passwd()/crypt() emulation incorrect

Dave Jones JONESD at er6s1.eng.ohio-state.edu
Mon Mar 3 17:50:01 GMT 2003


The way the samba port emulates passwd()/crypt() functionality against the
SYSUAF is wrong; you can't simply return a pointer to the VMS password
hash quadword as the passwd string.  In traditional UNIX, the passwd()
function returns a pointer to a null-terminated encoding of the password
hash, the first 2 bytes of which are a 'salt' value.  The crypt() function
takes the salt value and a candidate plain-text password to generate another
encoded string for comparison (using strcmp()) with the original encoded
passwd string.  The raw binary string returned by the emulation routines
can yield false positives if the hash has embedded zeros due to samba's
use of strcmp() for the comparison.

I did a scan of my system's SYSUAF and 2.6% of the hashes have a zero
before the eighth byte.  The earlier in the quadword the zero occurs,
the more potential for false password matches.

I placed a pwd.c in http://www.er6.eng.ohio-state.edu/~jonesd/samba/pwd.zip
that returns valid ASCIZ strings for the passwd and crypt functions.
The string encodes an extended salt so you don't have to assume the
crypt() call refers to the most recent data returned by passwd().

------------------------------------------------------------------------------
David L. Jones               |      Phone:    (614) 292-6929
Ohio State University        |      Internet:
140 W. 19th St. Rm. 231a     |               jonesd at er6s1.eng.ohio-state.edu
Columbus, OH 43210           |               vman+ at osu.edu

Disclaimer: I'm looking for marbles all day long.
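
The strcmp() false positive described in the message above, as an added example that is not part of the original post and is not the pwd.c it links to. The two hash values are constructed, and the hex encoding is only an assumed stand-in for "a valid ASCIZ string"; the encoding pwd.c actually uses is not shown on the page.

```c
#include <stdio.h>
#include <string.h>

#define HASH_LEN 8                      /* the VMS password hash is a quadword */
#define ENC_LEN  (2 * HASH_LEN + 1)     /* hex digits plus terminating NUL */

/* Constructed sample hashes: identical up to the zero at offset 2, different after. */
static const unsigned char stored_hash[HASH_LEN]    = {0x3a,0x91,0x00,0x5c,0x77,0xe2,0x10,0xbd};
static const unsigned char candidate_hash[HASH_LEN] = {0x3a,0x91,0x00,0xff,0x01,0x02,0x03,0x04};

/* How many leading bytes strcmp() really examines before it hits a zero. */
static size_t bytes_compared(const unsigned char *h)
{
    const unsigned char *z = memchr(h, 0, HASH_LEN);
    return z ? (size_t)(z - h) : HASH_LEN;
}

/* Flawed check: the raw quadword is handed to strcmp() as if it were a string.
 * The copies carry a trailing NUL so strcmp() cannot run past the buffer. */
static int raw_strcmp_match(const unsigned char *a, const unsigned char *b)
{
    char sa[HASH_LEN + 1] = {0}, sb[HASH_LEN + 1] = {0};
    memcpy(sa, a, HASH_LEN);
    memcpy(sb, b, HASH_LEN);
    return strcmp(sa, sb) == 0;
}

/* Assumed encoding: 16 lowercase hex digits, so no byte of the output is zero. */
static void hex_encode(const unsigned char *h, char out[ENC_LEN])
{
    static const char digits[] = "0123456789abcdef";
    for (int i = 0; i < HASH_LEN; i++) {
        out[2 * i]     = digits[h[i] >> 4];
        out[2 * i + 1] = digits[h[i] & 0x0f];
    }
    out[2 * HASH_LEN] = '\0';
}

/* Same strcmp() call, but on encoded strings: all 8 hash bytes now take part. */
static int encoded_strcmp_match(const unsigned char *a, const unsigned char *b)
{
    char ea[ENC_LEN], eb[ENC_LEN];
    hex_encode(a, ea);
    hex_encode(b, eb);
    return strcmp(ea, eb) == 0;
}

int main(void)
{
    printf("bytes strcmp examines: %zu of %d\n", bytes_compared(stored_hash), HASH_LEN);
    printf("raw strcmp match:      %d\n", raw_strcmp_match(stored_hash, candidate_hash));
    printf("encoded strcmp match:  %d\n", encoded_strcmp_match(stored_hash, candidate_hash));
    return 0;
}
```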

