
Re: Fwd: crypt MD5 passwords: invalid credentials



At 03:49 PM 3/8/01 -0800, Wil Cooley wrote:
>Thus spake Wil Cooley:
>
>> Users with simple crypt passwords ('{crypt}crypthash') can login
>> fine to workstations, as can users with {md5} and {SSHA} passwords.
>> However, users in crypt MD5 passwords ('{crypt}$1$md5hash') cannot;
>> their connections fail with 'Invalid credentials'.  The PAM config files
>> in /etc/pam.d have 'md5' in the pam_unix lines on the workstation,
>> and the closed LDAP servers also have md5 in their pam_pwdb lines.
>> I'm assuming that somehow the lack of a local login is causing the
>> users to be rejected?  Even though slapd is linked with libpam, I
>> can't actually figure out which pam service it identifies itself as,
>> running lsof and strace revealed nothing.
>
>Okay, I think I've figured out what's happening, but not a good
>solution--it involves
>
>        a) Re-linking OpenLDAP and changing the link order so the glibc
>        system crypt() is linked before the OpenSSL crypt.  (Will this
>        work reliably?)
>
>        b) Rebuilding OpenSSL to exclude its crypt, with a patch probably
>        attainable from Howard Chu <hyc@highlandsun.com>.
>
>        c) Having my users change their passwords to use RFC2307-style
>        passwords.
>
>At this point, /c/ sounds like the easiest, unless someone can present
>me with a patch to do /a/ or assure that it will be reliable.
>
>For reference for other people facing this problem, this user in this
>message suffers the same problem:
>
>http://www.openldap.org/lists/openldap-software/200102/msg00558.html
>
>This user does too, but it wasn't as immediately obvious to me, although
>Kurt and Howard offered tentative solutions:
>
>http://www.openldap.org/lists/openldap-software/200101/msg00241.html
>
>I suspect more people will have this problem; I'm looking in the issue
>tracking database, and will open a ticket if I can't find one.

I believe there was an OpenLDAP ITS filed and closed.  It's
not really an OpenLDAP issue.  We just use the crypt(3) the
linker provides (based upon user provided configuration
information).  Other than avoiding {crypt} passwords (which
are not portable) as crypt(3) differs widely from system to
system, I suggest modifying OpenSSL not to provide crypt(3)
on systems which provide one themselves.

Kurt
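
Added example for readers of this thread (not code from the thread or from OpenLDAP): the symptom above is that whichever crypt(3) the linker resolves first decides whether a `{crypt}$1$...` hash can be checked at all, since OpenSSL's historical crypt() only knows traditional DES. The verifier below checks RFC 2307 `{MD5}`, `{SSHA}` and `{crypt}$1$` userPassword values with hashlib alone, re-implementing md5-crypt (the Poul-Henning Kamp algorithm behind `$1$`) so the result no longer depends on the system or library crypt(). For a traditional 13-character DES `{crypt}` value it refuses explicitly instead of producing a misleading "invalid credentials", which mirrors Kurt's point that `{crypt}` is not portable. The helper names, the sample entries and the salts are all constructed for the example.

```python
"""Verify RFC 2307 userPassword values without calling crypt(3)."""
import base64
import hashlib
import hmac

# Alphabet used by crypt(3)-style hashes for the hash part of "$1$salt$hash".
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Emit `count` six-bit groups of `value`, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Return "$1$salt$hash" for password (FreeBSD/Linux md5-crypt, $1$)."""
    magic = b"$1$"
    salt = salt[:8]                       # crypt(3) uses at most 8 salt chars
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                       # mix in `alt`, one byte per password byte
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(password)
    while i:                              # the famous "bit pattern" quirk
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                 # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = b""
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c_], 4)
    out += _to64(final[11], 2)
    return (magic + salt + b"$" + out).decode("ascii")


def make_md5(password: bytes) -> str:
    """RFC 2307 {MD5}: base64 of the raw, unsalted MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()


def make_ssha(password: bytes, salt: bytes) -> str:
    """RFC 2307 {SSHA}: base64 of sha1(password + salt) followed by the salt."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()


def verify_userpassword(stored: str, candidate: bytes) -> bool:
    """Check `candidate` against a '{scheme}...' value; raise if the scheme is unsupported."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("cleartext userPassword is not handled by this example")
    scheme, _, data = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "MD5":
        return hmac.compare_digest(base64.b64decode(data), hashlib.md5(candidate).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest())
    if scheme == "CRYPT":
        if data.startswith("$1$"):
            salt = data.split("$")[2]
            return hmac.compare_digest(data.encode(), md5_crypt(candidate, salt.encode()).encode())
        # Traditional DES (13 chars) and other crypt(3) dialects differ per system;
        # fail loudly rather than hand the client a vague "invalid credentials".
        raise NotImplementedError(f"{{crypt}} variant not supported here: {data[:3]!r}")
    raise NotImplementedError(f"unsupported scheme {{{scheme}}}")


if __name__ == "__main__":
    # Constructed sample entries covering the forms discussed in the thread.
    entries = {
        "md5user": (make_md5(b"secret"), b"secret"),
        "sshauser": (make_ssha(b"secret", b"saltsalt"), b"secret"),  # use a random salt for real
        "md5cryptuser": ("{crypt}" + md5_crypt(b"password", b"saltsalt"), b"password"),
        "desuser": ("{crypt}abJnggxhB/yWI", b"password"),  # constructed traditional DES form
    }
    for name, (stored, pw) in entries.items():
        try:
            ok = verify_userpassword(stored, pw)
            print(f"{name}: {stored} -> {'bind ok' if ok else 'invalid credentials'}")
        except NotImplementedError as exc:
            print(f"{name}: {stored} -> cannot verify: {exc}")
```

Comparisons go through `hmac.compare_digest` so the check does not leak timing about how many leading bytes matched; the `$1$` branch regenerates the full string with the stored salt and compares the whole thing, which is exactly what a working crypt(3) path does inside slapd.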