[ale] Password hashes bent

[Joe Knapka]

Thanks for the info. It all makes sense, but unfortunately
fixing things is non-trivial. What I think I need to do is
just configure and build OpenSSH with the appropriate
options enabled. But so far, I have not been able
to get any version of OpenSSH to both build and run on
Slack 7.1. Either I get unresolved externals (inet_addr()
and other inet_ functions), or else sshd dies immediately
on startup because getnameinfo() fails.

Is anyone else using any version of OpenSSH on Slack 7.1?

-- Joe


Joe Steele wrote:
> 
> A little info:
> 
> There are two versions of crypt  -- the old version
> (before glibc-2) only used DES while the newer version
> can use DES or MD5.  The newer version will use MD5 if
> it is given a salt beginning with "$1$", otherwise it
> uses DES.  The MD5 result begins with "$1$" and is
> 26-34 characters long (depending on the salt length).
> The DES result is 13 characters long.
> 
> Another twist is that glibc-2 doesn't include the DES
> capability except as an add-on.  Likewise, Slackware
> offers the DES-capable crypt package as an add-on (see http://www.slackware.com/packages/index.php3?version=7.1&series=des).
> Without it, only MD5-crypt is possible -- If the salt
> doesn't begin with "$1$", crypt returns with NULL and
> error code EOPNOTSUPP.
> 
> I don't know if any of this helps.  The obvious answer
> (which you apparently have eliminated) would be that if
> a program was linked to the older version of crypt (from
> libc5), then authentication would fail.
> 
> --Joe
> 
> -----Original Message-----
> From:   Joe Knapka [SMTP:jknapka at charter.net]
> Sent:   Monday, July 24, 2000 8:07 PM
> To:     ale at ale.org
> Subject:        [ale] Password hashes bent
> 
> Hi, folks,
> 
> I just upgraded my masq firewall from Slackware 3.0 to Slack
> 7.1. Everything is basically working, but I have one very
> bizarre problem: I can't log in to the machine using either
> ssh or telnet anymore.
> 
> I saved the firewall rules and so forth from the previous
> install, and they work (I'm sending this message from a
> machine behind the firewall.) That's not the problem. After
> pulling my hair out for a while, I ended up instrumenting
> sshd to print the hashed password from the shadow password
> file and the hashed password it gets by running crypt() on
> the plain text password, and.... THEY'RE DIFFERENT! Which
> is insane, because I can still login at the console without
> any trouble, which means that -getty- is calling crypt() and
> getting the right answer. It's almost as if sshd and getty
> are calling different versions of crypt(). But I've verified
> that getty and sshd are linked against the same version of
> glibc, so I don't see how this is possible.
> 
> One thing that I notice is that the encrypted passwords in
> the shadow password file are much longer than those yielded
> by crypt() = something like 3 times as long.
> 
> Any ideas?
> 
> TIA,
> 
> -- Joe

-- 
*** Joseph A. Knapka ***
A random fortune:
In Lowes Crossroads, Delaware, it is a violation of local law for any
pilot or passenger to carry an ice cream cone in their pocket while
either flying or waiting to board a plane.
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.