On Mon, 18 Sep 2000, Kelli Wolfe wrote:

> I'm beginning to suspect that my RedHat 6.2 installation
> isn't really supporting MD5 hashing on the passwords, even
> though I specified MD5 at install as well as on the
> password lines of the PAM files. Is there a way to
> verify this theory?

RedHat supports MD5 passwords natively through glibc. However...

> If I try to change my password to something greater than
> 18 chars in length, I get the message "BAD PASSWORD: is
> too similiar to the old one". Bad spelling aside, this
> seems to be a bogus message because the new password is
> totally different. If I enter it with 18 or less chars,
> the password is accepted.

I had a look at the pam_cracklib source, and the logic in the function
similiar() looks quite screwy to me: if you have a 5-character password,
and you try to change it to a 40-character password, the passwords will
be declared "too similar" if 3 of the letters from the old password show
up in the new password?

I'm attaching a patch which makes pam_cracklib nicer to people who are
making their new passwords longer. This may or may not be the Right
Thing, but it seems better than the status quo. Andrew, how do you feel
about this change?

For those who don't feel like patching PAM on their systems, there's also
the option of adding a 'difok=' option to the pam config, which specifies
the minimum number of characters that must be different between old and
new passwords. So for example,

    password required /lib/security/pam_cracklib.so difok=5

specifies that if at least 5 of the characters in the old password do NOT
appear in the new password, it will be accepted.

> My shadow file has a password entry like this:
> :$1$s6cSJvNT$PSJJzm/IaL/LnbJJr0qc..:
> Which if I'm understanding correctly, is supposed to be
> MD5 because of the $1$ in the salt portion...? What I'm
> trying to do is put MD5 passwords in my LDAP directory,
> but I can't find a true MD5 password.

These are MD5 passwords, yes.

IIRC, LDAP doesn't use the same format for md5 passwords as that used in
/etc/shadow. It seems to me that this is more of an LDAP question than a
PAM question, though.

Steve Langasek
postmodern programmer
Index: pam_cracklib.c =================================================================== RCS file: /cvsroot/pam/Linux-PAM/modules/pam_cracklib/pam_cracklib.c,v retrieving revision 1.1.1.1 diff -u -w -r1.1.1.1 pam_cracklib.c --- pam_cracklib.c 2000/06/20 22:11:32 1.1.1.1 +++ pam_cracklib.c 2000/09/18 22:33:05 @@ -232,7 +232,7 @@ * is longer than 20 bytes (MD5) */ -static int similiar(struct cracklib_options *opt, const char *old, const char *new) +static int similar(struct cracklib_options *opt, const char *old, const char *new) { int i, j; @@ -240,6 +240,9 @@ if (strchr (new, old[i])) j++; + if (strlen(new) > strlen(old)) + i += (strlen(new) - strlen(old)); + if (j >= opt->diff_ok || i >= j * 2) return 0; @@ -332,8 +335,8 @@ if (!msg && strcmp(oldmono, newmono) == 0) msg = "case changes only"; - if (!msg && similiar(opt, oldmono, newmono)) - msg = "is too similiar to the old one"; + if (!msg && similar(opt, oldmono, newmono)) + msg = "is too similar to the old one"; if (!msg && simple(opt, old, new)) msg = "is too simple";
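Review bot: the diff was generated with `-w`, so whitespace-only differences are suppressed and the indentation of the added lines cannot be checked against the file's style from this patch; please regenerate without `-w` before committing. The rename in the first hunk from `similiar` to `similar` is safe locally because the function is `static`, but grep the module for any remaining use of the old spelling (comments included) so the rename is complete.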
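Review bot: in the second hunk, `i += (strlen(new) - strlen(old));` inflates `i` beyond the number of positions actually compared, so the `i >= j * 2` test below it now returns 0 ("not similar") for any new password at least twice as long as the old one regardless of its content; with `old` repeated twice, `j == strlen(old)` and `i == 2 * j`, and the check passes. That removes the guard exactly where it was meant to bite. Suggest keeping `i` as the compared length and putting the surplus in its own variable, e.g. `int extra = strlen(new) - strlen(old);`, so it can be bounded (for instance never counting more than `opt->diff_ok` extra characters) rather than added unconditionally. Also compute `strlen(new)` and `strlen(old)` once into locals instead of three times across two lines.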
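Review bot: the third hunk changes the user-visible string "is too similiar to the old one" to "is too similar to the old one"; the fix is right, but note it in the changelog, since anything matching on the old text (expect scripts, test suites, documentation) will need updating.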
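To make the two behaviours discussed in the message concrete (the similiar() logic Steve describes, the effect of his patch, and the difok= knob), here is an added, stand-alone re-implementation of the check before and after the patch. It is illustration code written for this page, not pam_cracklib's own source. The counting and threshold lines follow the patch context; the loop bound (walk both strings in lockstep and stop at the end of the shorter one) and the default diff_ok of 10 are assumptions. Note what the visible lines actually count: j is the number of old-password characters that also occur somewhere in the new one, and the pair is accepted when j reaches diff_ok or when fewer than half of the compared positions matched.

```c
/* Added illustration of pam_cracklib's old/new password similarity test,
 * pre- and post-patch. Not the module's own code. */
#include <stdio.h>
#include <string.h>

struct cracklib_options {
    int diff_ok;   /* the 'difok=' module argument; 10 assumed as default */
};

/* Pre-patch logic: returns 1 when the pair is judged "too similar", else 0. */
int similar_before(const struct cracklib_options *opt, const char *oldpw, const char *newpw)
{
    int i, j;

    /* i: positions compared (bounded by the shorter string; loop bound assumed)
     * j: characters of oldpw[0..i) that occur anywhere in newpw */
    for (i = j = 0; newpw[i] && oldpw[i]; i++)
        if (strchr(newpw, oldpw[i]))
            j++;

    /* accepted when enough old characters reappear (j >= diff_ok) or when
     * fewer than half of the compared positions matched (i >= 2j) */
    if (j >= opt->diff_ok || i >= j * 2)
        return 0;
    return 1;
}

/* Post-patch logic: a longer new password adds its length surplus to i. */
int similar_after(const struct cracklib_options *opt, const char *oldpw, const char *newpw)
{
    int i, j;
    size_t oldlen = strlen(oldpw), newlen = strlen(newpw);

    for (i = j = 0; newpw[i] && oldpw[i]; i++)
        if (strchr(newpw, oldpw[i]))
            j++;

    /* the patch's addition: every extra character counts as a non-match */
    if (newlen > oldlen)
        i += (int)(newlen - oldlen);

    if (j >= opt->diff_ok || i >= j * 2)
        return 0;
    return 1;
}

int main(void)
{
    struct cracklib_options deflt = { 10 }, difok5 = { 5 };
    const char *oldpw = "secret";
    /* constructed sample new passwords: an unrelated long passphrase that the
     * old check rejects, the old password doubled (which the patched check
     * accepts), and a same-length string with no characters in common */
    const char *cases[] = { "correct horse battery staple", "secretsecret", "zzzzzz" };

    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++)
        printf("%-30s before=%d after=%d difok5=%d\n", cases[k],
               similar_before(&deflt, oldpw, cases[k]),
               similar_after(&deflt, oldpw, cases[k]),
               similar_before(&difok5, oldpw, cases[k]));
    return 0;
}
```

Run it and the first row shows Kelli's symptom: "correct horse battery staple" shares every letter of "secret", so j equals the whole old length and the pre-patch check calls it too similar, while difok=5 or the patch accepts it. The second row is the cost of the patch: "secretsecret" is also accepted, because doubling the length is enough to satisfy i >= 2j on its own.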