From owner-freebsd-security Fri Oct 12 17:42: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from hermes.pressenter.com (hermes.pressenter.com [209.224.20.19]) by hub.freebsd.org (Postfix) with ESMTP id D533837B401 for ; Fri, 12 Oct 2001 17:41:58 -0700 (PDT) Received: from [209.224.22.136] (helo=daggar) by hermes.pressenter.com with smtp (Exim 3.16 #1) id 15sCs6-0002b0-00 for freebsd-security@FreeBSD.ORG; Fri, 12 Oct 2001 19:41:47 -0500 From: "Stephen Hilton" To: "FreeBSD Security" Subject: RE: FreeBSD 4.4 and DES Date: Fri, 12 Oct 2001 19:42:12 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <6B3C6B6F7AA2D511A35E0080C86993435962@syncro.metrics.com> X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Has anyone successfully got DES working with FreeBSD 4.4? I need this to > get FrontPage 2002 server extensions running ... > > I managed to get through the FrontPage install process -- the 2002 > extensions explicitly support FreeBSD, and I now get a few steps into the > FrontPage-to-Apache connection. But I fail in the authentication process. > > I think this is because FrontPage uses DES, while FreeBSD 4.4 defaults to > MD5. Or at least that's what my net.research tells me. I tried to install the apache13-fp port today on FreeBSD snapshot 4.4-20011010 and had to also make some changes to the ports Makefile to get it to compile. This is for FrontPage 2000 support, not FrontPage 2002, YMMV Changed this in the Makefile: .if ${OSVERSION} < 500016 pre-extract: @if ! ${LDCONFIG} -r | ${GREP} -q -e "-ldescrypt"; then \ ${ECHO} ; \ ${ECHO} "WARNING: MS FrontPage Extentions require the DES Library" To: .if ${OSVERSION} < 500016 pre-extract: @if ! ${LDCONFIG} -r | ${GREP} -q -e "-lcrypt"; then \ ${ECHO} ; \ ${ECHO} "WARNING: MS FrontPage Extentions require the DES Library" Changed the "-ldescrypt" to "-lcrypt" Then edited my /etc/login.conf and uncommented the last example for "des_users" to activate it, then ran the "cap_mkdb /etc/login.conf" command. Then I took my FrontPage user who was already added with the default md5 style password and added the login class to their passwd file entry with vipw. Example: From: webborg:$2$Ogfr3HH/$ou812YtzNcnKRnIrtU0G3/:1100:1100::0:0:FP-2000 user:/home/webborg :/sbin/nologin To: webborg:$2$Ogfr3HH/$ou812YtzNcnKRnIrtU0G3/:1100:1100:des_user:0:0:FP-2000 user:/home/webborg:/sbin/nologin Now I logged in as webborg and changed my password with "passwd", this then gave this user a DES based password, and connection with FrontPage went fine from a W2k PC. From other reading it appears that the FP extensions to Apache add a number of security problems, and should be thoroughly researched and vulnerability tested before deploying. In my case the web server is in a small secure intranet only. Hope this may help. Regards, Stephen Hilton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message