Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 31 Oct 2001 04:24:18 +0100 (CET)
From:      Palle Girgensohn <girgen@partitur.se>
To:        freebsd-stable@freebsd.org
Cc:        dd@freebsd.org
Subject:   mixed crypt_formats fails on 4.4
Message-ID:  <200110310324.f9V3OIi09397@elbas.partitur.se>
next in thread | raw e-mail | index | archive | help 

Hi!

I have an apache passwd db-file where I have traditionally used md5
encrypted passwords (by symlink in /usr/lib/libcrypt.so ->
libscrypt.so). After upgrading the system to 4.4-release, I did not
immediately notice the /etc/auth.conf file, and so the default was
reset to DES for a while. Two weeks later, I realized my mistake and
set the crypt_default property in auth.conf to md5. About 300, about
2% of the users, got their passwords in DES after this time (users can
change and create accounts using different methods, servlets, cgi
progs, command line...)

After that, I have got complaints that some people can't login. Of
course, these people all have DES encrypted passwords.

I did some research, and here is what I found out:

in 4.4, libcrypt.so can properly authenticate users with des or md5
encrypted passwords using crypt-des.c, (i.e. crypt_format=des), but
not when crypt_format is md5.

in <= 4.3, I used libscrypt (combined with NODESCRYPTLINKS=true in
make.conf, and symlinks from libcrypt* -> libscrypt* in /usr/lib). The
effect was md5 as default crypt format, and the possibilty to verify
both des and md5.

Better put:

   verifies passwords in   < 4.4          4.4
                        \
crypt_default:   des      des             des&md5

                 md5      des&md5         md5


in short, I need to set /etc/auth.conf to des in order to verify both
des & md5, where I previously had the opposite effect. Is there anyway
I can force the 4.3 behaviour cleanly. Is it supposed to work like
this? I will have to modify all our applications setting passwords to
use set_crypt_format("md5") instead of using the fine auth.conf... :(

Thanks for any input!

/Palle

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200110310324.f9V3OIi09397>