bug-cvs

Re: pserver login fails on 9 char passwords


From: Mark D. Baushke
Subject: Re: pserver login fails on 9 char passwords
Date: Mon, 29 Mar 2004 00:29:34 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mäkeläinen Juha <address@hidden> writes:

> Resending a lost bug report:
> 
> -----Original-----
> Sender: Mäkeläinen Juha 
> Sent: 15 Jan 2004 14:04
> Receiver: 'address@hidden'
> Subject: pserver login fails on 9 char passwords
> 
> 
> This problem was found when using cvs-1.11.11 server on HP-UX and
> wincvs client.
> 
> If user password is 9 chars long, the crypted password from client is
> 13 characters but password got from HP-UX secure password system is 24
> characters. The server.c module can not handle that.

The HP/UX passwords have been problems in the past. There was a hack
that stuck a NUL byte at the first comma in the found_passwd because of
extra glop that the HP/UX system added.

Your patch makes me uncomfortable because it may be possible to choose
a password that is encrypted with the same salt as the found_passwd and
happens to encode to a substring of the real found_passwd without being
a valid password on the system.

I would rather understand what HP/UX is doing to the found_password such
that it is so much longer than the crypted password.

BTW: The patch you sent was somewhat corrupt in that the '== 0)' of the
previous if expression was on the same line as a C preprocessor '#else'
statement.

        Thanks,
        -- Mark

> Login fails and wincvs client says:
> 
> cvs -d :pserver:address@hidden:/cvs/fdits login
> Logging in to :pserver:address@hidden:2401:/cvs/fdits
> cvs [login aborted]: authorization failed: server our-host.fi rejected access to /cvs/fdits for user u123456
> 
> Server (HP-UX B.11.11 U 9000/800) syslog.log message:
> 
> Jan 13 09:54:54 our-host syslog: login failure (for /cvs/fdits)
> Jan 13 09:56:16 our-host syslog: password mismatch for u543251: F0sPYT3vo0Gmc vs. F0sPYT3vo0GmcT.Z51tttO6Q
> 
> 
> I have used pre-compiled versions like cvs-1.11.8 and also compiled my own 
> cvs-1.11.11 using these options:
> 
> CFLAGS="-g +DAportable -DLOG_AUTHPRIV" ./configure \
>               --without-gssapi --enable-server-flow-control
> 
> (In this system HAVE_GETSPNAM is defined.)
> 
> 
> This is my temporary workaround to cvs-1.11.11, which seems to work:
> 
> $ LC_ALL=C diff -c server.c.orig server.c                                     
>         
> *** server.c.orig       Thu Dec 18 19:59:46 2003
> --- server.c    Wed Jan 14 15:42:50 2004
> ***************
> *** 5508,5514 ****
> --- 5508,5526 ----
>       if (*found_passwd)
>       {
>         /* user exists and has a password */
> + #ifdef FD_JM_20040114
> +       /* In HP-UX B.11.11 found_passwd is occasionally longer
> +        * than crypted passwd here (24 compared to 13 bytes).
> +        * This happened when the user password length is 9 characters.
> +        * FIXME - Our workaround is based on my belief that crypted
> +        * password is never very short. Is it true?
> +        * Now we compare only by the common part of both strings.
> +        */
> +       char *crypt_passwd = crypt (password, found_passwd);
> +       if (strncmp (found_passwd, crypt_passwd, strlen (crypt_passwd))
> + == 0) #else
>         if (strcmp (found_passwd, crypt (password, found_passwd)) == 0)
> + #endif
>         {
>             host_user = xstrdup (username);
>         }
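Review bot: the `strncmp (found_passwd, crypt_passwd, strlen (crypt_passwd))` test in the `#ifdef FD_JM_20040114` branch compares only as many bytes as the candidate hash has, so it accepts any password whose crypt() output happens to be a prefix of found_passwd, it matches everything if crypt() ever returns an empty string (the FIXME comment already asks whether that can happen), and it passes a NULL pointer to strlen if crypt() fails. Rather than weakening the comparison, keep the full `strcmp (found_passwd, crypt (password, found_passwd)) == 0` and find out why the HP-UX secure password database returns a 24-byte string for these users. Also, `== 0) #else` on one line is not valid C: a preprocessor directive must begin on its own line, so the patch as posted does not compile.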
> 
> 
> --
>         Juha Mäkeläinen / Systems Specialist
>     FD Finanssidata Oy / P.O. Box 308 / FIN-00101 Helsinki
>        address@hidden
>   t. +358-9-404 3075 / +358-40 715 5151 / fax +358-9-404 3007

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFAZ95u3x41pRYZE/gRAsHDAJ4/XMEiMDo4Dviz6CS9tKyxNbvkjACfa6Ds
O9Ydbe8zvF2+T/bzOK0kHLM=
=4XS5
-----END PGP SIGNATURE-----
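To make Mark's objection concrete, the following is an added illustration (not code from CVS or from either poster) of why comparing only `strlen(candidate)` bytes of a stored hash is the wrong check. The two strings are stand-ins taken from the syslog line in the report: the 13-byte value the server computed with crypt() and the 24-byte value it read from the HP-UX password database; no real crypt() call is made, so the example shows the comparison logic only.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins copied from the "password mismatch" syslog line
 * in the report: the crypt() output for the client's password, and the
 * longer string returned by the HP-UX secure password database. */
#define CLIENT_CRYPT  "F0sPYT3vo0Gmc"
#define STORED_PASSWD "F0sPYT3vo0GmcT.Z51tttO6Q"

/* The check in the proposed workaround: only strlen(candidate) bytes are
 * compared, so any candidate that is a prefix of the stored value passes,
 * and an empty candidate passes against every stored value.
 * Returns 1 on "match", 0 otherwise. */
int prefix_match(const char *stored, const char *candidate)
{
    return strncmp(stored, candidate, strlen(candidate)) == 0;
}

/* Full comparison: the lengths must be equal and every byte must agree.
 * Differences are OR-ed together instead of returning at the first
 * mismatch, so the time taken does not reveal where the strings diverge. */
int full_match(const char *stored, const char *candidate)
{
    size_t n = strlen(stored);
    unsigned char diff = 0;
    size_t i;

    if (n != strlen(candidate))
        return 0;
    for (i = 0; i < n; i++)
        diff |= (unsigned char)(stored[i] ^ candidate[i]);
    return diff == 0;
}

int main(void)
{
    printf("prefix_match(stored, client)  = %d\n",
           prefix_match(STORED_PASSWD, CLIENT_CRYPT));   /* 1: accepted */
    printf("prefix_match(stored, \"\")      = %d\n",
           prefix_match(STORED_PASSWD, ""));             /* 1: accepted! */
    printf("full_match(stored, client)    = %d\n",
           full_match(STORED_PASSWD, CLIENT_CRYPT));     /* 0: rejected */
    printf("full_match(stored, stored)    = %d\n",
           full_match(STORED_PASSWD, STORED_PASSWD));    /* 1: accepted */
    return 0;
}
```

The second `prefix_match` call is the case the patch's FIXME worries about: the comparison length is taken from the untrusted side, so the check is only as strong as the shortest candidate crypt() can ever produce. `full_match` is the shape the original `strcmp` already has; the mismatch it reports for the 13-versus-24-byte pair is the real bug to chase on the HP-UX side, not something to paper over in the comparison.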



