type is 'bigcrypt'")); - crypted_password = bigcrypt(password, salt); - } + crypted_password = bigcrypt(password, salt); if (strcmp(crypted_password, stored_crypted_password) == 0) { + D(_pam_log(LOG_ERR,"password hash type is 'bigcrypt'")); temp_result = 1; } } +solved: /* DEBUG */ D(_pam_log(LOG_ERR,"user password crypted is '%s'", crypted_password)); @@ -395,7 +409,6 @@ if (!temp_result) { _pam_log(LOG_ERR,"wrong password for user %s",name); - fclose(pwdfile); return PAM_AUTH_ERR; } @@ -403,7 +416,6 @@ D(_pam_log(LOG_ERR,"passwords match")); /* we've gotten here, i.e. authentication was sucessful! */ - fclose(pwdfile); return PAM_SUCCESS; } --------------050700090802020506010109--
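
Review bot: In the hunk at @@ -234,6 +234,13 @@, the new "int i" is later used as the loop index compared against sizeof(crypt_methods)/sizeof(*crypt_methods), which is a signed/unsigned comparison; declare it as size_t to match the bound. The crypt_methods table never changes, so it can also be declared static const rather than being set up on each call.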
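
Review bot: In the hunk at @@ -344,50 +352,56 @@, the "$1$" branch still calls Brokencrypt_md5(password, salt), but the lines that filled salt (strncpy(salt, stored_crypted_password, 11); salt[11] = '\0';) and cut the stored hash at CRYPTED_MD5PWD_LEN are removed, so in the visible lines salt is never set on that path. Those lines should be kept at the top of the "$1$" branch. In the loop above it, the result of crypt(password, stored_crypted_password) is passed straight to strcmp(); crypt(3) returns NULL on failure, so a check such as "if (crypted_password == NULL) continue;" is needed before the comparison, and the debug log after the solved: label should not print crypted_password with '%s' when it is NULL.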