Date: Thu, 2 Aug 2001 14:34:58 -0700
From: "Hank Wethington" <bsd@info-logix.com>
To: "Kris Kennaway" <kris@obsecurity.org>
Cc: <security-officer@freebsd.org>, <security@FreeBSD.org>
Subject: RE: OpenSSL patch applied and now locked out of machine.
Message-ID: <KFEIIDCJNHBCGLAFNMJIAELBFBAA.bsd@info-logix.com>
In-Reply-To: <20010730183039.A65218@xor.obsecurity.org>

I wanted to follow up on the solution and problem I encountered for anyone
else following the thread.

First I want to say that this is the reason to have a test box... Please
always use on a test box before performing on a production server. This will
save many headaches.

Since I applied the patch then compiled in the wrong directory I changed the
way BSD handled the DES passwords, as Kris pointed out. After driving the 3
hours to get to the box, I found I could log in locally as root, but not as
the admin user I have set up. I thought this weird, anyone care to explain?
This was good as I don't have a floppy or cd installed and single user log in
is locked out.

After getting into the machine, I redownloaded the crypto libs and a few
other lib files from /stand/sysinstall. Rebooted the machine and voilà, it
all worked. People started getting mail again and my logins worked again. I
reapplied the patch (correctly this time) and all was well.

So with that said, the machine is working again, but I am curious why I could
log in locally as root after the crypto change. Is the local login different
than the SSH login?

Thanks for everyone's help.

Hank Wethington
================================================
Information Logistics
www.GoInfoLogistics.com
mailto:info.at.GoInfoLogistics.com
================================================

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Kris Kennaway
Sent: Monday, July 30, 2001 6:31 PM
To: Hank Wethington
Cc: Kris Kennaway; security-officer@freebsd.org; security@FreeBSD.org
Subject: Re: OpenSSL patch applied and now locked out of machine.

On Mon, Jul 30, 2001 at 06:25:07PM -0700, Hank Wethington wrote:
> As I can't see the error OpenSSH is giving (at least until I get to the
> machine tonight), I can only say I'm getting an invalid password response
> from my attempts to SSH into the machine. Also, vpopmail gives an invalid
> password response as well. I will hopefully post more after I've seen the
> machine.
>
> To give a tad more info, the initial release of the update stated that the
> directory was /usr/src/lib/libcrypto/ however the true directory was
> /usr/src/secure/lib/libcrypto/
>
> As is the case with another user, I initially did the make depend && make
> all install in the /usr/src/lib/libcrypt/ dir. Since the other user is
> having a similar issue, perhaps they are related. I won't be to the machine
> until 10p PDT, so I won't have any more info.

Aha..if you did this, you installed a libcrypt which can't handle DES
passwords. The DES-capable library (under 4.3 and earlier, this has been
changed in 4.3-STABLE) is under secure/lib/libcrypt.

Kris
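
Added example, not part of the original thread or of FreeBSD: a pre-change check that lists which accounts hold DES-format hashes and would therefore fail to authenticate against a libcrypt without DES support. It assumes master.passwd(5) field order and the hash prefixes documented in crypt(3); the function names and the sample accounts and hashes are constructed for illustration.

```shell
#!/bin/sh
# Report the password scheme of each account so DES-dependent logins are
# known before libcrypt is rebuilt or replaced.
# Input: master.passwd(5)-style lines (name:hash:uid:...) on stdin.

classify_hashes() {
    awk -F: '
        /^#/ || NF < 2 { next }            # skip comments and malformed lines
        {
            h = $2
            if (h == "")                        s = "empty"
            else if (substr(h, 1, 1) == "*")    s = "locked"
            else if (substr(h, 1, 3) == "$1$")  s = "md5"
            else if (substr(h, 1, 2) == "$2")   s = "blowfish"
            else if (substr(h, 1, 1) == "$")    s = "other-modular"
            else if (length(h) == 20 && h ~ "^_[./0-9A-Za-z]+$") s = "des-extended"
            else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$")  s = "des"
            else                                s = "unknown"
            print $1, s
        }'
}

# Accounts that need a DES-capable libcrypt to authenticate.
des_dependent_users() {
    classify_hashes | awk '$2 ~ /^des/ { print $1 }'
}

# Constructed sample data (hypothetical users, made-up hash strings).
sample_master_passwd() {
    cat <<'EOF'
# constructed master.passwd excerpt
alice:$1$Cnstrctd$0123456789abcdefghijkl:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:abJnggxhB/yJE:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:_J9..saltAbCdEfGhIjK:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:*:1004:1004::0:0:Dave:/nonexistent:/sbin/nologin
EOF
}

sample_master_passwd | classify_hashes
```

On a live system the same functions can be fed the real file as root, for example `des_dependent_users < /etc/master.passwd`.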