help-gnats

Re: Patch: Fix user authentication + MKDB


From: Lars Henriksen
Subject: Re: Patch: Fix user authentication + MKDB
Date: Sun, 29 Sep 2002 11:40:01 +0200
User-agent: Mutt/1.4i

On Fri, Sep 27, 2002 at 02:59:28PM -0700, Pankaj K Garg wrote:
> >...
> > I've spotted one difference in behaviour: gnatsd no longer seems to
> > remember the user when you switch between databases (it still remembers
> 
> Oops...yes, this should not have happened. There was a problem with
> the way I was handling NULL usernames and passwords.
> 
> Should be fixed in the attached patch.

It is! I believe your patch is OK now as far as plaintext/no password
is concerned. Apart from making the password checking work, this is a
convenient improvement.

But as for DES/MD5 I believe the original code is correct:

  else
    {
      /* DES crypt or MD5 hash of the password */
#ifdef HAVE_LIBCRYPT
      char *encrypted = crypt (password, hash);
      return encrypted && ! strcmp (encrypted, hash);
#else
      /* TODO: log some warning */
      return FALSE;
#endif
    }

It is for crypt() to decide the form of password encryption based on
the contents of hash: if hash begins with $1$ it will use MD5, if it
doesn't begin with $<digit>$ it will use DES. The return value of
crypt() is similarly adjusted with a starting $1$ for MD5. This assumes
an MD5-supporting crypt(3) (e.g. FreeBSD or GNU). With a traditional
Unix crypt() function you will of course get DES encryption.

Regards
Lars Henriksen
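
The prefix rule described in the message above, as an added example that is not part of the original message or of the gnats source. The names hash_scheme and check_crypt_password are hypothetical. The example goes slightly beyond the message by checking that a non-$ hash has the 13-character shape of traditional DES crypt output and by rejecting $<digit>$ ids other than $1$.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#ifdef HAVE_LIBCRYPT
#include <unistd.h>   /* crypt(); some systems declare it in <crypt.h> */
#endif

enum scheme { SCHEME_DES, SCHEME_MD5, SCHEME_OTHER, SCHEME_INVALID };

/* Hypothetical helper: which algorithm an MD5-capable crypt(3) would pick
   for a stored hash, following the prefix rule described in the message. */
enum scheme hash_scheme(const char *hash)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    if (hash == NULL)
        return SCHEME_INVALID;
    if (strncmp(hash, "$1$", 3) == 0)
        return SCHEME_MD5;
    if (hash[0] == '$' && isdigit((unsigned char)hash[1]) && hash[2] == '$')
        return SCHEME_OTHER;        /* some other $<digit>$ identifier */
    /* Traditional DES: 2 salt chars + 11 hash chars from the crypt alphabet. */
    if (strlen(hash) == 13 && strspn(hash, alphabet) == 13)
        return SCHEME_DES;
    return SCHEME_INVALID;          /* e.g. a plaintext entry, not a hash */
}

/* Returns 1 on match, 0 otherwise. Fails closed, like the quoted code. */
int check_crypt_password(const char *password, const char *hash)
{
    enum scheme s = hash_scheme(hash);

    if (password == NULL || (s != SCHEME_DES && s != SCHEME_MD5))
        return 0;
#ifdef HAVE_LIBCRYPT
    {
        /* crypt() reads salt and algorithm from the stored hash itself. */
        const char *encrypted = crypt(password, hash);
        return encrypted != NULL && strcmp(encrypted, hash) == 0;
    }
#else
    return 0;                       /* no crypt(3) available: reject */
#endif
}
```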



