Bug 13047

Summary: crypt() with 2 char salt is not returning 13 character backwards compatible strings
Product: Base System
Reporter: smkelly <smkelly>
Component: misc
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 3.2-STABLE
Hardware: Any
OS: Any

Description smkelly 1999-08-09 22:50:01 UTC
	The libcrypt.so.2 library contains the crypt() function.
	Other implementations only support a format with a two
	character salt which generates a 13 character password.
	The FreeBSD crypt(3) manpage says that there is backward
	compatibility for such things if the 'setting' (second
	argument passed to crypt()) is just two characters.
	However, I am getting >13 character passwords even by
	using the compatible mode that the manpage described.
	This breaks some programs such as Internet Relay Chat
	Daemons that use crypted passwords on many platforms.

Fix: 

	In the example, the Compat: should read '42RsTfgD2n9Gs'.
	Libcrypt needs to be fixed so it is backward compatible again.
How-To-Repeat: 
	(1) smkelly@area51:~$ cat <<EOF >crypt.c
	> #include <stdio.h>
	> #include <unistd.h>
	> int main()
	> {
	> printf("Compat: %s\n", crypt("FreeBSD", "42"));
	> printf("Incompat: %s\n", crypt("FreeBSD", "_DEADBEEF"));
	> return 0;
	> }
	> EOF
	(2) smkelly@area51:~$ gcc -o crypt crypt.c -lcrypt
	(3) smkelly@area51:~$ ./crypt
	Compat: $1$42$2kP4RJzDJDeJaNnfz6kAD1
	Incompat: $1$_DEADBEE$qewOsrc1LJwwvGy7HmsLp0

Comment 1 Danny J. Zerkel 1999-08-10 03:10:25 UTC
Looks like compatibility has been gone since 1994...

-- Danny J. Zerkel
"Sursum ad Absurdum"

Comment 2 chris 1999-08-10 06:10:25 UTC
On Mon, Aug 09, 1999, smkelly@slashnet.org wrote:
> 	(2) smkelly@area51:~$ gcc -o crypt crypt.c -lcrypt
> 	(3) smkelly@area51:~$ ./crypt
> 	Compat: $1$42$2kP4RJzDJDeJaNnfz6kAD1
> 	Incompat: $1$_DEADBEE$qewOsrc1LJwwvGy7HmsLp0
> 
> 
> >Fix:
> 	
> 	In the example, the Compat: should read '42RsTfgD2n9Gs'.
> 	Libcrypt needs to be fixed so it is backward compatible again.

   No, libcrypt is linked to libscrypt on your system
(obviously), and libscrypt will not create those style passwords
-- they are MD5-based only.

-- 
|Chris Costello <chris@calldei.com>
|I haven't lost my mind; it's backed up on tape somewhere.
`---------------------------------------------------------

Comment 3 des 1999-08-11 08:58:47 UTC
smkelly@slashnet.org writes:
> 	However, I am getting >13 character passwords even by
> 	using the compatible mode that the manpage described.
> 	This breaks some programs such as Internet Relay Chat
> 	Daemons that use crypted passwords on many platforms.

You didn't install the DES library. The 13-character hashes you
describe are DES hashes, which are supported by the optional DES
library.

DES (the hacker, not the hash)
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

Comment 4 chris freebsd_committer freebsd_triage 1999-08-13 04:47:28 UTC
State Changed
From-To: open->closed

Originator confirms his problem has been fixed.
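
The mismatch in this report (a two-character setting answered with a `$1$` MD5 string instead of a 13-character DES string) can be detected by a program from the layout of what crypt() returns. The following is an added example, not part of the original report or of FreeBSD's code; the function names are hypothetical, and the extended-DES layout (`_` + 4 count + 4 salt + 11 hash characters) is assumed from crypt(3) rather than taken from this page.

```c
#include <stdio.h>
#include <string.h>

enum scheme { H_UNKNOWN, H_DES, H_EXT_DES, H_MD5 };
/* Length of the leading run drawn from crypt's alphabet "./0-9A-Za-z". */
static size_t b64_span(const char *s)
{
    return strspn(s, "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "abcdefghijklmnopqrstuvwxyz");
}

/* Classify a string returned by crypt() by its layout. */
enum scheme classify_hash(const char *h)
{
    if (h == NULL) return H_UNKNOWN;
    if (strncmp(h, "$1$", 3) == 0) {
        /* MD5: "$1$" + salt (at most 8 chars) + "$" + 22 chars */
        size_t salt = strcspn(h + 3, "$");
        const char *sum = h + 3 + salt;
        if (salt > 8 || *sum != '$') return H_UNKNOWN;
        return (strlen(sum + 1) == 22 && b64_span(sum + 1) == 22)
                   ? H_MD5 : H_UNKNOWN;
    }
    if (h[0] == '_')  /* extended DES (layout assumed from crypt(3)) */
        return (strlen(h) == 20 && b64_span(h + 1) == 19)
                   ? H_EXT_DES : H_UNKNOWN;
    /* traditional DES: 2 salt + 11 hash = 13 characters */
    return (strlen(h) == 13 && b64_span(h) == 13) ? H_DES : H_UNKNOWN;
}

/* Scheme that a setting (second argument to crypt()) asks for. */
enum scheme requested_scheme(const char *setting)
{
    if (strncmp(setting, "$1$", 3) == 0) return H_MD5;
    if (setting[0] == '_') return H_EXT_DES;
    return b64_span(setting) >= 2 ? H_DES : H_UNKNOWN;
}

/* 1 if the hash is in the scheme the setting asked for, else 0. */
int setting_honoured(const char *setting, const char *hash)
{
    enum scheme want = requested_scheme(setting);
    return want != H_UNKNOWN && classify_hash(hash) == want;
}

int main(void)
{
    /* Setting and output copied from the report above. */
    printf("honoured: %d\n",
           setting_honoured("42", "$1$42$2kP4RJzDJDeJaNnfz6kAD1"));
    return 0;
}
```

A program that stores 13-character hashes can pass the result of a probe call such as crypt("probe", "42") to setting_honoured() at startup and report the missing DES library instead of failing password checks later.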