[tac_plus] FW: Re: tac_plus with PAM on FreeBSD

Joe Moore joe.moore at holidaycompanies.com
Thu Mar 13 06:41:23 UTC 2008


It is now working!

Apparently, something that gets "patched" or altered in the FreeBSD
"ports" build breaks system and PAM auth. I downloaded the source
directly from ftp.shrubbery.net, built it without doing anything
special, and suddenly, authenticating to both PAM (I copied the
/etc/pam.d/sshd file to /etc/pam.d/tac_plus) and /etc/passwd works fine!
I had been using the "ports" process all along with FBSD and a plain old
"./configure, make, make install" on Linux.

Maybe I'll get really lucky and those annoying "expecting continue"
console logs will go away too  :-)

Thanks for your support!

			...jgm




-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Joe Moore
Sent: Wednesday, March 12, 2008 11:09 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Re: tac_plus with PAM on FreeBSD

OK, I tried compiling on FBSD 6.2 and it couldn't find "crypt.h". I
found a few copies scattered around the system so I copied one from
/usr/src/lib/libcrypt/. The compile then failed due to a syntax error in
crypt.h.

p.c compiled fine on Centos5 Linux. It worked correctly there too.

I had the same problems on the FBSD 7 box that I had on the 6.2 box
initially. Then, I noticed that the crypt.h I used was dated June 2,
2003! So, I copied the one from /usr/include/rpcsvc/ to /usr/include/.
That one was dated Feb 24 2008. Then p.c compiled fine and worked on the
FBSD 7 box.

Does this get me any closer to fixing this?

Just for grins I de-installed tac_plus, did a "make clean", another
compile and install with the crypt.h file still in /usr/include. It
still doesn't work with "/etc/passwd" or "PAM".

			TIA   ...jgm





-----Original Message-----
From: Kiss Gabor (Bitman) [mailto:kissg at ssg.ki.iif.hu] 
Sent: Wednesday, March 12, 2008 1:18 PM
To: Joe Moore
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Re: tac_plus with PAM on FreeBSD

> I'm not a developer, but when I run tac_plus with /etc/passwd auth,
> debug output shows my (correct) password in plain text. Debug also shows
> what the plain-text password "encrypts to", which does not resemble the
> hash in /etc/master.passwd.
> 
> The hashed pw in master.passwd is MD5 and has an 8 character salt
> prepended to the hash. I'm guessing (and that's all it is) that maybe
> tac_plus is using a different method to encrypt the plain-text password
> than FBSD is using, or maybe it's just not aware of the salt. I know

pwlib.c contains this:
des_verify(...)
{
	...
	ep = (char *) crypt(users_passwd, encrypted_passwd);
	...
	if (strcmp(ep, encrypted_passwd) == 0) {
		if (debug & DEBUG_PASSWD_FLAG)
			report(LOG_DEBUG, "Password is correct");
		return(1);
	}
}

It just passes the old stored hash as 'encrypted_passwd' to crypt().
It works because the hash begins with the salt.

I suggest you compile a 5 line test program like this:

#include <stdio.h>
#include <crypt.h>
int main(int argc, char **argv) {
	printf("%s\n",crypt(argv[1], argv[2]));
}

Assuming source file is called p.c

$ make CFLAGS='-lcrypt' p

Then run it with plain password and old hash as arguments.
Assuming your password is 'plaintext'

$ ./p plaintext '$1$2K1JYNC3$qik58Zlm5tccXeZJ4v0Xm.'
$1$2K1JYNC3$qik58Zlm5tccXeZJ4v0Xm.

It works for me on Debian Etch Linux, i386 architecture.
What can you see on stdout on different platforms?

Gabor
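
The check described above (the stored hash is handed back to crypt() as the setting, and the result is compared with it), as an added example that is not part of the original messages and is not tac_plus code. The names setting_len and classify are hypothetical; the function takes the string crypt() returned as an argument, so it can tell a wrong password apart from a crypt() that used a different scheme than the stored hash. The second and third sample strings are constructed stand-ins, not real crypt() output.

```c
#include <stdio.h>
#include <string.h>

enum verdict { V_MATCH, V_WRONG_PASSWORD, V_SCHEME_MISMATCH, V_CRYPT_FAILED };

/* Length of the setting prefix that crypt() reads back out of a stored hash:
 * "$id$salt$" for modular hashes (the $1$ MD5 form in the thread), or the
 * two salt characters of a traditional DES hash. 0 means malformed. */
static size_t setting_len(const char *stored)
{
    const char *p;
    if (stored[0] != '$')
        return strlen(stored) >= 2 ? 2 : 0;
    p = strchr(stored + 1, '$');            /* end of scheme id */
    if (p != NULL)
        p = strchr(p + 1, '$');             /* end of salt */
    return p != NULL ? (size_t)(p - stored) + 1 : 0;
}

/* stored:   hash from the password file
 * computed: what crypt(password, stored) returned (may be NULL) */
enum verdict classify(const char *stored, const char *computed)
{
    size_t i, n = setting_len(stored);
    unsigned char diff = 0;

    if (computed == NULL)
        return V_CRYPT_FAILED;
    /* Same scheme and salt always give the same prefix and total length. */
    if (n == 0 || strlen(computed) != strlen(stored) ||
        strncmp(stored, computed, n) != 0)
        return V_SCHEME_MISMATCH;
    for (i = n; stored[i] != '\0'; i++)     /* compare without early exit */
        diff |= (unsigned char)(stored[i] ^ computed[i]);
    return diff ? V_WRONG_PASSWORD : V_MATCH;
}

int main(void)
{
    static const char *names[] = { "match", "wrong password",
                                   "scheme mismatch", "crypt() failed" };
    const char *stored = "$1$2K1JYNC3$qik58Zlm5tccXeZJ4v0Xm."; /* from the thread */
    /* Constructed stand-ins for crypt() results, not real crypt() output. */
    const char *samples[] = { stored, "$1$2K1JYNC3$AAAAAAAAAAAAAAAAAAAAAA",
                              "$1abcdefghijk", NULL };
    for (int i = 0; i < 4; i++)
        printf("%-36s -> %s\n", samples[i] ? samples[i] : "(NULL)",
               names[classify(stored, samples[i])]);
    return 0;
}
```

A "scheme mismatch" verdict on a known-good password points at the crypt() the binary was built or linked against, not at the password file.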