info-cvs

Re: cvs pserver authorization failed


From: Larry Jones
Subject: Re: cvs pserver authorization failed
Date: Wed, 21 Nov 2001 02:26:53 -0500 (EST)

James Garrison writes:
> 
> Here are some example lines from /var/log/secure (SYSLOG/AUTHPRIV)
> for previously failed login attempts.
[...]
> The string after the / which I assume is supposed to be the obfuscated
> password, doesn't match what's in the protocol stream:

It's supposed to be the UNobfuscated password, which is why it's logged
in AUTHPRIV, but there was a bug in the code.  You might want to try
applying the appended patch and trying it again.  If you're using MD5
passwords and you're using a pre-built CVS, it may be that it wasn't
linked against an MD5-enabled libc.

Index: server.c
===================================================================
RCS file: /cvs/ccvs/src/server.c,v
retrieving revision 1.264
retrieving revision 1.265
diff -u -r1.264 -r1.265
--- server.c    21 Jun 2001 21:23:09 -0000      1.264
+++ server.c    26 Jun 2001 20:09:42 -0000      1.265
@@ -5795,8 +5795,6 @@
     /* We need the real cleartext before we hash it. */
     descrambled_password = descramble (password);
     host_user = check_password (username, descrambled_password, repository);
-    memset (descrambled_password, 0, strlen (descrambled_password));
-    free (descrambled_password);
     if (host_user == NULL)
     {
 #ifdef HAVE_SYSLOG_H
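Review bot: the spot where the memset/free pair is removed, right after the check_password call, needs a comment saying why the wipe is deferred. The reason is only visible further down, where the syslog call in the host_user == NULL branch still passes descrambled_password as an argument. Without a note along the lines of "keep the cleartext until the failure has been logged", a later cleanup could move the two lines back up and reintroduce a read of freed memory.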
@@ -5806,6 +5804,8 @@
                username, descrambled_password, repository);
 #endif
 #endif
+       memset (descrambled_password, 0, strlen (descrambled_password));
+       free (descrambled_password);
     i_hate_you:
        printf ("I HATE YOU\n");
        fflush (stdout);
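Review bot: the new memset/free in the failure branch sits above the i_hate_you: label, so any path that reaches the label by goto instead of falling through skips the wipe. If such a jump can happen after descramble () has run, the cleartext stays in the heap until the process exits. Either confirm that every goto i_hate_you precedes the descramble call, or initialise descrambled_password to NULL and do the wipe after the label when it is non-NULL.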
@@ -5814,6 +5814,8 @@
           yet.  */
        error_exit ();
     }
+    memset (descrambled_password, 0, strlen (descrambled_password));
+    free (descrambled_password);
 
     /* Don't go any farther if we're just responding to "cvs login". */
     if (verify_and_exit)
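Review bot: the success-path wipe repeats the two lines added in the failure branch, and in both places the memset is immediately followed by free, which makes it a dead store that an optimising compiler is allowed to drop. Suggest folding both copies into one small helper that clears the buffer through a volatile pointer (or a platform secure-zero routine where one is available) and then frees it, so the clearing is guaranteed and lives in one place.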

-Larry Jones

Fortunately, that was our plan from the start. -- Calvin


