public inbox for gnats-devel@sourceware.org
* Encrypted password patch
@ 2001-06-20 15:24 Yngve Svendsen
  2001-06-21 22:54 ` /etc/qnats-db.conf Margaret BRIERTON
  2001-06-24 11:26 ` Encrypted password patch Milan Zamazal
  0 siblings, 2 replies; 14+ messages in thread
From: Yngve Svendsen @ 2001-06-20 15:24 UTC (permalink / raw)
  To: Milan Zamazal; +Cc: gnats-devel

The following patch against current version 4 CVS implements the following 
password system:

- If the password in gnatsd.access is prefixed with $0$, the password is 
assumed to be explicit plaintext.
- If it is prefixed with $1$, it is assumed to be in MD5 format.
- If it has no prefix, it is assumed to be in standard DES crypt format.

I have tested this both on Linux and Solaris, and it works just as expected.

I'll amend the manual tomorrow (I won't commit the changes to the manual 
until the pending move of the manual in the directory tree is done) and 
then write a Perl script to convert old password files.

Yngve Svendsen


Index: gnatsd.c
===================================================================
RCS file: /cvs/gnats/gnats/gnats/gnatsd.c,v
retrieving revision 1.41
diff -u -p -r1.41 gnatsd.c
--- gnatsd.c	2001/06/10 17:17:19	1.41
+++ gnatsd.c	2001/06/20 22:11:50
@@ -276,28 +276,18 @@ match (const char *line, const char *pat
  static int
  password_match (const char *password, const char *hash)
  {
-  /* TODO: document the facility in the manual */
-
    if (! strncmp (hash, "$0$", 3))
      {
        /* explicit plain-text password */
        return ! strcmp (password, hash+3);
      }
-  else if (! strncmp (hash, "$1$", 3))
+  else
      {
-      /* MD5 hash of the password */
-#ifdef HAVE_LIBCRYPT
+	  /* DES or MD5 password. If crypt supports MD5, it uses MD5 when
+         the salt starts with $1$. If there's no prefix standard DES
+         is assumed */
        char *encrypted = crypt (password, hash);
        return encrypted && ! strcmp (encrypted, hash);
-#else
-      /* TODO: log some warning */
-      return FALSE;
-#endif
-    }
-  else
-    {
-      /* default password type is plain-text */
-      return match (password, hash, TRUE);
      }
  }
  
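Review bot: The `crypt (password, hash)` call in the new `else` branch is no longer wrapped in `#ifdef HAVE_LIBCRYPT`, and the `#else` path that returned `FALSE` is removed, so a build on a system without `crypt` will fail to compile or link. Keep the guard around the call and return `FALSE` when it is undefined. Separately, the removed default branch treated an unprefixed entry as plain text through `match (password, hash, TRUE)`; with this change the same entry is handed to `crypt` as a DES hash, so existing unprefixed plain-text entries stop authenticating until they are rewritten with a `$0$` prefix. That is worth a sentence in the function comment, since the `TODO: document the facility` line is dropped here. The added comment block is also tab-indented and misaligned against the surrounding code.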


* /etc/qnats-db.conf
  2001-06-20 15:24 Encrypted password patch Yngve Svendsen
@ 2001-06-21 22:54 ` Margaret BRIERTON
  2001-06-22  0:11   ` /etc/qnats-db.conf Yngve Svendsen
  2001-06-24 11:26 ` Encrypted password patch Milan Zamazal
  1 sibling, 1 reply; 14+ messages in thread
From: Margaret BRIERTON @ 2001-06-21 22:54 UTC (permalink / raw)
  To: gnats-devel

Hi

I'm trying to get gnatsweb up and running except I've stumbled upon a serious
problem.

The file /etc/qnats-db.conf doesn't exist.

My question is, how come this file wasn't installed........?

Have I left out some installation step?

We really need to get this up and running.  Thanks for your time.



Margaret




* Re: /etc/qnats-db.conf
  2001-06-21 22:54 ` /etc/qnats-db.conf Margaret BRIERTON
@ 2001-06-22  0:11   ` Yngve Svendsen
  0 siblings, 0 replies; 14+ messages in thread
From: Yngve Svendsen @ 2001-06-22  0:11 UTC (permalink / raw)
  To: Margaret BRIERTON, gnats-devel

At 15:51 22.06.2001 +1000, Margaret BRIERTON wrote:
>Hi
>
>I'm trying to get gnatsweb up and running except I've stumbled upon a serious
>problem.
>
>The file /etc/qnats-db.conf doesn't exist.
>
>My question is, how come this file wasn't installed........?
>
>Have I left out some installation step?
>
>We really need to get this up and running.  Thanks for your time.

No, you haven't left out anything. Multiple database support and the 
/etc/gnats-db.conf file were introduced in one of the latest versions of the 
3.x series, and the documentation was never updated to match it fully. You 
should create a gnats-db.conf file according to the example in Appendix C, 
then things should work.

Yngve Svendsen
IS Engineer
Clustra AS, Trondheim, Norway
yngve.svendsen@clustra.com


* Re: Encrypted password patch
  2001-06-20 15:24 Encrypted password patch Yngve Svendsen
  2001-06-21 22:54 ` /etc/qnats-db.conf Margaret BRIERTON
@ 2001-06-24 11:26 ` Milan Zamazal
  2001-06-24 11:34   ` Rick Macdonald
                     ` (2 more replies)
  1 sibling, 3 replies; 14+ messages in thread
From: Milan Zamazal @ 2001-06-24 11:26 UTC (permalink / raw)
  To: Yngve Svendsen; +Cc: gnats-devel

>>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:

    YS> The following patch against current version 4 CVS implements the
    YS> following password system:

    YS> - If the password in gnatsd.access is prefixed with $0$, the
    YS> password is assumed to be explicit plaintext.  - If it is
    YS> prefixed with $1$, it is assumed to be in MD5 format.  - If it
    YS> has no prefix, it is assumed to be in standard DES crypt format.

    YS> I have tested this both on Linux and Solaris, and it works just
    YS> as expected.

Please note that patch breaks the compilation if the `crypt' function is
not present.  It should handle the situation reasonably, possibly by
never matching passwords not starting with $0$; the code must be
#ifdefed appropriately.

    YS> then write a Perl script to convert old password files.

I wouldn't like to make GNATS installation dependent on Perl (despite
this is only a small utility), so the script should be written in C or
in sh using standard Unix tools (I'd think about awk, I think it's
present on every Unix system).

(If anything of the above is difficult for you, no problem -- just
define the behavior and I'll do it.)

Regards,

Milan Zamazal

-- 
Free software is about freedom, not about free beer.  If you care only about
the latter, you'll end up with no freedom and no free beer.


* Re: Encrypted password patch
  2001-06-24 11:26 ` Encrypted password patch Milan Zamazal
@ 2001-06-24 11:34   ` Rick Macdonald
  2001-06-24 12:06     ` Milan Zamazal
  2001-06-24 15:05   ` Yngve Svendsen
  2001-06-26  6:13   ` Encrypted password patch Yngve Svendsen
  2 siblings, 1 reply; 14+ messages in thread
From: Rick Macdonald @ 2001-06-24 11:34 UTC (permalink / raw)
  To: Milan Zamazal; +Cc: Yngve Svendsen, gnats-devel

I haven't been following this thread very closely, but have a question.

If TkGnats is ever ported to GNATS v4, what does it need to support these
encrypted passwords? An externally compiled C program?

On 24 Jun 2001, Milan Zamazal wrote:

> >>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:
> 
>     YS> The following patch against current version 4 CVS implements the
>     YS> following password system:
> 
>     YS> - If the password in gnatsd.access is prefixed with $0$, the
>     YS> password is assumed to be explicit plaintext.  - If it is
>     YS> prefixed with $1$, it is assumed to be in MD5 format.  - If it
>     YS> has no prefix, it is assumed to be in standard DES crypt format.
> 
>     YS> I have tested this both on Linux and Solaris, and it works just
>     YS> as expected.
> 
> Please note that patch breaks the compilation if the `crypt' function is
> not present.  It should handle the situation reasonably, possibly by
> never matching passwords not starting with $0$; the code must be
> #ifdefed appropriately.
> 
>     YS> then write a Perl script to convert old password files.
> 
> I wouldn't like to make GNATS installation dependent on Perl (despite
> this is only a small utility), so the script should be written in C or
> in sh using standard Unix tools (I'd think about awk, I think it's
> present on every Unix system).
> 
> (If anything of the above is difficult for you, no problem -- just
> define the behavior and I'll do it.)
> 
> Regards,
> 
> Milan Zamazal
> 
> -- 
> Free software is about freedom, not about free beer.  If you care only about
> the latter, you'll end up with no freedom and no free beer.
> 

...RickM...


* Re: Encrypted password patch
  2001-06-24 11:34   ` Rick Macdonald
@ 2001-06-24 12:06     ` Milan Zamazal
  2001-06-24 12:33       ` Rick Macdonald
  0 siblings, 1 reply; 14+ messages in thread
From: Milan Zamazal @ 2001-06-24 12:06 UTC (permalink / raw)
  To: Rick Macdonald; +Cc: Yngve Svendsen, gnats-devel

>>>>> "RM" == Rick Macdonald <rickm@vsl.com> writes:

    RM> If TkGnats is ever ported to GNATS v4, what does it need to
    RM> support these encrypted passwords? An externally compiled C
    RM> program?

You mean Tcl doesn't provide `crypt'?  Hm, then you can either require
plain text passwords in the password files or use gnatsd or use the C
external program.  I think it doesn't differ significantly from the
current situation?

Regards,

Milan Zamazal

-- 
And why?


* Re: Encrypted password patch
  2001-06-24 12:06     ` Milan Zamazal
@ 2001-06-24 12:33       ` Rick Macdonald
  2001-06-24 15:19         ` Milan Zamazal
  0 siblings, 1 reply; 14+ messages in thread
From: Rick Macdonald @ 2001-06-24 12:33 UTC (permalink / raw)
  To: Milan Zamazal; +Cc: Yngve Svendsen, gnats-devel

On 24 Jun 2001, Milan Zamazal wrote:

> >>>>> "RM" == Rick Macdonald <rickm@vsl.com> writes:
> 
>     RM> If TkGnats is ever ported to GNATS v4, what does it need to
>     RM> support these encrypted passwords? An externally compiled C
>     RM> program?
> 
> You mean Tcl doesn't provide `crypt'?  Hm, then you can either require
> plain text passwords in the password files or use gnatsd or use the C
> external program.  I think it doesn't differ significantly from the
> current situation?

Perhaps I don't understand the whole issue.

Would TkGnats just send the plain text password to gnatsd, and gnatsd
would do the encryption/validation? That would be OK.

Does gnatsweb send clear text passwords to gnatsd or does it do something
better? I recall people complaining (a few years ago) not only of plain
text passwords in the gnatsd config but also the transfer of plain text
passwords to gnatsd as well.

...RickM...


* Re: Encrypted password patch
  2001-06-24 11:26 ` Encrypted password patch Milan Zamazal
  2001-06-24 11:34   ` Rick Macdonald
@ 2001-06-24 15:05   ` Yngve Svendsen
  2001-06-24 15:25     ` Milan Zamazal
  2001-06-26  6:13   ` Encrypted password patch Yngve Svendsen
  2 siblings, 1 reply; 14+ messages in thread
From: Yngve Svendsen @ 2001-06-24 15:05 UTC (permalink / raw)
  To: Milan Zamazal; +Cc: gnats-devel

At 17:45 24.06.2001 +0200, Milan Zamazal wrote:
>Please note that patch breaks the compilation if the `crypt' function is
>not present.  It should handle the situation reasonably, possibly by
>never matching passwords not starting with $0$; the code must be
>#ifdefed appropriately.

I'll look into it as soon as I can.

>I wouldn't like to make GNATS installation dependent on Perl (despite
>this is only a small utility), so the script should be written in C or
>in sh using standard Unix tools (I'd think about awk, I think it's
>present on every Unix system).

Yes, I'll see what I can get done. The only problem is that calculating MD5 
hashes in a portable way in a shell script might prove to be a real 
challenge. It might be that we need a C program for the job. If so, I'll 
try to specify the intended behaviour to you.

- Yngve


* Re: Encrypted password patch
  2001-06-24 12:33       ` Rick Macdonald
@ 2001-06-24 15:19         ` Milan Zamazal
  0 siblings, 0 replies; 14+ messages in thread
From: Milan Zamazal @ 2001-06-24 15:19 UTC (permalink / raw)
  To: Rick Macdonald; +Cc: Yngve Svendsen, gnats-devel


>>>>> "RM" == Rick Macdonald <rickm@vsl.com> writes:

    RM> Would TkGnats just send the plain text password to gnatsd, and
    RM> gnatsd would do the encryption/validation?

Yes, nothing changes in the (gnatsd) interface.

    RM> Does gnatsweb send clear text passwords to gnatsd or does it do
    RM> something better?

I think it sends clear text passwords.

    RM> I recall people complaining (a few years ago) not only of plain
    RM> text passwords in the gnatsd config but also the transfer of
    RM> plain text passwords to gnatsd as well.

Yes, that might be a reason to complain.  However sending encrypted
passwords over network is not much better.  I think a good solution
might be a system level solution -- making a secured channel (through
some port redirection or so) between Gnatsweb and gnatsd.  A less
my-servers-and-clients-only oriented solution might be to let gnatsd sit
behind a simple ssh script on some port and to add the support to
Gnatsweb, TkGnats and the Emacs interface to communicate via ssh with
the server.

Another solution is to use Kerberos (GNATS has got support for it though
I've no idea whether it works or not), but the Kerberos support might be
difficult to implement in non-C clients which talk to gnatsd directly.

But I'm not a security expert, nor have I seriously worked as a sysadmin in
recent years, so I'd better let someone more competent in this area speak.

Regards,

Milan Zamazal

-- 
SomeProgrammersLikeWritingLikeThis.However,IDontThinkThisFormOfCommunicationIs\
AGoodIdea.IApologizeToAllWhoCantReadMyTextsWrittenInAClassicStyle.


* Re: Encrypted password patch
  2001-06-24 15:05   ` Yngve Svendsen
@ 2001-06-24 15:25     ` Milan Zamazal
  2001-06-25 23:29       ` cgi_error Margaret BRIERTON
  0 siblings, 1 reply; 14+ messages in thread
From: Milan Zamazal @ 2001-06-24 15:25 UTC (permalink / raw)
  To: Yngve Svendsen; +Cc: gnats-devel

>>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:

    YS> Yes, I'll see what I can get done. The only problem is that
    YS> calculating MD5 hashes in a portable way in a shell script might
    YS> prove to be a real challenge. It might be that we need a C
    YS> program for the job. If so, I'll try to specify the intended
    YS> behaviour to you.

Well, you're right, though `md5sum' exists on many systems, it's very
likely not present everywhere and moreover I can't recall any DES
utility right now.  So let's go C, the program should be quite simple,
I'll write it once we know what we want exactly.

Regards,

Milan Zamazal

-- 
Here is my advice, don't try to program the bleeding edge for the
general populace unless you really, really, really like migraines.
						   Neal H. Walfield


* cgi_error
  2001-06-24 15:25     ` Milan Zamazal
@ 2001-06-25 23:29       ` Margaret BRIERTON
  2001-06-26  1:06         ` cgi_error Yngve Svendsen
  0 siblings, 1 reply; 14+ messages in thread
From: Margaret BRIERTON @ 2001-06-25 23:29 UTC (permalink / raw)
  To: gnats-devel

Hi

I'm trying to use gnatsweb but am having problems!

When I try and access the script "gnatsweb.pl" from our server I get the
following problem:

Software error:

Undefined subroutine CGI::cgi_error

For help, please send mail to the webmaster (root@localhost), giving this
error message and
the time and date of the error.


I've looked up the Apache web page but am completely lost.

Has anyone seen this problem before?

margaret


* Re: cgi_error
  2001-06-25 23:29       ` cgi_error Margaret BRIERTON
@ 2001-06-26  1:06         ` Yngve Svendsen
  0 siblings, 0 replies; 14+ messages in thread
From: Yngve Svendsen @ 2001-06-26  1:06 UTC (permalink / raw)
  To: Margaret BRIERTON, gnats-devel

At 16:26 26.06.2001 +1000, Margaret BRIERTON wrote:
>Hi
>
>I'm trying to use gnatsweb but am having problems!
>
>When I try and access the script "gnatsweb.pl" from our server I get the
>following problem:
>
>Software error:
>
>Undefined subroutine CGI::cgi_error
>
>For help, please send mail to the webmaster (root@localhost), giving this
>error message and
>the time and date of the error.
>
>
>I've looked up the Apache web page but am completely lost.
>
>Has anyone seen this problem before?

You need to update the version of the CGI.pm Perl module on your system.

If you have the CPAN module installed on your system, the following command 
line, run as "root", should update CGI.pm:

perl -MCPAN -e 'install CGI'

If you don't have the CPAN module, go to http://www.cpan.org/ and find the 
CGI module manually.

Yngve Svendsen
Gnatsweb maintainer


* Re: Encrypted password patch
  2001-06-24 11:26 ` Encrypted password patch Milan Zamazal
  2001-06-24 11:34   ` Rick Macdonald
  2001-06-24 15:05   ` Yngve Svendsen
@ 2001-06-26  6:13   ` Yngve Svendsen
  2001-06-27 14:45     ` Milan Zamazal
  2 siblings, 1 reply; 14+ messages in thread
From: Yngve Svendsen @ 2001-06-26  6:13 UTC (permalink / raw)
  To: Milan Zamazal; +Cc: gnats-devel

At 17:45 24.06.2001 +0200, Milan Zamazal wrote:
>Please note that patch breaks the compilation if the `crypt' function is
>not present.  It should handle the situation reasonably, possibly by
>never matching passwords not starting with $0$; the code must be
>#ifdefed appropriately.

A properly ifdefed patch is attached below. I added in again the ifdefs 
that you originally added in order to support MD5. I think we should log a 
warning if the password file contains encrypted passwords on systems that 
don't support it, so I also added in the original line saying "TODO: log 
some warning". I don't know how logging works, so I leave that to someone 
else to add.

- Yngve


Index: gnatsd.c
===================================================================
RCS file: /cvs/gnats/gnats/gnats/gnatsd.c,v
retrieving revision 1.41
diff -u -p -r1.41 gnatsd.c
--- gnatsd.c    2001/06/10 17:17:19     1.41
+++ gnatsd.c    2001/06/26 13:03:07
@@ -271,33 +271,29 @@ match (const char *line, const char *pat
      }
  }

+
  /* Return true iff `password' matches `hash'.
     `hash' is a possibly encrypted password, according to the $?$ 
convention. */
  static int
  password_match (const char *password, const char *hash)
  {
-  /* TODO: document the facility in the manual */
-
    if (! strncmp (hash, "$0$", 3))
      {
        /* explicit plain-text password */
        return ! strcmp (password, hash+3);
      }
-  else if (! strncmp (hash, "$1$", 3))
+  else
      {
-      /* MD5 hash of the password */
-#ifdef HAVE_LIBCRYPT
-      char *encrypted = crypt (password, hash);
+      /* DES or MD5 password. If crypt supports MD5, it uses MD5 when
+         the salt starts with $1$. If there's no prefix standard DES
+         is assumed */
+#ifdef HAVE_LIBCRYPT
+         char *encrypted = crypt (password, hash);
        return encrypted && ! strcmp (encrypted, hash);
  #else
        /* TODO: log some warning */
        return FALSE;
  #endif
-    }
-  else
-    {
-      /* default password type is plain-text */
-      return match (password, hash, TRUE);
      }
  }

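Review bot: With `HAVE_LIBCRYPT` undefined, the `#else` branch now returns `FALSE` for every entry that does not start with `$0$`, including the unprefixed entries that the removed `match (password, hash, TRUE)` branch accepted as plain text, so such a build rejects all of those logins with nothing logged. Until the `TODO: log some warning` is filled in, state this in the function comment, which still only refers to "the $?$ convention" and could list the three formats and what an unprefixed entry now means. The re-added `char *encrypted = crypt (password, hash);` line is indented deeper than the `return` below it, and the lone `+` blank line before the comment is an unrelated whitespace change; both can be cleaned up before this is applied.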


* Re: Encrypted password patch
  2001-06-26  6:13   ` Encrypted password patch Yngve Svendsen
@ 2001-06-27 14:45     ` Milan Zamazal
  0 siblings, 0 replies; 14+ messages in thread
From: Milan Zamazal @ 2001-06-27 14:45 UTC (permalink / raw)
  To: Yngve Svendsen; +Cc: gnats-devel

>>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:

    YS> A properly ifdefed patch is attached below.

This one looks OK, thanks.  However I postpone its application for now,
until the password handling tool is written.

    YS> so I also added in the original line saying "TODO: log some
    YS> warning".

Right.

    YS> don't know how logging works, so I leave that to someone else to add.

To my knowledge, logging in GNATS is a total mess and it's one of the
things I'd like to get fixed before GNATS 4 is released.

Regards,

Milan Zamazal

-- 
I think any law that restricts independent use of brainpower is suspect.
                                               -- Kent Pitman in comp.lang.lisp
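
The conversion step discussed in this thread, as an added example that is not part of any message here and is not GNATS code: a C filter that tags unprefixed entries of a pre-patch password file with `$0$`, so they keep matching as plain text once an unprefixed entry means DES crypt. The `user:password:rest` line layout, the `#` comment rule and the names `migrate_line`, `MIGRATED`, `UNCHANGED` and `NEEDS_REVIEW` are assumptions; the sample lines in the comments are constructed.

```c
/* Added example: one-time migration of a pre-patch gnatsd.access file.
   ASSUMPTION: each entry is "user:password:rest..." and '#' starts a
   comment; the real file layout is not shown in the thread.  */
#include <stdio.h>
#include <string.h>

enum { UNCHANGED = 0, MIGRATED = 1, NEEDS_REVIEW = -1 };

/* Rewrite one entry into `out'.  Before the patch an unprefixed password
   was plain text; after it, unprefixed means DES crypt.  Tagging such an
   entry with $0$ keeps it plain text under the new rules, e.g.
   "alice:secret:edit" becomes "alice:$0$secret:edit" (constructed).  */
static int
migrate_line (const char *in, char *out, size_t outlen)
{
  const char *pw;
  size_t user_len, pw_len;

  /* Room for the input plus the three-byte tag and the NUL.  */
  if (outlen < strlen (in) + 4)
    return NEEDS_REVIEW;
  strcpy (out, in);
  if (in[0] == '#' || in[0] == '\n' || in[0] == '\0')
    return UNCHANGED;            /* comment or blank line */

  pw = strchr (in, ':');
  if (pw == NULL)
    return NEEDS_REVIEW;         /* no password field at all */
  user_len = (size_t) (pw - in);
  pw++;
  pw_len = strcspn (pw, ":\n");

  if (! strncmp (pw, "$0$", 3) || ! strncmp (pw, "$1$", 3))
    return UNCHANGED;            /* already tagged plain text or MD5 */
  if (pw_len == 0)
    return NEEDS_REVIEW;         /* never create an empty "$0$" password */

  snprintf (out, outlen, "%.*s:%s%s", (int) user_len, in, "$0$", pw);
  return MIGRATED;
}

/* Filter stdin to stdout; flagged lines are copied through and reported.  */
int
main (void)
{
  char in[1024], out[1024 + 4];
  unsigned long lineno = 0;
  int flagged = 0;

  while (fgets (in, sizeof in, stdin) != NULL)
    {
      lineno++;
      if (strchr (in, '\n') == NULL && ! feof (stdin))
        {
          fprintf (stderr, "line %lu: too long, aborting\n", lineno);
          return 2;              /* a split line would be parsed twice */
        }
      if (migrate_line (in, out, sizeof out) == NEEDS_REVIEW)
        {
          fprintf (stderr, "line %lu: needs manual review\n", lineno);
          flagged = 1;
        }
      fputs (out, stdout);
    }
  return flagged;
}
```

Run it once, on a file written for the pre-patch code: an unprefixed DES hash added after the patch would be tagged as a plain-text password. Entries that relied on `match` pattern behaviour become exact `strcmp` comparisons once tagged with `$0$`.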
