Re: getpwnam with md5 encrypted passwds

2003-11-27 Thread Terry Lambert
Clifton Royston wrote:
   If you will need to do authentication after your program drops
 privileges, your best course is probably to go through PAM, to install
 a separate daemon which implements a PAM-supported protocol and which
 runs with privileges, and then to enable that protocol as a PAM
 authentication method for your application.

[ ... RADIUS example with LDAP mention ... ]

Sounds like a good approach, though I'll point out that had
you tried LDAP, you would have been hard-put to use LDAP as a
proxy protocol to another authentication base (a PAM backend
for an LDAP server, while not quite impossible, would be very
hard).

How did you avoid the recursion problem of the RADIUS server
trying to authenticate via pam_radius to the RADIUS server
trying to authenticate ...

-- Terry


___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: getpwnam with md5 encrypted passwds

2003-11-27 Thread Terry Lambert
Peter Pentchev wrote:
 On Wed, Nov 26, 2003 at 02:21:04PM +0100, Kai Mosebach wrote:
  Looks interesting... is this method also usable when I have dropped my privs?
 
 I think Terry meant pam_authenticate() (not pan), but to answer your
 question: no, when you drop your privileges, you do not have access to
 at least the system's password database (/etc/spwd.db, generated from
 /etc/passwd and /etc/master.passwd by pwd_mkdb(8)).  If this will be any
 consolation, getpwnam() won't return a password field when you have
 dropped root privileges either.

Peter is correct on both counts.  If I had not seen his reply
first, I would have made the same reply.  You cannot crypt
something you cannot read.

-- Terry




Re: getpwnam with md5 encrypted passwds

2003-11-27 Thread Clifton Royston
On Wed, Nov 26, 2003 at 11:10:01PM -0800, Terry Lambert wrote:
 Clifton Royston wrote:
If you will need to do authentication after your program drops
  privileges, your best course is probably to go through PAM, to install
  a separate daemon which implements a PAM-supported protocol and which
  runs with privileges, and then to enable that protocol as a PAM
  authentication method for your application.
 
 [ ... RADIUS example with LDAP mention ... ]
 
 Sounds like a good approach, though I'll point out that had
 you tried LDAP, you would have been hard-put to use LDAP as a
 proxy protocol to another authentication base (a PAM backend
 for an LDAP server, while not quite impossible, would be very
 hard).
 
Glad I went with my gut feeling rather than wasting a lot of time
looking into it then...

 How did you avoid the recursion problem of the RADIUS server
 trying to authenticate via pam_radius to the RADIUS server
 trying to authenticate ...

That is avoided two ways, either of which would do to prevent the
deadly recursion.  

First the RADIUS server (FreeRadius) is currently set up to implement
Unix auth directly against spwd.db, not via PAM.  Second, it's not
enabled as the default PAM authentication method for all applications,
only for some specific application tokens.

We have an intention to add to the application auth against some
separate non-password db files, followed by OTP support down the road. 
Hopefully as it uses PAM both should now be relatively easy.
  -- Clifton

-- 
  Clifton Royston  --  [EMAIL PROTECTED] 
 Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed?  Did you ever walk with ten cats on your head?
  Did you ever milk this kind of cow?  Well we can do it.  We know how.
If you never did, you should.  These things are fun, and fun is good.
 -- Dr. Seuss


Re: getpwnam with md5 encrypted passwds

2003-11-26 Thread [EMAIL PROTECTED]
Quoting Q [EMAIL PROTECTED]:

This was a stupid mistake!

Thanks 

 Change your crypt line to:
 
 if (!strcmp(crypt(pass, pwd->pw_passwd), pwd->pw_passwd)) {
 
 Seeya...Q
 
 On Wed, 2003-11-26 at 11:30, [EMAIL PROTECTED] wrote:
 
  Hi,
  
  I am trying to validate a given user password against my local passwd
  file with this piece of code:
  
  if (!(pwd = getpwnam(user))) {
      log(ERROR, "User %s not known", user);
      stat = NOUSER;
  } else if (!strcmp(crypt(pass, pwd->pw_name), pwd->pw_passwd)) {
      log(DEBUG|MISC, "HURRAY : %s authenticated\n", user);
      stat = AUTHED;
  }
  
  The problem is that my passwords are encrypted in MD5 format, so the
  strcmp always fails. Now I did not find any usable information on how
  to work this out on FreeBSD, and how to be independent from the
  settings in login.conf (so that I don't have to check whether it's
  using crypt, MD5 or Blowfish).
  
  The code should be running on 4.x and 5.x.
  
  Any ideas?
  
  Kind regards
  
  Kai
 





Re: getpwnam with md5 encrypted passwds

2003-11-26 Thread Terry Lambert
[EMAIL PROTECTED] wrote:
 I am trying to validate a given user password against my local passwd file with
 this piece of code:
 
 if (!(pwd = getpwnam(user))) {
     log(ERROR, "User %s not known", user);
     stat = NOUSER;
 } else if (!strcmp(crypt(pass, pwd->pw_name), pwd->pw_passwd)) {
     log(DEBUG|MISC, "HURRAY : %s authenticated\n", user);
     stat = AUTHED;
 }

I know you have the fix for the crypt of the wrong field, but the
proper thing to do is probably to use pan_authenticate() so that
you are insensitive to the authentication method being used, rather
than crypting and comparing it yourself.

-- Terry


Re: getpwnam with md5 encrypted passwds

2003-11-26 Thread Peter Pentchev
On Wed, Nov 26, 2003 at 02:21:04PM +0100, Kai Mosebach wrote:
  -----Original Message-----
  From: Terry Lambert [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, 26 November 2003 13:34
  To: [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Subject: Re: getpwnam with md5 encrypted passwds
  
  [EMAIL PROTECTED] wrote:
   I am trying to validate a given user password against my local passwd file with
   this piece of code:
  
   if (!(pwd = getpwnam(user))) {
       log(ERROR, "User %s not known", user);
       stat = NOUSER;
   } else if (!strcmp(crypt(pass, pwd->pw_name), pwd->pw_passwd)) {
       log(DEBUG|MISC, "HURRAY : %s authenticated\n", user);
       stat = AUTHED;
   }
  
  I know you have the fix for the crypt of the wrong field, but the
  proper thing to do is probably to use pan_authenticate() so that
  you are insensitive to the authentication method being used, rather
  than crypting and comparing it yourself.
  
 
 Looks interesting... is this method also usable when I have dropped my privs?

I think Terry meant pam_authenticate() (not pan), but to answer your
question: no, when you drop your privileges, you do not have access to
at least the system's password database (/etc/spwd.db, generated from
/etc/passwd and /etc/master.passwd by pwd_mkdb(8)).  If this will be any
consolation, getpwnam() won't return a password field when you have
dropped root privileges either.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence contains exactly threee erors.




Re: getpwnam with md5 encrypted passwds

2003-11-26 Thread Tim Kientzle
[EMAIL PROTECTED] wrote:
Hi,

I am trying to validate a given user password against my local passwd file with
this piece of code:

if (!strcmp(crypt(pass, pwd->pw_name), pwd->pw_passwd)) {
The second argument to crypt here should be pwd->pw_passwd.
Otherwise, this doesn't work even with DES-encrypted passwords.
The first part of any encrypted password is the 'salt', which
effectively indicates how that password is encrypted.
You need to give the encrypted password to crypt so it
knows which encryption to use for the plaintext.
Tim Kientzle



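Tim's and Q's point that the stored hash doubles as the salt that selects the algorithm, and Peter's point that an unprivileged process gets no hash to compare against, as an added Python example that is not code from this thread: a pure-hashlib MD5-crypt that takes the stored `$1$` field as its salt the way crypt(3) does, plus a verify routine that refuses fields with no usable hash. The `correct horse` password and `Xy8zQ1ab` salt in the test are constructed values.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def md5crypt(password: bytes, salt: bytes) -> bytes:
    # MD5-crypt as in FreeBSD's crypt(3). `salt` may be a bare salt or a whole
    # stored hash: "$1$" and anything from the next "$" on are dropped and at
    # most 8 salt characters are kept, so crypt(pass, pwd->pw_passwd) reuses
    # the stored salt while crypt(pass, pwd->pw_name) never can.
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split(b"$", 1)[0][:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:                       # mix in len(password) bytes of alt
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(password)
    while n > 0:                       # one byte per bit of the length
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # the deliberately slow stretching loop
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    triples = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    values = [(final[a] << 16) | (final[b] << 8) | final[c] for a, b, c in triples]
    out = ""
    for v, width in zip(values + [final[11]], (4, 4, 4, 4, 4, 2)):  # to64()
        for _ in range(width):
            out += ITOA64[v & 0x3F]
            v >>= 6
    return MAGIC + salt + b"$" + out.encode()


def verify_password(password: str, stored: str) -> bool:
    # The corrected strcmp(crypt(pass, pw_passwd), pw_passwd) check. A field
    # with no hash ("*" or "", what an unprivileged getpwnam() hands back on
    # FreeBSD) or in a format this example does not implement is refused.
    if not stored.startswith("$1$"):
        return False
    computed = md5crypt(password.encode(), stored.encode())
    return hmac.compare_digest(computed, stored.encode())
```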


Re: getpwnam with md5 encrypted passwds

2003-11-26 Thread Clifton Royston
On Wed, Nov 26, 2003 at 12:01:01PM -0800, [EMAIL PROTECTED] wrote:
 Date: Wed, 26 Nov 2003 16:05:30 +0200
 From: Peter Pentchev [EMAIL PROTECTED]
 Subject: Re: getpwnam with md5 encrypted passwds
 To: Kai Mosebach [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=windows-1251
 
 On Wed, Nov 26, 2003 at 02:21:04PM +0100, Kai Mosebach wrote:
   -----Original Message-----
   From: Terry Lambert [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, 26 November 2003 13:34
   To: [EMAIL PROTECTED]
   Cc: [EMAIL PROTECTED]
   Subject: Re: getpwnam with md5 encrypted passwds
   
   [EMAIL PROTECTED] wrote:
    I am trying to validate a given user password against my local passwd file with
    this piece of code:
...
   I know you have the fix for the crypt of the wrong field, but the
   proper thing to do is probably to use pan_authenticate() so that
   you are insensitive to the authentication method being used, rather
   than crypting and comparing it yourself.
  
  Looks interesting... is this method also usable when I have dropped my privs?
 
 I think Terry meant pam_authenticate() (not pan), but to answer your
 question: no, when you drop your privileges, you do not have access to
 at least the system's password database (/etc/spwd.db, generated from
 /etc/passwd and /etc/master.passwd by pwd_mkdb(8)).  If this will be any
 consolation, getpwnam() won't return a password field when you have
 dropped root privileges either.

  If you will need to do authentication after your program drops
privileges, your best course is probably to go through PAM, to install
a separate daemon which implements a PAM-supported protocol and which
runs with privileges, and then to enable that protocol as a PAM
authentication method for your application.
 
  For example, you can install a RADIUS server bound to localhost which
runs as root and authenticates against the master password file. 
Configure the necessary /etc files for pam_radius as described in its
man pages, and then add pam_radius as an authentication method in
/etc/pam.conf for your application.  Now you do need to make your
application go through the PITA required to be a PAM client, but it can
at least authenticate without needing root privileges itself.  I
implemented this pretty recently, so I know the approach works, even if
it may seem rather roundabout.  (LDAP would be another PAM-supported
option, but RADIUS seemed simpler to set up in a hurry.)

  -- Clifton

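Clifton's two guards against the recursion (the RADIUS daemon checks spwd.db itself rather than going through PAM, and pam_radius is enabled only for specific service tokens), sketched as an added configuration example that is not Clifton's own setup; the service name `myapp`, the loopback server address, the timeouts and the secret placeholder are assumptions.

```conf
# /etc/pam.conf  (FreeBSD format: service  type  control  module  [args])

# Weak: hanging pam_radius off the catch-all "other" service routes every
# PAM client on the host through RADIUS. A RADIUS daemon that itself
# authenticated via PAM would land here and call itself.
#other    auth     required   pam_radius.so

# Corrected: only the unprivileged application's own service token goes to
# RADIUS; nothing the daemon uses matches it. The daemon (FreeRADIUS in
# Clifton's setup) reads spwd.db directly instead of using PAM, so the
# chain cannot loop back into it.
myapp     auth     required   pam_radius.so

# /etc/radius.conf, read by pam_radius (assumed libradius layout:
#   type  host[:port]  shared-secret  [timeout  [max-tries]])
# The server is bound to loopback, as in the thread.
auth      127.0.0.1   REPLACE-WITH-SHARED-SECRET   3  3
```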