[users@httpd] Authentication on Solaris fails when password > 8 chars and using MD5 encoded passwords (or digest)

Hi,

I've looked through FAQ and bugdatabase but I could not find a reference to
the following problem

When adding a user to my AuthUserFile with a password > 8 chars that is MD5
hashed (-m option to htpasswd) on Solaris, authentication to the webserver
will fail. This is caused by the fact that htpasswd (or htdigest) use
getpass() (in ap_getpass::ap_getpass.c) to have the user enter their
password. getpass on Solaris accepts password string lengths up to 8 chars
(PASS_MAX); the rest is truncated.

During password verification the truncated string is matched against the
full password sent by the client, which will fail of course. (With crypt this
is not a problem since crypt() will also use the first 8 chars only.)

When replacing getpass() with getpassphrase() on Solaris (does the same but
with passwords up to 256 chars) all works fine, but this is not a portable
solution I guess.
Another option would be truncating the password that the client had sent to
8 chars before validating (but many people like longer passwords for their
better strength).

Any thoughts for a portable fix?

THNX

Marcel
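An added example, not code from the original post or from httpd: a portable replacement for the getpass() call described above, built on termios and fgets with a caller-chosen buffer size, so that a password longer than 8 characters is read in full rather than silently cut at PASS_MAX. The function names and the 256-byte buffer are assumptions; an over-long line is rejected (return -2) instead of truncated, and the terminal echo is switched off only when stdin is a tty.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Read one line from `in` into buf (cap bytes, NUL included) and strip the
 * trailing newline. Returns the number of characters stored, -1 if nothing
 * could be read, or -2 if the line did not fit: the rest is drained and buf
 * cleared, so an over-long password is rejected, not silently shortened. */
long read_passphrase_line(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (long)len;
    }
    int c = fgetc(in);                   /* no newline: EOF, or line too long */
    if (c == EOF) return (long)len;
    while (c != '\n' && c != EOF) c = fgetc(in);   /* drain the excess */
    memset(buf, 0, cap);
    return -2;
}

/* Terminal front end (hypothetical getpass() substitute): prompt, switch
 * echo off while the user types, then restore the saved terminal state. */
long read_passphrase(const char *prompt, char *buf, size_t cap)
{
    struct termios saved, noecho;
    int tty = isatty(STDIN_FILENO) && tcgetattr(STDIN_FILENO, &saved) == 0;
    if (tty) {
        fputs(prompt, stderr); fflush(stderr);
        noecho = saved; noecho.c_lflag &= ~(tcflag_t)ECHO;
        tcsetattr(STDIN_FILENO, TCSAFLUSH, &noecho);
    }
    long n = read_passphrase_line(stdin, buf, cap);
    if (tty) { tcsetattr(STDIN_FILENO, TCSAFLUSH, &saved); fputc('\n', stderr); }
    return n;
}

/* Offline helper: feed a constructed input string through the line reader. */
long read_from_string(const char *input, char *buf, size_t cap)
{
    FILE *f = tmpfile();                 /* constructed input, not a tty */
    if (f == NULL) return -1;
    fputs(input, f); rewind(f);
    long n = read_passphrase_line(f, buf, cap);
    fclose(f);
    return n;
}
```

Calling read_from_string() with cap 9 reproduces the PASS_MAX limit: a 19-character password is refused outright rather than stored as its first 8 characters, which is the mismatch the verification step above would otherwise hit.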


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.