[tac_plus] Re: tac_plus with PAM on FreeBSD
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Wed Mar 12 18:18:01 UTC 2008
> I'm not a developer, but when I run tac_plus with /etc/passwd auth,
> debug output shows my (correct) password in plain text. Debug also shows
> what the plain-text password "encrypts to", which does not resemble the
> hash in /etc/master.passwd.
>
> The hashed pw in master.passwd is MD5 and has an 8 character salt
> prepended to the hash. I'm guessing (and that's all it is) that maybe
> tac_plus is using a different method to encrypt the plain-text password
> than FBSD is using, or maybe it's just not aware of the salt. I know
pwlib.c contains this:
des_verify(...)
{
...
ep = (char *) crypt(users_passwd, encrypted_passwd);
...
if (strcmp(ep, encrypted_passwd) == 0) {
if (debug & DEBUG_PASSWD_FLAG)
report(LOG_DEBUG, "Password is correct");
return(1);
}
}
It just passes the old stored hash as 'encrypted_passwd' to crypt().
It works because the hash begins with the salt.
I suggest you compile a short test program like this:
#include <stdio.h>
#include <crypt.h>   /* glibc declares crypt() here; on FreeBSD it is in <unistd.h> */

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s password stored-hash\n", argv[0]); return 1; }
    /* crypt() reads the algorithm marker and salt from the front of the stored hash */
    printf("%s\n", crypt(argv[1], argv[2]));
    return 0;
}
Assuming the source file is called p.c
$ make CFLAGS='-lcrypt' p
Then run it with the plain password and the old hash as arguments.
Assuming your password is 'plaintext'
$ ./p plaintext '$1$2K1JYNC3$qik58Zlm5tccXeZJ4v0Xm.'
$1$2K1JYNC3$qik58Zlm5tccXeZJ4v0Xm.
It works for me on Debian Etch Linux, i386 architecture.
What do you see on stdout on other platforms?
Gabor
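To make the mechanism Gabor describes concrete, here is an added example (not tac_plus code, and not from the original message): a pure-Python reimplementation of the FreeBSD/glibc "$1$" MD5-crypt algorithm that crypt(3) runs for hashes of this form. It shows why passing the whole stored hash as crypt()'s second argument reproduces that hash: the salt parser strips "$1$", takes at most 8 characters, and stops at the next '$', so the rest of the stored string is ignored. The function names (parse_salt, md5crypt, verify) are my own; the test vector used under __main__ is the one from the message above, and the "Hello world!" vector is the standard glibc MD5-crypt self-test value.

```python
import hashlib
import hmac

# Added example, not tac_plus's own code: a pure-Python version of the
# "$1$" MD5-crypt algorithm, matching what crypt(3) does on Linux and FreeBSD.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def parse_salt(setting: bytes) -> bytes:
    """Extract the salt the way crypt(3) does: drop "$1$", then take up to
    8 bytes, stopping at the first '$'. A full stored hash therefore works
    as the setting, which is what des_verify() relies on."""
    if setting.startswith(MAGIC):
        setting = setting[len(MAGIC):]
    salt = b""
    for ch in setting[:8]:
        if ch == ord("$"):
            break
        salt += bytes([ch])
    return salt


def _to64(value: int, count: int) -> bytes:
    """crypt's base-64 variant: emit the low 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, setting: bytes) -> bytes:
    salt = parse_salt(setting)
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in len(password) bytes taken from the alternate digest.
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(remaining, 16)])
        remaining -= 16
    # For each bit of len(password): a NUL byte if set, else the first password byte.
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds whose input order depends on the round number.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    # Encode the 16 digest bytes in crypt's permuted order: 5 groups of 3 bytes, then 1 byte.
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return MAGIC + salt + b"$" + out


def verify(password: bytes, stored_hash: bytes) -> bool:
    """The same check as des_verify() in pwlib.c: recompute with the stored
    hash as the setting and compare. compare_digest is used instead of
    strcmp() so the comparison does not stop early on the first mismatch."""
    return hmac.compare_digest(md5crypt(password, stored_hash), stored_hash)


if __name__ == "__main__":
    # The hash quoted in the message above, with the password 'plaintext'.
    stored = b"$1$2K1JYNC3$qik58Zlm5tccXeZJ4v0Xm."
    print(parse_salt(stored))               # salt read from the stored hash
    print(md5crypt(b"plaintext", stored))   # should equal the stored hash
    print(verify(b"plaintext", stored), verify(b"wrong", stored))
```

Two caveats for anyone running this in earnest: MD5-crypt's 1000 rounds of MD5 are far below what a modern password hash offers, and the DEBUG_PASSWD_FLAG path mentioned at the top of the thread writes the cleartext password to the debug log, so it should only be switched on for a short diagnosis and the log scrubbed afterwards.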