
Re: MD5 unix passwords problems



My suggestion is to just hack OpenSSL not to provide a
crypt(3) replacement.

At 03:18 PM 2/2/01 +0100, ludo wrote:
>Hi !
>
>I migrated my /etc/passwd md5 password file to ldap, to authenticate users with pam_ldap and nss_ldap. I'm running PCs under Linux redhat 6.2 and mandrake 7.1.
>It worked fine until I wanted to update users' passwords with the 'passwd' command.
>Indeed I was unable to modify the ldap entry because it did not understand '$1$salt$sdsdcsdc' md5 style unix passwords.
>It seems that openldap uses the std 'crypt()' function (which supports md5 and des), but if you compile openldap with openssl, then crypt() is taken from libcrypto.so and the latter only supports DES passwords.
>
>So, here is my ugly patch: replace crypt() by fcrypt() in libraries/liblutil/passwd.c in order to be sure to use the glibc crypt. Maybe, we could put some '#if#else' statements that would enable the hack when compiled with openssl ??
>
>regards,
>
>  Ludovic Drolez.
>
>--- passwd.c.orig       Wed Jan 31 16:20:03 2001
>+++ passwd.c    Fri Feb  2 10:55:22 2001
>@@ -828,7 +828,7 @@
>              return -1;      /* passwd must behave like a string */
>      }
>
>-       cr = crypt( cred->bv_val, passwd->bv_val );
>+       cr = fcrypt( cred->bv_val, passwd->bv_val );
>
>      if( cr == NULL || cr[0] == '\0' ) {
>              /* salt must have been invalid */
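
Review bot: The switch from crypt() to fcrypt() at the `cr = fcrypt( cred->bv_val, passwd->bv_val );` line is unconditional, although the message itself proposes guarding it with '#if#else' for OpenSSL builds. fcrypt() is not a POSIX function, so a platform whose libc lacks it would fail to link; suggest keeping crypt() as the default and selecting fcrypt() only under a condition detected at configure time.
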
>@@ -899,7 +899,7 @@
>              return -1;
>      }
>
>-       cr = crypt(cred->bv_val, pw);
>+       cr = fcrypt(cred->bv_val, pw);
>
>      if( cr == NULL || cr[0] == '\0' ) {
>              /* salt must have been invalid *
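
Review bot: No prototype for fcrypt() is added anywhere in this patch, yet the result of `cr = fcrypt(cred->bv_val, pw);` is used as a pointer in the `cr[0]` test that follows. If no included header declares it, the compiler will assume an int return, which is wrong for a char * wherever the two differ in size; suggest adding an explicit declaration or include together with the call change.
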
>/@@ -1038,7 +1038,7 @@
>      salt[1] = crypt64[ salt[1] % (sizeof(crypt64)-1) ];
>      salt[2] = '\0';
>
>-       hash.bv_val = crypt( passwd->bv_val, salt );
>+       hash.bv_val = fcrypt( passwd->bv_val, salt );
>
>      if( hash.bv_val == NULL ) return NULL;
>
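
Review bot: The salt built just above the changed call is two characters long (`salt[2] = '\0';`), which is the traditional DES salt form rather than '$1$salt$', so this path still generates DES-style hashes whichever library supplies the function. If newly set passwords are meant to be MD5 as well, the salt construction has to change too; in either case the three call sites would be easier to maintain behind one shared wrapper so the crypt()/fcrypt() choice lives in a single place.
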
>
>
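
The symbol clash described in the quoted message can be caught with a startup self-test that probes whichever crypt() implementation the binary ended up with. This is an added example, not code from the original post or from OpenLDAP; the names `crypt_supports_md5`, `crypt_fn` and the three stand-in functions are hypothetical, and the stand-ins are constructed to imitate each library's output shape without doing any hashing.

```c
#include <stdio.h>
#include <string.h>

/* Signature shared by crypt(3) and the stand-ins below (hypothetical name). */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Return 1 if fn honours "$1$" MD5 salts, 0 if it fell back to DES or failed.
 * A DES-only crypt() uses just the first two salt bytes and returns 13
 * characters from [./0-9A-Za-z], so its output can never begin with "$1$". */
int crypt_supports_md5(crypt_fn fn)
{
    static const char probe_salt[] = "$1$abcdefgh$";   /* constructed salt */
    const char *out = fn("probe", probe_salt);

    if (out == NULL || out[0] == '\0')
        return 0;                        /* salt rejected outright */
    return strncmp(out, probe_salt, 12) == 0 && strlen(out) > 13;
}

/* Constructed stand-in: shape of a DES-only result (2 salt chars + 11 more). */
static char *des_only_crypt(const char *key, const char *salt)
{
    static char buf[14];
    (void)key;
    snprintf(buf, sizeof buf, "%.2s...........", salt);
    return buf;
}

/* Constructed stand-in: shape of an MD5-crypt result ("$1$salt$" + 22 chars). */
static char *md5_capable_crypt(const char *key, const char *salt)
{
    static char buf[40];
    (void)key;
    snprintf(buf, sizeof buf, "%.12s%s", salt, "xxxxxxxxxxxxxxxxxxxxxx");
    return buf;
}

/* Constructed stand-in: an implementation that rejects the salt. */
static char *failing_crypt(const char *key, const char *salt)
{
    (void)key; (void)salt;
    return NULL;
}

int main(void)
{
    printf("DES-only stand-in:    %d\n", crypt_supports_md5(des_only_crypt));
    printf("MD5-capable stand-in: %d\n", crypt_supports_md5(md5_capable_crypt));
    printf("failing stand-in:     %d\n", crypt_supports_md5(failing_crypt));
    return 0;
}
```

In a real build the probe would be passed `crypt` itself, linked exactly as the server is, so that the result reflects the library that actually won symbol resolution.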