[tac_plus] Re: FW: Re: tac_plus with PAM on FreeBSD

john heasley heas at shrubbery.net
Thu Mar 13 16:49:03 UTC 2008


Thu, Mar 13, 2008 at 01:41:23AM -0500, Joe Moore:
> It is now working!
> 
> Apparently, something that gets "patched" or altered in the FreeBSD
> "ports" build breaks system and PAM auth. I downloaded the source
> directly from ftp.shrubbery.net, built it without doing anything
> special, and suddenly, authenticating to both PAM (I copied the
> /etc/pam.d/sshd file to /etc/pam.d/tac_plus) and /etc/passwd works fine!
> I had been using the "ports" process all along with FBSD and a plain old
> "./configure, make, make install" on Linux.

so, there are no problems at all, freebsd or centos; right?

> Maybe I'll get really lucky and those annoying "expecting continue"
> console logs will go away too  :-)

That is a cisco bug, afaict.  It started just a few IOS revisions ago.  I
have not yet spent the time to trace it precisely and raise a bug with Cisco.

> Thanks for your support!
> 
> 			...jgm
> 
> 
> 
> 
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Joe Moore
> Sent: Wednesday, March 12, 2008 11:09 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] Re: tac_plus with PAM on FreeBSD
> 
> OK, I tried compiling on FBSD 6.2 and it couldn't find "crypt.h". I
> found a few copies scattered around the system so I copied one from
> /usr/src/lib/libcrypt/. The compile then failed due to a syntax error in
> crypt.h.
> 
> p.c compiled fine on Centos5 Linux. It worked correctly there too.
> 
> I had the same problems on the FBSD 7 box that I had on the 6.2 box
> initially. Then, I noticed that the crypt.h I used was dated June 2,
> 2003! So, I copied the one from /usr/include/rpcsvc/ to /usr/include/.
> That one was dated Feb 24 2008. Then p.c compiled fine and worked on the
> FBSD 7 box.
> 
> Does this get me any closer to fixing this?
> 
> Just for grins I de-installed tac_plus, did a "make clean", another
> compile and install with the crypt.h file still in /usr/include. It
> still doesn't work with "/etc/passwd" or "PAM".
> 
> 			TIA   ...jgm
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Kiss Gabor (Bitman) [mailto:kissg at ssg.ki.iif.hu] 
> Sent: Wednesday, March 12, 2008 1:18 PM
> To: Joe Moore
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Re: tac_plus with PAM on FreeBSD
> 
> > I'm not a developer, but when I run tac_plus with /etc/passwd auth,
> > debug output shows my (correct) password in plain text. Debug also shows
> > what the plain-text password "encrypts to", which does not resemble the
> > hash in /etc/master.passwd.
> > 
> > The hashed pw in master.passwd is MD5 and has an 8 character salt
> > prepended to the hash. I'm guessing (and that's all it is) that maybe
> > tac_plus is using a different method to encrypt the plain-text password
> > than FBSD is using, or maybe it's just not aware of the salt. I know
> 
> pwlib.c contains this:
> des_verify(...)
> {
> 	...
> 	ep = (char *) crypt(users_passwd, encrypted_passwd);
> 	...
> 	if (strcmp(ep, encrypted_passwd) == 0) {
> 		if (debug & DEBUG_PASSWD_FLAG)
> 			report(LOG_DEBUG, "Password is correct");
> 		return(1);
> 	}
> }
> 
> It just passes the old stored hash as 'encrypted_passwd' to crypt().
> It works because the hash begins with the salt.
> 
> I suggest you compile a 5 line test program like this:
> 
> #include <stdio.h>
> #include <crypt.h>
> int main(int argc, char **argv) {
> 	printf("%s\n",crypt(argv[1], argv[2]));
> }
> 
> Assuming source file is called p.c
> 
> $ make CFLAGS='-lcrypt' p
> 
> Then run it with plain password and old hash as arguments.
> Assuming your password is 'plaintext'
> 
> $ ./p plaintext '$1$2K1JYNC3$qik58Zlm5tccXeZJ4v0Xm.'
> $1$2K1JYNC3$qik58Zlm5tccXeZJ4v0Xm.
> 
> It works for me on Debian Etch Linux, i386 architecture.
> What can you see on stdout on different platforms?
> 
> Gabor
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
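
Added example, not part of the original thread or of tac_plus: a small C helper for reading the output of the p.c test quoted above on each platform. Given the stored hash and the string crypt() returned for it, it separates a wrong password from a crypt() that did not apply the stored hash's scheme; the names setting_len, classify and the verdict values are invented for this example.

```c
#include <stdio.h>
#include <string.h>

enum verdict { MATCH, WRONG_PASSWORD, SCHEME_MISMATCH, BAD_STORED_HASH };

/* Length of the prefix crypt() reads as its "setting": "$id$salt$" for a
 * modular hash such as the $1$ (MD5) sample in this thread, or the 2-char
 * salt of a 13-char traditional DES hash. 0 means unusable ("*", "!", ""). */
size_t setting_len(const char *stored)
{
    if (stored[0] == '$') {
        const char *p = strchr(stored + 1, '$');   /* end of scheme id */
        if (p == NULL || p == stored + 1) return 0;
        p = strchr(p + 1, '$');                    /* end of salt field */
        return p ? (size_t)(p - stored) + 1 : 0;
    }
    return strlen(stored) == 13 ? 2 : 0;
}

/* Classify what crypt(password, stored) returned on a given platform. */
enum verdict classify(const char *stored, const char *crypt_out)
{
    size_t n = setting_len(stored);
    if (n == 0) return BAD_STORED_HASH;
    /* NULL, or a failure token starting with '*': the setting was rejected. */
    if (crypt_out == NULL || crypt_out[0] == '*') return SCHEME_MISMATCH;
    /* Output that does not echo the same id+salt came from another scheme. */
    if (strncmp(stored, crypt_out, n) != 0) return SCHEME_MISMATCH;
    return strcmp(stored, crypt_out) == 0 ? MATCH : WRONG_PASSWORD;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "match", "wrong password",
                                   "scheme mismatch", "bad stored hash" };
    if (argc != 3) {
        fprintf(stderr, "usage: %s stored_hash output_of_p\n", argv[0]);
        return 2;
    }
    puts(names[classify(argv[1], argv[2])]);
    return 0;
}
```

Pass it the hash from master.passwd and the line that ./p printed for the same hash; "scheme mismatch" means the comparison in des_verify() would fail even with the correct password.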

