md5 passwds not working (suse 7.3) (NOW FIXED)


[SIGH]  Sorry for the flurry but I thought this info should be added
here for the purposes of the archive.  I suspect what Olaf describes
in the attached message is the same problem I was having with my
compile of cups before I upgraded pam.

In short, it is a -lcrypt vs -lcrypto ordering issue in suse's 7.3 and
earlier pam rpms.

Therefore, adding:

        export LD_PRELOAD=/usr/lib/libcrypt.so

to the top of the /etc/init.d/cups file probably would have solved
things for me, rather than having to update pam....

-JimC



Date: Wed, 26 Jun 2002 13:36:33 +0200
From: Olaf Kirch <okir@suse.de>
To: suse-security@suse.com
Message-ID: <20020626133633.C19096@wotan.suse.de>
Subject: [suse-security] OpenSSH and MD5 passwords

I investigated this issue and found the problem...

Note that this has nothing to do with the "OpenSSH and PAM
is broken" issue; that is about password expiry and changing
your password as you try to log on.

The MD5 problem does not occur on all platforms; it only occurs
on 7.3 and earlier. It is caused by a symbol mess-up with libcrypt
vs OpenSSL's libcrypto. The pam_unix module calls crypt() to
hash the supplied password; normally this will call crypt()
from libcrypt.so (note missing o before dot :). This crypt
implementation understands Linux password extensions, such
as signaling MD5 passwords by prefixing the salt with $1$.

With the new OpenSSH, link order or whatever has changed,
causing it to pick up crypt() from libcrypto.so, which does
not understand these extensions.

As a quick workaround, edit /etc/init.d/sshd and add the following
line before sshd is started:

	export LD_PRELOAD=/usr/lib/libcrypt.so

This should cause the correct crypt function to be picked up.

Sorry for this confusion. We'll make sure to add tests using
md5 passwords to our test database.

Olaf
-- 
Olaf Kirch     |  Anyone who has had to work with X.509 has probably
okir@suse.de   |  experienced what can best be described as
---------------+  ISO water torture. -- Peter Gutmann

-- 
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
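
Added example, not part of either message above and not SUSE's code: a small C check for the failure described in the thread. It classifies what crypt() returns for a "$1$" salt as MD5-aware or as a traditional 13-character result that used only the first two salt characters. The salt, the stand-in result, the file name probe.c and the names classify_crypt_result and USE_SYSTEM_CRYPT are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#ifdef USE_SYSTEM_CRYPT          /* build: cc -DUSE_SYSTEM_CRYPT probe.c -lcrypt */
#include <crypt.h>
#endif

enum crypt_kind { CRYPT_FAILED, CRYPT_MD5_AWARE, CRYPT_DES_FALLBACK, CRYPT_UNKNOWN };

/* Alphabet used for the hash part of crypt() output. */
static const char HASH_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Classify what crypt(key, salt) returned for a salt of the form "$1$<salt>$". */
enum crypt_kind classify_crypt_result(const char *salt, const char *out)
{
    size_t n = strlen(salt);

    if (out == NULL)
        return CRYPT_FAILED;
    /* MD5-aware: the whole "$1$<salt>$" prefix is echoed, then 22 hash chars. */
    if (strncmp(out, salt, n) == 0 && strlen(out) == n + 22 &&
        strspn(out + n, HASH_CHARS) == 22)
        return CRYPT_MD5_AWARE;
    /* Traditional crypt: only salt[0..1] ("$1") is used and 13 chars come back,
       so the result can never equal a stored "$1$..." entry. */
    if (strlen(out) == 13 && out[0] == salt[0] && out[1] == salt[1])
        return CRYPT_DES_FALLBACK;
    return CRYPT_UNKNOWN;
}

int main(void)
{
    static const char *names[] = { "failed", "MD5-aware", "DES fallback", "unknown" };
    const char *salt = "$1$abcdefgh$";                /* constructed salt */
    int rc = 0;

    /* Constructed stand-in: the shape of a traditional result, not a real hash. */
    printf("stand-in: %s\n", names[classify_crypt_result(salt, "$1abcdefghijk")]);
#ifdef USE_SYSTEM_CRYPT
    /* Whatever crypt() this process was bound to at link/load time. */
    enum crypt_kind live = classify_crypt_result(salt, crypt("test-password", salt));
    printf("this process: %s\n", names[live]);
    rc = (live == CRYPT_MD5_AWARE) ? 0 : 1;           /* non-zero: MD5 logins would fail */
#endif
    return rc;
}
```

Built with -DUSE_SYSTEM_CRYPT and linked against the same libraries in the same order as the daemon in question, the exit status shows whether that link order binds an MD5-aware crypt(); running it again with the LD_PRELOAD workaround set shows whether the workaround changes the result.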
