James Garrison writes:
>
> Here are some example lines from /var/log/secure (SYSLOG/AUTHPRIV)
> for previously failed login attempts.
[...]
> The string after the / which I assume is supposed to be the obfuscated
> password, doesn't match what's in the protocol stream:

It's supposed to be the UNobfuscated password, which is why it's logged in AUTHPRIV, but there was a bug in the code. You might want to try applying the appended patch and trying it again. If you're using MD5 passwords and you're using a pre-built CVS, it may be that it wasn't linked against an MD5-enabled libc.

Index: server.c =================================================================== RCS file: /cvs/ccvs/src/server.c,v retrieving revision 1.264 retrieving revision 1.265 diff -u -r1.264 -r1.265 --- server.c 21 Jun 2001 21:23:09 -0000 1.264 +++ server.c 26 Jun 2001 20:09:42 -0000 1.265 @@ -5795,8 +5795,6 @@ /* We need the real cleartext before we hash it. */ descrambled_password = descramble (password); host_user = check_password (username, descrambled_password, repository); - memset (descrambled_password, 0, strlen (descrambled_password)); - free (descrambled_password); if (host_user == NULL) { #ifdef HAVE_SYSLOG_H @@ -5806,6 +5804,8 @@ username, descrambled_password, repository); #endif #endif + memset (descrambled_password, 0, strlen (descrambled_password)); + free (descrambled_password); i_hate_you: printf ("I HATE YOU\n"); fflush (stdout); @@ -5814,6 +5814,8 @@ yet. */ error_exit (); } + memset (descrambled_password, 0, strlen (descrambled_password)); + free (descrambled_password); /* Don't go any farther if we're just responding to "cvs login". */ if (verify_and_exit)

-Larry Jones

Fortunately, that was our plan from the start. -- Calvin

_______________________________________________
Info-cvs mailing list [EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
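
Review bot: In the second hunk (@@ -5806,6 +5804,8 @@), the syslog argument list `username, descrambled_password, repository` still writes the cleartext password of the failed attempt into the log. A failed attempt is often a typo of the real password or a valid password typed for a different account, so anyone who can read the AUTHPRIV log can recover working credentials from it. Consider logging only the username and repository, or putting the password field behind a build-time or configuration option that defaults to off.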
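
Review bot: The wipe-and-free pair added in the third hunk (@@ -5814,6 +5814,8 @@) duplicates the pair added just before `i_hate_you:` in the second hunk, so any exit path added later between `descramble` and these two points has to remember both calls. A small helper that wipes and then frees the buffer, called from both places, would keep them in step. Separately, a `memset` on a buffer that is passed straight to `free` is a dead store that an optimizing compiler is allowed to drop, so the helper should wipe through a volatile pointer or use a routine such as `explicit_bzero` where the platform provides one.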