public inbox for gnats-devel@sourceware.org
* Re: New feature: Encrypted gnatsd passwords
@ 2001-06-13  6:14 Yngve Svendsen
  2001-06-17 12:26 ` Milan Zamazal
  0 siblings, 1 reply; 4+ messages in thread
From: Yngve Svendsen @ 2001-06-13  6:14 UTC (permalink / raw)
  To: Milan Zamazal, gnats-devel

>[I'm generally not going to add any new features before GNATS 4 is 
>released. However some missing features can be considered being bugs which 
>should be fixed.]
>
>I added support for MD5 encrypted passwords in gnatsd.access, based on a 
>patch by Tommi Virtanen. Now you can use passwords prefixed with `$1$' 
>there, see the documentation of `crypt' in the GNU libc manual for more 
>details about the form of such passwords. Passwords prefixed with $0$ are 
>exact match passwords. Other passwords remain the same as before, i.e. 
>case sensitive wild card match passwords.
>
>Milan Zamazal


As part of updating the GNATS documentation, I have been experimenting with 
this feature. I got it working on Linux, after figuring out the correct 
format for the MD5 password string (which I have documented thoroughly in 
the latest version of the manual).

However, on Solaris, which lacks glibc, MD5 crypt() is not supported. Now, 
the configuration checks indicate that crypt() is available on Solaris, 
resulting in the MD5-supporting code being compiled into gnatsd but without 
working. The password checking routine in gnatsd.c actually ends up 
comparing an MD5 hash with a DES hash.

By removing a couple of ifs in gnatsd.c, I got things working on Solaris 
with DES-encrypted passwords in gnatsd.access. This leads me to ask the 
following question: Should we implement support for DES-encrypted 
passwords? This should be very easy, except for one thing -- we need a way 
to distinguish DES hashes in gnatsd.access from plaintext passwords.

The ordinary way is of course to prefix MD5 hashes with '$1$' and treat 
everything without this prefix as a DES hash, but in the gnatsd.access 
file, we have a third possibility, namely a plaintext password. Is there a 
standard prefix for DES hashes, or could we simply invent our own?

If we decide not to support DES encrypted passwords, the configure checks 
should be tightened so that we can inform the user if he has a crypt() 
without MD5 support.

Yngve Svendsen


* Re: New feature: Encrypted gnatsd passwords
  2001-06-13  6:14 New feature: Encrypted gnatsd passwords Yngve Svendsen
@ 2001-06-17 12:26 ` Milan Zamazal
  2001-06-20 12:50   ` Yngve Svendsen
  0 siblings, 1 reply; 4+ messages in thread
From: Milan Zamazal @ 2001-06-17 12:26 UTC (permalink / raw)
  To: Yngve Svendsen; +Cc: gnats-devel

>>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:

    YS> By removing a couple of ifs in gnatsd.c, I got things working on
    YS> Solaris with DES-encrypted passwords in gnatsd.access. This
    YS> leads me to ask the following question: Should we implement
    YS> support for DES-encrypted passwords? This should be very easy,
    YS> except for one thing -- we need a way to distinguish DES hashes
    YS> in gnatsd.access from plaintext passwords.

AFAIK there is no standard way to do this.  However, the code already
contains a check for `$0$' as the plain text password prefix, so I'd
suggest to simply document and use it and let the default password
format be the DES-encrypted.

However, that is not very elegant and it would require converting already
existing password files.  So it might be better to add a new dbconfig
option for this, but that would be more work and require having a global
configuration file (AFAIK there's none now).

Milan Zamazal

-- 
If we are going to start removing packages because of the quality of the
software, wonderful.  I move to remove all traces of the travesty of editors,
vi, from Debian, since obviously as editors they are less than alpha quality
software.                                   -- Manoj Srivastava in debian-devel


* Re: New feature: Encrypted gnatsd passwords
  2001-06-17 12:26 ` Milan Zamazal
@ 2001-06-20 12:50   ` Yngve Svendsen
  0 siblings, 0 replies; 4+ messages in thread
From: Yngve Svendsen @ 2001-06-20 12:50 UTC (permalink / raw)
  To: Milan Zamazal; +Cc: gnats-devel

At 14:13 17.06.2001 +0200, Milan Zamazal wrote:
>AFAIK there is no standard way to do this.  However, the code already
>contains a check for `$0$' as the plain text password prefix, so I'd
>suggest to simply document and use it and let the default password
>format be the DES-encrypted.

I agree. It should be easy to write a shell or Perl script which converts 
old password files. The administrator could then select whether to keep 
plaintext passwords (i.e. the script would prefix all existing passwords 
with $0$) or DES-encrypt the passwords. I'll look into both scripting and 
changing the default (i.e. non-prefixed) to DES-encrypted. Should be a nice 
and easy little exercise in C for me.

- Yngve
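
The failure described earlier in the thread (an MD5 hash compared against a DES hash when the platform crypt() lacks MD5 support) and the prefix scheme agreed on above, as an added example that is not part of the original messages or of the GNATS source. The names `classify`, `check_password` and the two `toy_*_crypt` functions are hypothetical; the stand-ins only imitate the output shape of a DES-only and an MD5-capable crypt() and are not real hash functions.

```c
#include <stdio.h>
#include <string.h>

/* crypt()-shaped function, injected so both platform behaviours can be shown. */
typedef char *(*crypt_fn)(const char *key, const char *salt);
enum pw_kind { PW_PLAIN_EXACT, PW_MD5, PW_DES };
/* "$0$" = plaintext exact match, "$1$" = MD5 crypt, no prefix = DES crypt. */
enum pw_kind classify(const char *stored)
{
    if (strncmp(stored, "$0$", 3) == 0) return PW_PLAIN_EXACT;
    if (strncmp(stored, "$1$", 3) == 0) return PW_MD5;
    return PW_DES;
}

/* Returns 1 on match, 0 on mismatch, -1 if crypt() cannot do this hash type. */
int check_password(const char *stored, const char *given, crypt_fn do_crypt)
{
    enum pw_kind kind = classify(stored);
    const char *hash;
    if (kind == PW_PLAIN_EXACT) return strcmp(stored + 3, given) == 0;
    hash = do_crypt(given, stored);
    /* A DES-only crypt() takes "$1" as its two-character salt and returns a
       DES-format string; report that rather than compare MD5 against DES. */
    if (hash == NULL || (kind == PW_MD5 && strncmp(hash, "$1$", 3) != 0))
        return -1;
    return strcmp(hash, stored) == 0;
}

/* Constructed stand-ins, NOT real hashes: output is salt + space-padded key. */
char *toy_des_only_crypt(const char *key, const char *salt)
{
    static char out[14];
    snprintf(out, sizeof out, "%.2s%-11.11s", salt, key);
    return out;
}

char *toy_md5_capable_crypt(const char *key, const char *salt)
{
    static char out[32];
    if (strncmp(salt, "$1$", 3) != 0) return toy_des_only_crypt(key, salt);
    snprintf(out, sizeof out, "%.6s%-11.11s", salt, key);
    return out;
}

int main(void)
{
    const char *entry = "$1$ab$elevenchars"; /* constructed sample entry */
    printf("%d ", check_password(entry, "elevenchars", toy_md5_capable_crypt));
    printf("%d\n", check_password(entry, "elevenchars", toy_des_only_crypt));
    return 0;
}
```

The same prefix test on the result of a probe call to the real crypt() is what a tightened configure check would rely on.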


* New feature: Encrypted gnatsd passwords
@ 2001-01-30 14:14 Milan Zamazal
  0 siblings, 0 replies; 4+ messages in thread
From: Milan Zamazal @ 2001-01-30 14:14 UTC (permalink / raw)
  To: GNATS Development Mailing List

[I'm generally not going to add any new features before GNATS 4 is
released.  However some missing features can be considered being bugs
which should be fixed.]

I added support for MD5 encrypted passwords in gnatsd.access, based on a
patch by Tommi Virtanen.  Now you can use passwords prefixed with `$1$'
there, see the documentation of `crypt' in the GNU libc manual for more
details about the form of such passwords.  Passwords prefixed with $0$
are exact match passwords.  Other passwords remain the same as before,
i.e. case sensitive wild card match passwords.

Milan Zamazal

-- 
real programmer?  don't get me started.  if you need to hide your
pathetic excuse for a career behind super-macho languages like C, C++,
and/or Perl instead of writing clean, maintainable, efficient code, you
aren't much of a real programmer in my view.  -- Erik Naggum in comp.emacs
