The way the samba port emulates passwd()/crypt() functionality against the SYSUAF is wrong; you can't simply return a pointer to the VMS password hash quadword as the passwd string. In traditional UNIX, the passwd() function returns a pointer to a null-terminated encoding of the password hash, the first 2 bytes of which are a 'salt' value. The crypt() function takes the salt value and a candidate plain-text password to generate another encoded string for comparison (using strcmp()) with the original encoded passwd string. The raw binary string returned by the emulation routines can yield false positives if the hash has embedded zeros due to samba's use of strcmp() for the comparison.
I did a scan of my system's SYSUAF and 2.6% of the hashes have a zero before the eighth byte. The earlier in the quadword the zero occurs, the more potential for false password matches. I placed a pwd.c in http://www.er6.eng.ohio-state.edu/~jonesd/samba/pwd.zip that returns valid ASCIZ strings for the passwd and crypt functions. The string encodes an extended salt so you don't have to assume the crypt() call refers to the most recent data returned by passwd().

------------------------------------------------------------------------------
David L. Jones               |      Phone:    (614) 292-6929
Ohio State University        |      Internet:
140 W. 19th St. Rm. 231a     |               [EMAIL PROTECTED]
Columbus, OH 43210           |               [EMAIL PROTECTED]

Disclaimer: I'm looking for marbles all day long.
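The false positive described in the message above, shown as an added example that is not part of the original post and is not the code in pwd.c. The two hash values are constructed samples, and the hex encoding is an assumed stand-in for any encoding that produces a valid ASCIZ string; it is not the format pwd.c uses.

```c
#include <stdio.h>
#include <string.h>

#define HASH_LEN 8  /* the VMS password hash is a quadword */

/* Flawed comparison: the raw quadword is handed to strcmp() as if it were
 * a C string, so comparison stops at the first zero byte. */
static int raw_strcmp_match(const unsigned char *stored, const unsigned char *candidate)
{
    char a[HASH_LEN + 1], b[HASH_LEN + 1];
    memcpy(a, stored, HASH_LEN);    a[HASH_LEN] = '\0';
    memcpy(b, candidate, HASH_LEN); b[HASH_LEN] = '\0';
    return strcmp(a, b) == 0;
}

/* Encode the quadword as 16 hex digits plus NUL (assumed encoding):
 * the result never contains an embedded zero byte. */
static void hash_to_asciz(const unsigned char *hash, char out[2 * HASH_LEN + 1])
{
    static const char digits[] = "0123456789abcdef";
    for (int i = 0; i < HASH_LEN; i++) {
        out[2 * i]     = digits[hash[i] >> 4];
        out[2 * i + 1] = digits[hash[i] & 0x0f];
    }
    out[2 * HASH_LEN] = '\0';
}

/* Same strcmp() call, but on the encoded strings: all 8 bytes take part. */
static int encoded_strcmp_match(const unsigned char *stored, const unsigned char *candidate)
{
    char a[2 * HASH_LEN + 1], b[2 * HASH_LEN + 1];
    hash_to_asciz(stored, a);
    hash_to_asciz(candidate, b);
    return strcmp(a, b) == 0;
}

/* Constructed sample values: identical up to the zero in byte 2, different after it. */
static const unsigned char stored_hash[HASH_LEN] = {0x3a, 0x91, 0x00, 0x7c, 0x15, 0xe2, 0x48, 0xb6};
static const unsigned char wrong_hash[HASH_LEN]  = {0x3a, 0x91, 0x00, 0x02, 0xff, 0x10, 0x6d, 0x99};

int main(void)
{
    printf("raw strcmp:     %s\n",
           raw_strcmp_match(stored_hash, wrong_hash) ? "MATCH (false positive)" : "no match");
    printf("encoded strcmp: %s\n",
           encoded_strcmp_match(stored_hash, wrong_hash) ? "MATCH" : "no match");
    return 0;
}
```

With the zero at byte 2, the raw comparison checks only the first two bytes of the hash, which is why an earlier zero gives more room for false matches.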