RE: md5 hashing on passwords?

Thank you for the patch, Steve.  I'm going to get it compiled and
tested with Andrew's constraints, however...

I'm trying to "make" in the pam-0.72 directory on my RedHat 6.2
system and I'm getting errors.  Basically we copied the source
tar file, pam-0.72-6.src.rpm, from the CD, untarred and tried to
make.  We're getting the following errors, any help would be great.

Thanks, Kelli

make[2]: Entering directory `/usr/local/src/pam-0.72/modules/pam_access'
mkdir -p ./dynamic
make[2]: Leaving directory `/usr/local/src/pam-0.72/modules/pam_access'
make[2]: glib-config: Command not found
make[2]: Entering directory `/usr/local/src/pam-0.72/modules/pam_console'
make[2]: glib-config: Command not found
mkdir -p ./dynamic
make[2]: glib-config: Command not found
make[2]: glib-config: Command not found
gcc  -DPAM_READ_BOTH_CONFS -D_GNU_SOURCE -DLINUX_PAM  -Wall -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow -fPIC -Dlinux -DPAM_DYNAMIC   -c pam_console.c -o dynamic/pam_console.o
make[2]: glib-config: Command not found
pam_console.c:23: warning: `/*' within comment
pam_console.c:27: glib.h: No such file or directory
In file included from pam_console.c:39:
pam_console.h:7: glib.h: No such file or directory
In file included from pam_console.c:475:
chmod.c:35: glib.h: No such file or directory
In file included from chmod.c:37,
                 from pam_console.c:475:
chmod.h:1: glib.h: No such file or directory
In file included from pam_console.c:477:
config.l:12: glib.h: No such file or directory
In file included from pam_console.c:478:
config.y:9: glib.h: No such file or directory
make[2]: *** [dynamic/pam_console.o] Error 1
make[2]: Leaving directory `/usr/local/src/pam-0.72/modules/pam_console'
make[1]: *** [all] Error 1
make[1]: Leaving directory `/usr/local/src/pam-0.72/modules'



-----Original Message-----
From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com] On Behalf Of Steve Langasek
Sent: Monday, September 18, 2000 5:38 PM
To: pam-list@redhat.com
Subject: Re: md5 hashing on passwords?


On Mon, 18 Sep 2000, Kelli Wolfe wrote:

> I'm beginning to suspect that my RedHat 6.2 installation
> isn't really supporting MD5 hashing on the passwords, even
> though I specified MD5 at install as well as on the
> password lines of the PAM files.  Is there a way to
> verify this theory?

RedHat supports MD5 passwords natively through glibc.  However...

> If I try to change my password to something greater than
> 18 chars in length, I get the message "BAD PASSWORD: is
> too similiar to the old one".  Bad spelling aside, this
> seems to be a bogus message because the new password is
> totally different.  If I enter it with 18 or less chars,
> the password is accepted.

I had a look at the pam_cracklib source, and the logic in the function
similiar() looks quite screwy to me: if you have a 5-character password, and
you try to change it to a 40-character password, the passwords will be
declared "too similar" if 3 of the letters from the old password show up in
the new password?

I'm attaching a patch which makes pam_cracklib nicer to people who are making
their new passwords longer.  This may or may not be the Right Thing, but it
seems better than the status quo.  Andrew, how do you feel about this change?

For those who don't feel like patching PAM on their systems, there's also the
option of adding a 'difok=' option to the pam config, which specifies the
minimum number of characters that must be different between old and new
passwords.  So for example,

password	required	/lib/security/pam_cracklib.so difok=5

specifies that if at least 5 of the characters in the old password do NOT
appear in the new password, it will be accepted.

> My shadow file has a password entry like this:
> 	:$1$s6cSJvNT$PSJJzm/IaL/LnbJJr0qc..:
> Which if I'm understanding correctly, is supposed to be
> MD5 because of the $1$ in the salt portion...?  What I'm
> trying to do is put MD5 passwords in my LDAP directory,
> but I can't find a true MD5 password.

These are MD5 passwords, yes.  IIRC, LDAP doesn't use the same format for md5
passwords as that used in /etc/shadow.  It seems to me that this is more of an
LDAP question than a PAM question, though.

Steve Langasek
postmodern programmer
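
Added example, not part of the original thread: one way to verify which hashing scheme the entries in a shadow file actually use, and to see why a `$1$` string is not the same thing as an LDAP `{MD5}` value. The function names, the sample account names and the 13-character DES-style string are constructed for illustration; the `$1$` entry is the one quoted in the thread, and the `{MD5}` layout shown (base64 of the raw, unsalted digest) is the one OpenLDAP uses.

```python
import base64
import hashlib
import re

B64C = r"[./0-9A-Za-z]"  # alphabet used by crypt(3) salts and digests
MD5_CRYPT = re.compile(rf"^\$1\$({B64C}{{0,8}})\$({B64C}{{22}})$")
DES_CRYPT = re.compile(rf"^{B64C}{{13}}$")


def classify_shadow_field(field):
    """Return (scheme, salt, digest) for the password field of a shadow entry."""
    if field == "" or field[0] in "!*":
        return ("locked-or-empty", None, None)
    m = MD5_CRYPT.match(field)
    if m:  # $1$<salt, up to 8 chars>$<22-char digest>
        return ("md5-crypt", m.group(1), m.group(2))
    if DES_CRYPT.match(field):  # traditional crypt: 2-char salt + 11-char digest
        return ("des-crypt", field[:2], field[2:])
    return ("unknown", None, None)


def audit_shadow(lines):
    """Map each account name to the scheme of its password field."""
    report = {}
    for line in lines:
        parts = line.rstrip("\n").split(":")
        if len(parts) >= 2:
            report[parts[0]] = classify_shadow_field(parts[1])[0]
    return report


def ldap_md5_value(password):
    """LDAP {MD5} userPassword: base64 of the 16-byte MD5 digest, no salt."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()


# Constructed sample lines; only the $1$ hash comes from the thread.
SAMPLE = [
    "user1:$1$s6cSJvNT$PSJJzm/IaL/LnbJJr0qc..:11218:0:99999:7:::",
    "user2:abJnggxhB/yJo:11218:0:99999:7:::",
    "daemon:*:11218:0:99999:7:::",
]

if __name__ == "__main__":
    for account, scheme in audit_shadow(SAMPLE).items():
        print(f"{account}: {scheme}")
    # Salted, iterated crypt string vs. a single unsalted digest:
    print(ldap_md5_value(b"password"))
```

Because md5-crypt is salted and iterated, a `$1$` string cannot be converted into an `{MD5}` value without knowing the password.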




