[tac_plus] Re: tac_plus with PAM on FreeBSD

Joe Moore joe.moore at holidaycompanies.com
Wed Mar 12 17:56:48 UTC 2008

I'm not a developer, but when I run tac_plus with /etc/passwd auth,
debug output shows my (correct) password in plain text. Debug also shows
what the plain-text password "encrypts to", which does not resemble the
hash in /etc/master.passwd.

The hashed pw in master.passwd is MD5 and has an 8 character salt
prepended to the hash. I'm guessing (and that's all it is) that maybe
tac_plus is using a different method to encrypt the plain-text password
than FBSD is using, or maybe it's just not aware of the salt. I know
this used to work on FBSD 4.x and 5.x. No dice with 6 or 7 though...


-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kiss Gabor (Bitman)
Sent: Wednesday, March 12, 2008 12:18 PM
To: john heasley
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: tac_plus with PAM on FreeBSD

> > You need a libcrypt.so with GNU extensions where crypt(3)
> > supports md5 password hashes.
> For the record, there is nothing GNU about this.  GNU stuff might
> it now, but it originated with BSD and AFAIK FBSD, NBSD and OBSD all
> DES and MD5 hashes and FBSD and NBSD also support blowfish, IIRC.

You must be right.
I just read this on crypt(3) man page a few days ago:

  The glibc2 version of this function has the following additional
  features.  If salt is a character string starting with the three
  characters "$1$" followed by at most eight characters, and optionally
  terminated by "$", then instead of using the DES machine, the glibc
  function uses an MD5-based algorithm, ...

but I did not make any effort to research the origin of md5 password
handling. :-)

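Added example (not from this thread and not tac_plus code): a pure-Python version of the MD5-based crypt(3) scheme that the quoted man page text describes, showing that a "$1$" field can only be checked by re-hashing the typed password with the salt embedded in the stored field. The function names `md5_crypt` and `verify` are hypothetical, and the password and salt in the demo are constructed.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, length):
    # crypt(3) base64 variant: emit the low 6 bits first
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-based crypt scheme selected by the "$1$" prefix (salt <= 8 chars)."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    for i in range(len(password), 0, -16):
        ctx.update(alt[:min(16, i)])
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching loop of the scheme
        h = hashlib.md5(password if i & 1 else final)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(password)
        h.update(final if i & 1 else password)
        final = h.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                   for a, b, c in order)
    return "$1$" + salt.decode() + "$" + body + _to64(final[11], 2)

def verify(password: str, stored: str) -> bool:
    """Re-hash with the salt taken from the stored field, then compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a $1$ (MD5) crypt field")
    candidate = md5_crypt(password.encode(), parts[2].encode())
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    field = md5_crypt(b"example-pw", b"Ab3dEf9h")  # constructed sample values
    print(field, verify("example-pw", field))
```

A verifier that hashes the same password with a different salt, or with a different scheme, produces output that does not match the stored field even though the password is correct.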