From: "Hank Wethington"
To: "Kris Kennaway"
Subject: RE: OpenSSL patch applied and now locked out of machine.
Date: Thu, 2 Aug 2001 14:34:58 -0700

I wanted to follow up on the solution and problem I encountered for anyone else following the thread.

First I want to say that this is the reason to have a test box... Please always use on a test box before performing on a production server. This will save many headaches.

Since I applied the patch then compiled in the wrong directory I changed the way BSD handled the DES passwords, as Kris pointed out. After driving the 3 hours to get to the box, I found I could log in locally as root, but not as the admin user I have set up. I thought this weird, anyone care to explain? This was good as I don't have a floppy or cd installed and single user log in is locked out.

After getting into the machine, I redownloaded the crypto libs and a few other lib files from /stand/sysinstall, rebooted the machine and voila, it all worked.
People started getting mail again and my logins worked again. I reapplied the patch (correctly this time) and all was well.

So with that said, the machine is working again, but I am curious why I could log in locally as root after the crypto change. Is the local login different than the SSH login?

Thanks for everyone's help.

Hank Wethington
================================================
Information Logistics
www.GoInfoLogistics.com
mailto:info.at.GoInfoLogistics.com
================================================

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Kris Kennaway
Sent: Monday, July 30, 2001 6:31 PM
To: Hank Wethington
Cc: Kris Kennaway; security-officer@freebsd.org; security@FreeBSD.org
Subject: Re: OpenSSL patch applied and now locked out of machine.

On Mon, Jul 30, 2001 at 06:25:07PM -0700, Hank Wethington wrote:

> As I can't see the error OpenSSH is giving (at least until I get to the
> machine tonight), I can only say I'm getting an invalid password response
> from my attempts to SSH into the machine. Also, vpopmail gives an invalid
> password response as well. I will hopefully post more after I've seen the
> machine.
>
> To give a tad more info, the initial release of the update stated that the
> directory was /usr/src/lib/libcrypto/ however the true directory was
> /usr/src/secure/lib/libcrypto/
>
> As is the case with another user, I initially did the make depend && make
> all install in the /usr/src/lib/libcrypt/ dir. Since the other user is
> having a similar issue, perhaps they are related. I won't be to the machine
> until 10p PDT, so I won't have any more info.

Aha..if you did this, you installed a libcrypt which can't handle DES passwords. The DES-capable library (under 4.3 and earlier, this has been changed in 4.3-STABLE) is under secure/lib/libcrypt.

Kris