bug-cvs

pserver login fails on 9 char passwords


From: Mäkeläinen Juha
Subject: pserver login fails on 9 char passwords
Date: Mon, 29 Mar 2004 09:25:33 +0300

Resending a lost bug report:

-----Original-----
Sender: Mäkeläinen Juha 
Sent: 15 Jan 2004 14:04
Receiver: 'bug-cvs@gnu.org'
Subject: pserver login fails on 9 char passwords


This problem was found when using cvs-1.11.11 server on HP-UX and wincvs 
client. 

If the user password is 9 chars long, the crypted password from the client is 13 
characters but the password obtained from the HP-UX secure password system is 24 characters. 
The server.c module can not handle that.

Login fails and wincvs client says:

cvs -d :pserver:u123456@our-host.fi:/cvs/fdits login 
Logging in to :pserver:u123456@our-host.fi:2401:/cvs/fdits
cvs [login aborted]: authorization failed: server our-host.fi rejected access 
to /cvs/fdits for user u123456

Server (HP-UX B.11.11 U 9000/800) syslog.log message:

Jan 13 09:54:54 our-host syslog: login failure (for /cvs/fdits)
Jan 13 09:56:16 our-host syslog: password mismatch for u543251: F0sPYT3vo0Gmc vs. F0sPYT3vo0GmcT.Z51tttO6Q


I have used pre-compiled versions like cvs-1.11.8 and also compiled my own 
cvs-1.11.11 using these options:

CFLAGS="-g +DAportable -DLOG_AUTHPRIV" ./configure \
                --without-gssapi --enable-server-flow-control

(In this system HAVE_GETSPNAM is defined.)


This is my temporary workaround to cvs-1.11.11, which seems to work:

$ LC_ALL=C diff -c server.c.orig server.c

*** server.c.orig       Thu Dec 18 19:59:46 2003
--- server.c    Wed Jan 14 15:42:50 2004
***************
*** 5508,5514 ****
--- 5508,5526 ----
      if (*found_passwd)
      {
        /* user exists and has a password */
+ #ifdef FD_JM_20040114
+       /* In HP-UX B.11.11 found_passwd is occasionally longer
+        * than crypted passwd here (24 compared to 13 bytes).
+        * This happened when the user password length is 9 characters.
+        * FIXME - Our workaround is based on my belief that crypted
+        * password is never very short. Is it true?
+        * Now we compare only by the common part of both strings.
+        */
+       char *crypt_passwd = crypt (password, found_passwd);
+       if (strncmp (found_passwd, crypt_passwd, strlen (crypt_passwd))
+ == 0) #else
        if (strcmp (found_passwd, crypt (password, found_passwd)) == 0)
+ #endif
        {
            host_user = xstrdup (username);
        }
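Review bot: the `strncmp (found_passwd, crypt_passwd, strlen (crypt_passwd))` check turns the login into a prefix match, which weakens authentication rather than restoring it. As the syslog line in the report shows, the 13-character `crypt()` output (`F0sPYT3vo0Gmc`) is exactly the first 13 characters of the 24-character stored hash (`F0sPYT3vo0GmcT.Z51tttO6Q`); the trailing 11 characters, which are what the longer HP-UX hash adds for a 9-character password, are never compared, so any candidate password that agrees with the real one on the portion covered by the short hash is accepted. The safer reaction to a length mismatch is to reject the login (and log the mismatch, as the existing code already does), or to hash the candidate with the same long-password routine the system used when it stored `found_passwd` and then compare the full strings with `strcmp`. The FIXME also asks the wrong question: the risk is not a "very short" crypted password but a stored hash that is longer than the computed one, as here. Finally, the quoted line `+ == 0) #else` will not compile as shown, since `#else` must begin on its own line; this looks like mail wrapping, so the patch should be resent unwrapped or as an attachment.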


--
        Juha Mäkeläinen / Systems Specialist
    FD Finanssidata Oy / P.O. Box 308 / FIN-00101 Helsinki
       juha.makelainen@osuuspankki.fi
  t. +358-9-404 3075 / +358-40 715 5151 / fax +358-9-404 3007
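As an added illustration, not part of the report or of CVS's server.c, here is the posted prefix comparison beside a length-checking, constant-time replacement, fed with the two hash strings from the syslog line above; the function names and the `auth_result` enum are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Sample values copied from the syslog line in the report above: the
 * 24-character hash the HP-UX password database returned for the
 * 9-character password, and the 13-character crypt() result the server
 * computed from the client's password. No crypt() call is needed here. */
static const char *STORED_HASH = "F0sPYT3vo0GmcT.Z51tttO6Q";
static const char *COMPUTED_HASH = "F0sPYT3vo0Gmc";

enum auth_result {
    AUTH_OK = 0,
    AUTH_BAD_PASSWORD = 1,
    AUTH_HASH_FORMAT_MISMATCH = 2   /* hash lengths differ: wrong algorithm */
};

/* The workaround's comparison, as posted: only strlen(computed) bytes are
 * examined, so a stored hash that merely starts with the computed one
 * passes. Returns 1 on "match". */
int prefix_match(const char *stored, const char *computed)
{
    return strncmp(stored, computed, strlen(computed)) == 0;
}

/* Hardened check. A length difference means the candidate was hashed with
 * a different (shorter) algorithm than the stored value, so it is reported
 * as a format mismatch for the operator to fix, never silently accepted.
 * Equal-length strings are compared over every byte (no early exit on the
 * first differing byte), so the trailing bytes can never be skipped. */
enum auth_result check_password_hash(const char *stored, const char *computed)
{
    size_t n = strlen(stored);
    unsigned char diff = 0;
    size_t i;

    if (n != strlen(computed))
        return AUTH_HASH_FORMAT_MISMATCH;
    for (i = 0; i < n; i++)
        diff |= (unsigned char)(stored[i] ^ computed[i]);
    return diff == 0 ? AUTH_OK : AUTH_BAD_PASSWORD;
}
```

With the report's values, `prefix_match` accepts the 13-character result against the 24-character stored hash while `check_password_hash` reports a format mismatch.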



