On Tue, May 28, Andrew Morgan wrote:

> I'm not confident about accepting this (pam_unix) bug report and patch:
>
> http://sourceforge.net/tracker/index.php?func=detail&aid=521314&group_id=6663&atid=106663
>
> Unfortunately, the originator didn't provide contact information, so I'm
> unable to follow up directly with him.
>
> Basically, I can't confirm what is wrong with the code without the
> patch. The str[n]cmp seems to force the comparison to be abbreviated
> string if the salt is smaller than the encrypted password (NUL
> termination is not the issue since everything appears to be NUL
> terminated).
>
> Is this a legacy issue? (Something like bigcrypt thinks you want a
> bigcrypted password if you type a long password in - even when the
> stored encrypted password was truncated before encryption - that is the
> storage process didn't use bigcrypt?)
>
> I'd be happy if someone could comment/confirm that this is indeed a
> correct patch.

I don't think that this patch is correct. I can imagine only about
two problems: he uses HP-UX password aging, where extra stuff is
appended to the password field. But the correct solution would be
to remove this extra data (it is separated with a ","), not to
truncate the.

The second one is that he mixes bigcrypt and DES passwords. He has
a DES password in the passwd file and uses bigcrypt to compare it with
a longer one.

But in every case, this patch is wrong. Extra information has to be
removed before and in the second case he should fix his configuration.

  Thorsten

--
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Deutschherrnstr. 15-19        D-90429 Nuernberg
--------------------------------------------------------------------
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B
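
The two cases discussed in this thread, as an added example that is not part of the original messages and not pam_unix code: a comparison that strips the ","-separated aging data and then requires a full match, next to a strncmp() bounded by the stored field's length. All function names are hypothetical, the strncmp() form is an assumption based on the description quoted above (the patch itself is not shown), and the hash strings are constructed placeholders, not real crypt() or bigcrypt() output.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample values (placeholders, not real hashes). */
#define SHORT_HASH "ab0123456789A"            /* 13 chars, DES-crypt sized */
#define LONG_HASH  "ab0123456789AxyzXYZ01234" /* longer, shares the prefix */
#define AGED_FIELD "ab0123456789A,M.z8"       /* hash plus aging suffix    */

/* Copy the hash part of a password field, dropping anything after ','. */
static int strip_aging(const char *field, char *out, size_t outlen)
{
    size_t n = strcspn(field, ",");
    if (n >= outlen)
        return -1;
    memcpy(out, field, n);
    out[n] = '\0';
    return 0;
}

/* Strict check: remove aging data first, then require equal length and
 * equal bytes. An empty stored hash never matches (a choice made for this
 * example). */
static int verify_strict(const char *computed, const char *field)
{
    char stored[128];
    unsigned char diff = 0;
    size_t i, len;

    if (strip_aging(field, stored, sizeof stored) != 0 || stored[0] == '\0')
        return 0;
    len = strlen(stored);
    if (strlen(computed) != len)
        return 0;
    for (i = 0; i < len; i++)
        diff |= (unsigned char)(computed[i] ^ stored[i]);
    return diff == 0;
}

/* Truncating check: only the first strlen(field) bytes are compared. */
static int verify_prefix(const char *computed, const char *field)
{
    return strncmp(computed, field, strlen(field)) == 0;
}

int main(void)
{
    printf("aging field:  strict=%d prefix=%d\n",
           verify_strict(SHORT_HASH, AGED_FIELD), verify_prefix(SHORT_HASH, AGED_FIELD));
    printf("longer hash:  strict=%d prefix=%d\n",
           verify_strict(LONG_HASH, SHORT_HASH), verify_prefix(LONG_HASH, SHORT_HASH));
    printf("empty stored: strict=%d prefix=%d\n",
           verify_strict(SHORT_HASH, ""), verify_prefix(SHORT_HASH, ""));
    return 0;
}
```

The bounded comparison does not help with the aging suffix, and it accepts a longer computed hash (or any hash at all when the stored field is empty), so the mixed DES/bigcrypt setup would go unnoticed instead of being fixed.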