
Re: Incompatable crypt? (ITS#970)



At 02:48 AM 1/19/01 +0000, brad@mrunix.net wrote:
>Unfortunately it turns out to be a bit more complicated than that.. the
>ufc-crypt library that is included with glibc on Slack-7.1 refuses to
>generate hashed passwords if you use a 2 character salt, and if you do,
>it just returns back a NULL.

What if you provide 8 characters of salt?  I made a change
to lutil/passwd.c based upon FreeBSD's passwd(1) code.  Haven't
a clue whether it will have any impact on other systems, just
curious.

>To solve it, a quick hack was made to the passwd.c file in the
>liblutil library, making it use the MD5 salt (actually, I've got
>it inside a #ifdef/endif pair), and putting -lcrypt in front of the
>-lcrypto declaration in config.status (just so I didn't have to hack
>the SSL code for now). 

Note that moving -lcrypt forward will not only mask the crypt(3)
routine found in OpenSSL, but any other routine contained in
both -lcrypt and OpenSSL libraries.  In particular, one must
be very careful in regard to various hash functions.

I also note you must be careful when using Kerberos and Cyrus
SASL as they provide various routines as well.

I use a version of Heimdal Kerberos hacked to use OpenSSL
instead of its own routines.  You can also build Cyrus SASL
to use OpenSSL.

Note that OpenLDAP uses MD5/SHA1 directly as well but provides
its own version of hash routines using symbols which shouldn't
clash.

>All is well with the world again and it now uses
>the same crypt function that the OS uses.  When I get some free time,
>I'll do a real test/fix for the UFC stuff and send in a diff.

That would be fine.  I'd suggest the fix not reorder libraries
(but rely on patches to OpenSSL... which should be submitted
to OpenSSL).
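
The masking concern raised in the message above can be checked before any library is reordered. The following is an added example, not part of the original message or of OpenLDAP's code: it lists the names that two libraries both define, given their `nm -D --defined-only` listings. The function names (`defined_symbols`, `shared_symbols`) and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: find symbols defined by two libraries, i.e. the names whose
# resolution changes when -lcrypt is moved ahead of -lcrypto on the link line.

# defined_symbols: read `nm -D --defined-only` output on stdin and print the
# names of exported definitions, one per line, sorted and de-duplicated.
defined_symbols() {
    # nm lines look like "<address> <type> <name>"; keep text (T), weak (W, V),
    # data (D, R) and bss (B) definitions, and strip any @VERSION suffix.
    awk 'NF == 3 && $2 ~ /^[TWVDRB]$/ { sub(/@.*/, "", $3); print $3 }' |
        LC_ALL=C sort -u
}

# shared_symbols FILE_A FILE_B: print names defined in both nm listings.
shared_symbols() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    defined_symbols < "$1" > "$a"
    defined_symbols < "$2" > "$b"
    LC_ALL=C comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample listings (not taken from any real library build).
sample_dir=$(mktemp -d)
cat > "$sample_dir/libcrypt.nm" <<'EOF'
0000000000001a20 T crypt
0000000000001b40 T crypt_r
0000000000002100 T encrypt
0000000000002200 T setkey
EOF
cat > "$sample_dir/libcrypto.nm" <<'EOF'
0000000000031000 T MD5_Init
0000000000031100 T SHA1_Init
0000000000045000 T crypt
0000000000045200 T des_encrypt
EOF

# On a real system the listings would come from, for example:
#   nm -D --defined-only /path/to/libcrypt.so > libcrypt.nm
shared_symbols "$sample_dir/libcrypt.nm" "$sample_dir/libcrypto.nm"
```

Every name printed is one the linker resolves from whichever library comes first on the link line, so each needs review before the order is changed.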