
Re: Fwd: crypt MD5 passwords: invalid credentials



Thus spake Wil Cooley:

> Users with simple crypt passwords ('{crypt}crypthash') can login
> fine to workstations, as can users with {md5} and {SSHA} passwords.
> However, users with crypt MD5 passwords ('{crypt}$1$md5hash') cannot;
> their connections fail with 'Invalid credentials'.  The PAM config files
> in /etc/pam.d have 'md5' in the pam_unix lines on the workstation,
> and the closed LDAP servers also have md5 in their pam_pwdb lines.
> I'm assuming that somehow the lack of a local login is causing the
> users to be rejected?  Even though slapd is linked with libpam, I
> can't actually figure out which pam service it identifies itself as,
> running lsof and strace revealed nothing.

Okay, I think I've figured out what's happening, but not a good
solution--it involves

	a) Re-linking OpenLDAP and changing the link order so the glibc
	system crypt() is linked before the OpenSSL crypt.  (Will this
	work reliably?)

	b) Rebuilding OpenSSL to exclude its crypt, with a patch probably
	attainable from Howard Chu <hyc@highlandsun.com>.

	c) Having my users change their passwords to use RFC2307-style
	passwords.

At this point, /c/ sounds like the easiest, unless someone can present
me with a patch to do /a/ or assure that it will be reliable.

For reference for other people facing this problem, this user in this
message suffers the same problem:

http://www.openldap.org/lists/openldap-software/200102/msg00558.html

This user does too, but it wasn't as immediately obvious to me, although
Kurt and Howard offered tentative solutions:

http://www.openldap.org/lists/openldap-software/200101/msg00241.html

I suspect more people will have this problem; I'm looking in the issue
tracking database, and will open a ticket if I can't find one.

Wil
-- 
W. Reilly Cooley                         wcooley@nakedape.cc
Naked Ape Consulting                      http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and   http://lnxs.org
people who take care of them.  *Now with integrated crypto!*
irc.openprojects.net                                   #lnxs

Men have a much better time of it than women; for one thing they marry later;
for another thing they die earlier.
		-- H.L. Mencken

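Added example, not part of the original message and not OpenLDAP code: a small audit helper that sorts userPassword values by the scheme prefixes named in the message, lists the entries that depend on crypt() understanding `$1$` salts, and builds and checks a {SSHA} value for option c. All function names, DNs and hash strings are constructed for illustration; the {SSHA} layout used is the common base64(SHA1(password + salt) + salt) form.

```python
import base64, hashlib, hmac, os, re

B64 = r"[./0-9A-Za-z]"
# crypt MD5 format: $1$<salt, up to 8 chars>$<22-char hash>
MD5_CRYPT = re.compile(r"^\$1\$" + B64 + r"{1,8}\$" + B64 + r"{22}$")
# traditional crypt: 2 salt chars + 11 hash chars
DES_CRYPT = re.compile("^" + B64 + "{13}$")

def classify(user_password):
    """Say which verification path a userPassword value needs."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", user_password)
    if not m:
        return "cleartext"
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        # Assumption: {MD5}, {SSHA} etc. are checked without calling crypt()
        return "scheme:" + scheme
    if MD5_CRYPT.match(rest):
        return "crypt:md5"      # only works if crypt() handles $1$ salts
    if DES_CRYPT.match(rest):
        return "crypt:des"
    return "crypt:unknown"

def affected(entries):
    """DNs whose password depends on MD5 support in the linked crypt()."""
    return [dn for dn, pw in entries if classify(pw) == "crypt:md5"]

def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password, value):
    """Verify a password against a {SSHA} value in constant time."""
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE = [
    ("uid=alice,dc=example,dc=com", "{crypt}abJnggxhB/yWI"),
    ("uid=bob,dc=example,dc=com", "{crypt}$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV"),
    ("uid=carol,dc=example,dc=com", make_ssha("constructed-password")),
]

if __name__ == "__main__":
    print("entries relying on crypt() MD5 support:", affected(SAMPLE))
```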