* Encrypted password patch
@ 2001-06-20 15:24 Yngve Svendsen
2001-06-21 22:54 ` /etc/qnats-db.conf Margaret BRIERTON
2001-06-24 11:26 ` Encrypted password patch Milan Zamazal
0 siblings, 2 replies; 14+ messages in thread
From: Yngve Svendsen @ 2001-06-20 15:24 UTC (permalink / raw)
To: Milan Zamazal; +Cc: gnats-devel
The following patch against current version 4 CVS implements the following
password system:
- If the password in gnatsd.access is prefixed with $0$, the password is
assumed to be explicit plaintext.
- If it is prefixed with $1$, it is assumed to be in MD5 format.
- If it has no prefix, it is assumed to be in standard DES crypt format.
I have tested this both on Linux and Solaris, and it works just as expected.
I'll amend the manual tomorrow (I won't commit the changes to the manual
until the pending move of the manual in the directory tree is done) and
then write a Perl script to convert old password files.
Yngve Svendsen
Index: gnatsd.c
===================================================================
RCS file: /cvs/gnats/gnats/gnats/gnatsd.c,v
retrieving revision 1.41
diff -u -p -r1.41 gnatsd.c
--- gnatsd.c 2001/06/10 17:17:19 1.41
+++ gnatsd.c 2001/06/20 22:11:50
@@ -276,28 +276,18 @@ match (const char *line, const char *pat
static int
password_match (const char *password, const char *hash)
{
- /* TODO: document the facility in the manual */
-
if (! strncmp (hash, "$0$", 3))
{
/* explicit plain-text password */
return ! strcmp (password, hash+3);
}
- else if (! strncmp (hash, "$1$", 3))
+ else
{
- /* MD5 hash of the password */
-#ifdef HAVE_LIBCRYPT
+ /* DES or MD5 password. If crypt supports MD5, it uses MD5 when
+ the salt starts with $1$. If there's no prefix standard DES
+ is assumed */
char *encrypted = crypt (password, hash);
return encrypted && ! strcmp (encrypted, hash);
-#else
- /* TODO: log some warning */
- return FALSE;
-#endif
- }
- else
- {
- /* default password type is plain-text */
- return match (password, hash, TRUE);
}
}
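Review bot: the new `else` branch calls `crypt (password, hash)` with the `#ifdef HAVE_LIBCRYPT` guard removed, so a build on a system without `crypt` no longer compiles; keep the guard around the call and `return FALSE` in the `#else` path. The same branch replaces the old default `match (password, hash, TRUE)`, so unprefixed entries that used to be compared as plaintext are now treated as DES hashes and will stop matching until the password file is converted, which should be stated in the comment and the manual.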
^ permalink raw reply [flat|nested] 14+ messages in thread
* /etc/qnats-db.conf
2001-06-20 15:24 Encrypted password patch Yngve Svendsen
@ 2001-06-21 22:54 ` Margaret BRIERTON
2001-06-22 0:11 ` /etc/qnats-db.conf Yngve Svendsen
2001-06-24 11:26 ` Encrypted password patch Milan Zamazal
1 sibling, 1 reply; 14+ messages in thread
From: Margaret BRIERTON @ 2001-06-21 22:54 UTC (permalink / raw)
To: gnats-devel
Hi
I'm trying to get gnatsweb up and running except I've stumbled upon a serious
problem.
The file /etc/qnats-db.conf doesn't exist.
My question is, how come this file wasn't installed........?
Have I left out some installation step?
We really need to get this up and running. Thanks for your time.
Margaret
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: /etc/qnats-db.conf
2001-06-21 22:54 ` /etc/qnats-db.conf Margaret BRIERTON
@ 2001-06-22 0:11 ` Yngve Svendsen
0 siblings, 0 replies; 14+ messages in thread
From: Yngve Svendsen @ 2001-06-22 0:11 UTC (permalink / raw)
To: Margaret BRIERTON, gnats-devel
At 15:51 22.06.2001 +1000, Margaret BRIERTON wrote:
>Hi
>
>I'm trying to get gnatsweb up and running except I've stumbled upon a serious
>problem.
>
>The file /etc/qnats-db.conf doesn't exist.
>
>My question is, how come this file wasn't installed........?
>
>Have I left out some installation step?
>
>We really need to get this up and running. Thanks for your time.
No, you haven't left out anything. Multiple database support and the
/etc/gnats-db.conf file were introduced in one of the latest versions of the
3.x series, and the documentation was never updated to match it fully. You
should create a gnats-db.conf file according to the example in Appendix C,
then things should work.
Yngve Svendsen
IS Engineer
Clustra AS, Trondheim, Norway
yngve.svendsen@clustra.com
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Encrypted password patch
2001-06-20 15:24 Encrypted password patch Yngve Svendsen
2001-06-21 22:54 ` /etc/qnats-db.conf Margaret BRIERTON
@ 2001-06-24 11:26 ` Milan Zamazal
2001-06-24 11:34 ` Rick Macdonald
` (2 more replies)
1 sibling, 3 replies; 14+ messages in thread
From: Milan Zamazal @ 2001-06-24 11:26 UTC (permalink / raw)
To: Yngve Svendsen; +Cc: gnats-devel
>>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:
YS> The following patch against current version 4 CVS implements the
YS> following password system:
YS> - If the password in gnatsd.access is prefixed with $0$, the
YS> password is assumed to be explicit plaintext. - If it is
YS> prefixed with $1$, it is assumed to be in MD5 format. - If it
YS> has no prefix, it is assumed to be in standard DES crypt format.
YS> I have tested this both on Linux and Solaris, and it works just
YS> as expected.
Please note that patch breaks the compilation if the `crypt' function is
not present. It should handle the situation reasonably, possibly by
never matching passwords not starting with $0$; the code must be
#ifdefed appropriately.
YS> then write a Perl script to convert old password files.
I wouldn't like to make GNATS installation dependent on Perl (despite
this is only a small utility), so the script should be written in C or
in sh using standard Unix tools (I'd think about awk, I think it's
present on every Unix system).
(If anything of the above is difficult for you, no problem -- just
define the behavior and I'll do it.)
Regards,
Milan Zamazal
--
Free software is about freedom, not about free beer. If you care only about
the latter, you'll end up with no freedom and no free beer.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Encrypted password patch
2001-06-24 11:26 ` Encrypted password patch Milan Zamazal
@ 2001-06-24 11:34 ` Rick Macdonald
2001-06-24 12:06 ` Milan Zamazal
2001-06-24 15:05 ` Yngve Svendsen
2001-06-26 6:13 ` Encrypted password patch Yngve Svendsen
2 siblings, 1 reply; 14+ messages in thread
From: Rick Macdonald @ 2001-06-24 11:34 UTC (permalink / raw)
To: Milan Zamazal; +Cc: Yngve Svendsen, gnats-devel
I haven't been following this thread very closely, but have a question.
If TkGnats is ever ported to GNATS v4, what does it need to support these
encrypted passwords? An externally compiled C program?
On 24 Jun 2001, Milan Zamazal wrote:
> >>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:
>
> YS> The following patch against current version 4 CVS implements the
> YS> following password system:
>
> YS> - If the password in gnatsd.access is prefixed with $0$, the
> YS> password is assumed to be explicit plaintext. - If it is
> YS> prefixed with $1$, it is assumed to be in MD5 format. - If it
> YS> has no prefix, it is assumed to be in standard DES crypt format.
>
> YS> I have tested this both on Linux and Solaris, and it works just
> YS> as expected.
>
> Please note that patch breaks the compilation if the `crypt' function is
> not present. It should handle the situation reasonably, possibly by
> never matching passwords not starting with $0$; the code must be
> #ifdefed appropriately.
>
> YS> then write a Perl script to convert old password files.
>
> I wouldn't like to make GNATS installation dependent on Perl (despite
> this is only a small utility), so the script should be written in C or
> in sh using standard Unix tools (I'd think about awk, I think it's
> present on every Unix system).
>
> (If anything of the above is difficult for you, no problem -- just
> define the behavior and I'll do it.)
>
> Regards,
>
> Milan Zamazal
>
> --
> Free software is about freedom, not about free beer. If you care only about
> the latter, you'll end up with no freedom and no free beer.
>
...RickM...
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Encrypted password patch
2001-06-24 11:34 ` Rick Macdonald
@ 2001-06-24 12:06 ` Milan Zamazal
2001-06-24 12:33 ` Rick Macdonald
0 siblings, 1 reply; 14+ messages in thread
From: Milan Zamazal @ 2001-06-24 12:06 UTC (permalink / raw)
To: Rick Macdonald; +Cc: Yngve Svendsen, gnats-devel
>>>>> "RM" == Rick Macdonald <rickm@vsl.com> writes:
RM> If TkGnats is ever ported to GNATS v4, what does it need to
RM> support these encrypted passwords? An externally compiled C
RM> program?
You mean Tcl doesn't provide `crypt'? Hm, then you can either require
plain text passwords in the password files or use gnatsd or use the C
external program. I think it doesn't differ significantly from the
current situation?
Regards,
Milan Zamazal
--
And why?
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Encrypted password patch
2001-06-24 12:06 ` Milan Zamazal
@ 2001-06-24 12:33 ` Rick Macdonald
2001-06-24 15:19 ` Milan Zamazal
0 siblings, 1 reply; 14+ messages in thread
From: Rick Macdonald @ 2001-06-24 12:33 UTC (permalink / raw)
To: Milan Zamazal; +Cc: Yngve Svendsen, gnats-devel
On 24 Jun 2001, Milan Zamazal wrote:
> >>>>> "RM" == Rick Macdonald <rickm@vsl.com> writes:
>
> RM> If TkGnats is ever ported to GNATS v4, what does it need to
> RM> support these encrypted passwords? An externally compiled C
> RM> program?
>
> You mean Tcl doesn't provide `crypt'? Hm, then you can either require
> plain text passwords in the password files or use gnatsd or use the C
> external program. I think it doesn't differ significantly from the
> current situation?
Perhaps I don't understand the whole issue.
Would TkGnats just send the plain text password to gnatsd, and gnatsd
would do the encryption/validation? That would be OK.
Does gnatsweb send clear text passwords to gnatsd or does it do something
better? I recall people complaining (a few years ago) not only of plain
text passwords in the gnatsd config but also the transfer of plain text
passwords to gnatsd as well.
...RickM...
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Encrypted password patch
2001-06-24 11:26 ` Encrypted password patch Milan Zamazal
2001-06-24 11:34 ` Rick Macdonald
@ 2001-06-24 15:05 ` Yngve Svendsen
2001-06-24 15:25 ` Milan Zamazal
2001-06-26 6:13 ` Encrypted password patch Yngve Svendsen
2 siblings, 1 reply; 14+ messages in thread
From: Yngve Svendsen @ 2001-06-24 15:05 UTC (permalink / raw)
To: Milan Zamazal; +Cc: gnats-devel
At 17:45 24.06.2001 +0200, Milan Zamazal wrote:
>Please note that patch breaks the compilation if the `crypt' function is
>not present. It should handle the situation reasonably, possibly by
>never matching passwords not starting with $0$; the code must be
>#ifdefed appropriately.
I'll look into it as soon as I can.
>I wouldn't like to make GNATS installation dependent on Perl (despite
>this is only a small utility), so the script should be written in C or
>in sh using standard Unix tools (I'd think about awk, I think it's
>present on every Unix system).
Yes, I'll see what I can get done. The only problem is that calculating MD5
hashes in a portable way in a shell script might prove to be a real
challenge. It might be that we need a C program for the job. If so, I'll
try to specify the intended behaviour to you.
- Yngve
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Encrypted password patch
2001-06-24 12:33 ` Rick Macdonald
@ 2001-06-24 15:19 ` Milan Zamazal
0 siblings, 0 replies; 14+ messages in thread
From: Milan Zamazal @ 2001-06-24 15:19 UTC (permalink / raw)
To: Rick Macdonald; +Cc: Yngve Svendsen, gnats-devel
>>>>> "RM" == Rick Macdonald <rickm@vsl.com> writes:
RM> Would TkGnats just send the plain text password to gnatsd, and
RM> gnatsd would do the encryption/validation?
Yes, nothing changes in the (gnatsd) interface.
RM> Does gnatsweb send clear text passwords to gnatsd or does it do
RM> something better?
I think it sends clear text passwords.
RM> I recall people complaining (a few years ago) not only of plain
RM> text passwords in the gnatsd config but also the transfer of
RM> plain text passwords to gnatsd as well.
Yes, that might be a reason to complain. However sending encrypted
passwords over network is not much better. I think a good solution
might be a system level solution -- making a secured channel (through
some port redirection or so) between Gnatsweb and gnatsd. A less
my-servers-and-clients-only oriented solution might be to let gnatsd sit
behind a simple ssh script on some port and to add the support to
Gnatsweb, TkGnats and the Emacs interface to communicate via ssh with
the server.
Another solution is to use Kerberos (GNATS has got support for it though
I've no idea whether it works or not), but the Kerberos support might be
difficult to implement in non-C clients which talk to gnatsd directly.
But I'm not a security expert, nor have I seriously worked as a sysadmin in
recent years, so I'd better let someone more competent in this area speak.
Regards,
Milan Zamazal
--
SomeProgrammersLikeWritingLikeThis.However,IDontThinkThisFormOfCommunicationIs\
AGoodIdea.IApologizeToAllWhoCantReadMyTextsWrittenInAClassicStyle.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Encrypted password patch
2001-06-24 15:05 ` Yngve Svendsen
@ 2001-06-24 15:25 ` Milan Zamazal
2001-06-25 23:29 ` cgi_error Margaret BRIERTON
0 siblings, 1 reply; 14+ messages in thread
From: Milan Zamazal @ 2001-06-24 15:25 UTC (permalink / raw)
To: Yngve Svendsen; +Cc: gnats-devel
>>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:
YS> Yes, I'll see what I can get done. The only problem is that
YS> calculating MD5 hashes in a portable way in a shell script might
YS> prove to be a real challenge. It might be that we need a C
YS> program for the job. If so, I'll try to specify the intended
YS> behaviour to you.
Well, you're right, though `md5sum' exists on many systems, it's very
likely not present everywhere and moreover I can't recall any DES
utility right now. So let's go C, the program should be quite simple,
I'll write it once we know what we want exactly.
Regards,
Milan Zamazal
--
Here is my advice, don't try to program the bleeding edge for the
general populace unless you really, really, really like migraines.
Neal H. Walfield
^ permalink raw reply [flat|nested] 14+ messages in thread
* cgi_error
2001-06-24 15:25 ` Milan Zamazal
@ 2001-06-25 23:29 ` Margaret BRIERTON
2001-06-26 1:06 ` cgi_error Yngve Svendsen
0 siblings, 1 reply; 14+ messages in thread
From: Margaret BRIERTON @ 2001-06-25 23:29 UTC (permalink / raw)
To: gnats-devel
Hi
I'm trying to use gnatsweb but am having problems!
When I try and access the script "gnatsweb.pl" from our server I get the
following problem:
Software error:
Undefined subroutine CGI::cgi_error
For help, please send mail to the webmaster (root@localhost), giving this
error message and
the time and date of the error.
I've looked up the Apache web page but am completely lost.
Has anyone seen this problem before?
margaret
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: cgi_error
2001-06-25 23:29 ` cgi_error Margaret BRIERTON
@ 2001-06-26 1:06 ` Yngve Svendsen
0 siblings, 0 replies; 14+ messages in thread
From: Yngve Svendsen @ 2001-06-26 1:06 UTC (permalink / raw)
To: Margaret BRIERTON, gnats-devel
At 16:26 26.06.2001 +1000, Margaret BRIERTON wrote:
>Hi
>
>I'm trying to use gnatsweb but am having problems!
>
>When I try and access the script "gnatsweb.pl" from our server I get the
>following problem:
>
>Software error:
>
>Undefined subroutine CGI::cgi_error
>
>For help, please send mail to the webmaster (root@localhost), giving this
>error message and
>the time and date of the error.
>
>
>I've looked up the Apache web page but am completely lost.
>
>Has anyone seen this problem before?
You need to update the version of the CGI.pm Perl module on your system.
If you have the CPAN module installed on your system, the following command
line, run as "root", should update CGI.pm:
perl -MCPAN -e 'install CGI'
If you don't have the CPAN module, go to http://www.cpan.org/ and find the
CGI module manually.
Yngve Svendsen
Gnatsweb maintainer
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Encrypted password patch
2001-06-24 11:26 ` Encrypted password patch Milan Zamazal
2001-06-24 11:34 ` Rick Macdonald
2001-06-24 15:05 ` Yngve Svendsen
@ 2001-06-26 6:13 ` Yngve Svendsen
2001-06-27 14:45 ` Milan Zamazal
2 siblings, 1 reply; 14+ messages in thread
From: Yngve Svendsen @ 2001-06-26 6:13 UTC (permalink / raw)
To: Milan Zamazal; +Cc: gnats-devel
At 17:45 24.06.2001 +0200, Milan Zamazal wrote:
>Please note that patch breaks the compilation if the `crypt' function is
>not present. It should handle the situation reasonably, possibly by
>never matching passwords not starting with $0$; the code must be
>#ifdefed appropriately.
A properly ifdefed patch is attached below. I added in again the ifdefs
that you originally added in order to support MD5. I think we should log a
warning if the password file contains encrypted passwords on systems that
don't support it, so I also added in the original line saying "TODO: log
some warning". I don't know how logging works, so I leave that to someone
else to add.
- Yngve
Index: gnatsd.c
===================================================================
RCS file: /cvs/gnats/gnats/gnats/gnatsd.c,v
retrieving revision 1.41
diff -u -p -r1.41 gnatsd.c
--- gnatsd.c 2001/06/10 17:17:19 1.41
+++ gnatsd.c 2001/06/26 13:03:07
@@ -271,33 +271,29 @@ match (const char *line, const char *pat
}
}
+
/* Return true iff `password' matches `hash'.
`hash' is a possibly encrypted password, according to the $?$
convention. */
static int
password_match (const char *password, const char *hash)
{
- /* TODO: document the facility in the manual */
-
if (! strncmp (hash, "$0$", 3))
{
/* explicit plain-text password */
return ! strcmp (password, hash+3);
}
- else if (! strncmp (hash, "$1$", 3))
+ else
{
- /* MD5 hash of the password */
-#ifdef HAVE_LIBCRYPT
- char *encrypted = crypt (password, hash);
+ /* DES or MD5 password. If crypt supports MD5, it uses MD5 when
+ the salt starts with $1$. If there's no prefix standard DES
+ is assumed */
+#ifdef HAVE_LIBCRYPT
+ char *encrypted = crypt (password, hash);
return encrypted && ! strcmp (encrypted, hash);
#else
/* TODO: log some warning */
return FALSE;
#endif
- }
- else
- {
- /* default password type is plain-text */
- return match (password, hash, TRUE);
}
}
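Review bot: in the `#else` path every entry without the `$0$` prefix returns FALSE with only `/* TODO: log some warning */` behind it, so on a build without HAVE_LIBCRYPT all hashed and unprefixed entries fail silently; resolve the TODO with a logged warning that names the unsupported entry format before this is applied. The removed `/* TODO: document the facility in the manual */` also needs a matching manual change, since unprefixed entries switch from the old `match (password, hash, TRUE)` plaintext comparison to DES.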
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Encrypted password patch
2001-06-26 6:13 ` Encrypted password patch Yngve Svendsen
@ 2001-06-27 14:45 ` Milan Zamazal
0 siblings, 0 replies; 14+ messages in thread
From: Milan Zamazal @ 2001-06-27 14:45 UTC (permalink / raw)
To: Yngve Svendsen; +Cc: gnats-devel
>>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:
YS> A properly ifdefed patch is attached below.
This one looks OK, thanks. However I postpone its application for now,
until the password handling tool is written.
YS> so I also added in the original line saying "TODO: log some
YS> warning".
Right.
YS> don't know how logging works, so I leave that to someone else to add.
To my knowledge, logging in GNATS is a total mess and it's one of the
things I'd like to get fixed before GNATS 4 is released.
Regards,
Milan Zamazal
--
I think any law that restricts independent use of brainpower is suspect.
-- Kent Pitman in comp.lang.lisp
^ permalink raw reply [flat|nested] 14+ messages in thread
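As an added example (not code from this thread or from GNATS), the following C sketch classifies a stored password field under the `$0$` / `$1$` / unprefixed convention and flags entries that the patched `password_match` would pass to `crypt` although they are not well-formed hashes, such as legacy plaintext left unprefixed. The names `pw_kind` and `classify_stored_password` are hypothetical, the sample fields are constructed, and the format checks assume the conventional 13-character DES crypt string and `$1$salt$` followed by 22 characters for MD5 crypt.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names; not taken from gnatsd.c. */
enum pw_kind {
  PW_PLAIN,        /* "$0$..." explicit plaintext */
  PW_MD5,          /* well-formed "$1$salt$hash" */
  PW_DES,          /* well-formed 13-character DES crypt string */
  PW_NEEDS_REVIEW  /* would go to crypt() but is not a well-formed hash,
                      e.g. a legacy unprefixed plaintext entry */
};

static const char CRYPT_CHARS[] =
  "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Return 1 iff the n characters at s are all in the crypt(3) alphabet. */
static int
all_crypt_chars (const char *s, size_t n)
{
  size_t i;
  for (i = 0; i < n; i++)
    if (s[i] == '\0' || strchr (CRYPT_CHARS, s[i]) == NULL)
      return 0;
  return 1;
}

/* Classify one stored password field by the $?$ convention of the patch. */
enum pw_kind
classify_stored_password (const char *field)
{
  if (! strncmp (field, "$0$", 3))
    return PW_PLAIN;
  if (! strncmp (field, "$1$", 3))
    {
      /* MD5 crypt: "$1$", up to 8 salt chars, "$", 22 hash chars. */
      const char *salt = field + 3;
      const char *sep = strchr (salt, '$');
      if (sep != NULL && sep - salt <= 8
          && all_crypt_chars (salt, (size_t) (sep - salt))
          && strlen (sep + 1) == 22 && all_crypt_chars (sep + 1, 22))
        return PW_MD5;
      return PW_NEEDS_REVIEW;
    }
  /* Traditional DES crypt: 2 salt chars + 11 hash chars. */
  if (strlen (field) == 13 && all_crypt_chars (field, 13))
    return PW_DES;
  return PW_NEEDS_REVIEW;
}

int
main (void)
{
  /* Constructed sample fields, not real hashes. */
  const char *samples[] = { "$0$secret", "abCDEFGHIJKLM", "secret",
                            "$1$abcdefgh$0123456789abcdefghijkl" };
  size_t i;
  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf ("%-40s -> %d\n", samples[i], classify_stored_password (samples[i]));
  return 0;
}
```

A legacy plaintext password that happens to be 13 characters from the crypt alphabet cannot be told apart from a DES hash, so entries reported as `PW_DES` still need a check against the file's history.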