Re: DANGER: login and friends with libscrypt/libdescrypt

1999-09-21 Thread Brian Somers

 I've just been bitten by the following, so I figured I might as
 well warn others. From a quick glance it doesn't seem to have been
 mentioned, or not clearly enough, in this list.

Too late drat !  But xdm saves the day !

[.]
 -- 
 Pierre Beyssac[EMAIL PROTECTED]

-- 
Brian [EMAIL PROTECTED][EMAIL PROTECTED]
  http://www.Awfulhak.org   [EMAIL PROTECTED]
Don't _EVER_ lose your sense of humour !  [EMAIL PROTECTED]




To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: DANGER: login and friends with libscrypt/libdescrypt

1999-09-21 Thread Pierre Beyssac

On Tue, Sep 21, 1999 at 08:29:26AM +0200, Mark Murray wrote:
  - /usr/bin/login and friends are now linked against libscrypt
instead of libcrypt.
 
 This is a link bug. The Makefile says "-lcrypt". JDP?

Then there's the problem that libcrypto.so.3 won't magically be a
link to a working libdescrypt.so.3 if the latter doesn't exist,
especially if you don't have crypto sources.

Then, the fact that login SIGSEV's in strcmp from inside PAM doesn't
look very normal to me either. I suppose there's an error check
missing somewhere when the libscrypt is called while you use DES
passwords.

(gdb) where
#0  0x280d0cf4 in strcmp () from /usr/lib/libc.so.3
#1  0x28115365 in pam_sm_authenticate () from /usr/lib/pam_unix.so
#2  0x280754b9 in pam_getenvlist () from /usr/lib/libpam.so.1
#3  0x2807577d in _pam_dispatch () from /usr/lib/libpam.so.1
#4  0x28074b37 in pam_authenticate () from /usr/lib/libpam.so.1
#5  0x804a88a in setlogin ()
#6  0x8049c3a in setlogin ()
#7  0x804986d in setlogin ()
-- 
Pierre Beyssac  [EMAIL PROTECTED]


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: DANGER: login and friends with libscrypt/libdescrypt

1999-09-21 Thread Peter Wemm

Mark Murray wrote:
  - /usr/bin/login and friends are now linked against libscrypt
instead of libcrypt.
 
 This is a link bug. The Makefile says "-lcrypt". JDP?

Umm...

Previously there was:

.if ${OBJFORMAT} == elf
SONAME= ${LCRYPTBASE}.so.${SHLIB_MAJOR}
.endif

This appears to have been lost.

# objdump --all-headers /usr/lib/libscrypt.so.2
...
Dynamic Section:
  SONAME  libcrypt.so.2
  ^
  INIT0x354

Since somebody has deleted the SONAME override, the various libXcrypt files
have their own soname and the symlink redirection doesn't work as the
program gets compiled specifically to use the SONAME of the link-time
targets.

Cheers,
-Peter
--
Peter Wemm - [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: DANGER: login and friends with libscrypt/libdescrypt

1999-09-21 Thread Mark Murray

 This appears to have been lost.

Hmm. I might be the culprit. Fixing now...

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: DANGER: login and friends with libscrypt/libdescrypt

1999-09-21 Thread Pierre Beyssac

On Tue, Sep 21, 1999 at 07:51:18PM +0200, Mark Murray wrote:
  This appears to have been lost.
 Hmm. I might be the culprit. Fixing now...

Uh, this seems to have been fixed by Peter a moment ago.

Now the only thing that I'd like to know is: where do I get the
current CVS sources for libdescrypt, so that this doesn't prevent
me from logging-in next time?

peter   1999/09/21 07:44:28 PDT 

  Modified files:   
lib/libcrypt Makefile   
  Log:  
  Somebody deleted the SONAME override causing the symlink to be expanded   
  at link time and the target name compiled into the binaries.  ie: 
  everything used libscrypt or libdescrypt explicitly.  

  Revision  ChangesPath 
  1.21  +5 -1  src/lib/libcrypt/Makefile

peter   1999/09/21 07:47:37 PDT 

  Modified files:   
secure/lib/libcrypt  Makefile   
  Log:  
  Restore SONAME setting, otherwise libdescrypt.so.3 doesn't end up with
  a special SONAME of libcrypt.so.3 and the runtime symlink doesn't work.   

  Revision  ChangesPath
  1.19  +5 -1  src/secure/lib/libcrypt/Makefile 

-- 
Pierre Beyssac  [EMAIL PROTECTED]


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: DANGER: login and friends with libscrypt/libdescrypt

1999-09-21 Thread Mark Murray

 Now the only thing that I'd like to know is: where do I get the
 current CVS sources for libdescrypt, so that this doesn't prevent
 me from logging-in next time?

Usual places? It is in Internat as well.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: DANGER: login and friends with libscrypt/libdescrypt

1999-09-21 Thread Pierre Beyssac

On Tue, Sep 21, 1999 at 08:09:02PM +0200, Mark Murray wrote:
 Usual places? It is in Internat as well.

Yes, my question was more or less _where_ are the usual places :-)
because internat.freebsd.org is apparently down at the moment.

I finally got it from:
ftp://ctm.freebsd.org/pub/FreeBSD/development/CTM-international/int-cvs-cur/
-- 
Pierre Beyssac  [EMAIL PROTECTED]


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: DANGER: login and friends with libscrypt/libdescrypt

1999-09-21 Thread Pierre Beyssac

On Tue, Sep 21, 1999 at 08:59:42PM +0200, John Hay wrote:
 Can you explain a bit more what "apparently down" mean please?

I didn't manage to connect on it by ftp when I sent the previous
message. Apparently I haven't waited long enough: connectivity
between France and this machine is just dreadfully slow. That's
why I tried ping which makes checking easier than FTP, but I didn't
know ping is filtered for this machine.

 It seems up to me. I'm logged in on it at the moment and did an

It's up for me too now, but it's extremely sloow. I get FTP
timeouts 3 times out of 4.
-- 
Pierre Beyssac  [EMAIL PROTECTED]


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



DANGER: login and friends with libscrypt/libdescrypt

1999-09-20 Thread Pierre Beyssac

I've just been bitten by the following, so I figured I might as
well warn others. From a quick glance it doesn't seem to have been
mentioned, or not clearly enough, in this list.

- libscrypt/libdescrypt major number has been
  bumped a few days ago.
- /usr/bin/login and friends are now linked against libscrypt
  instead of libcrypt.

The bottom line is, if:

- you don't have crypto sources on your machine
- you were using a symbolic link from libcrypt* to
  libscrypt*/libdescrypt*
- you used that to link to an old libdes binary

then ***test*** your compiled login binary before you reinstall
everything.

Thanksfully I kept an older -current on another machine from which
I could find a working copy of login, which saved me from totally
ruining my night.

But I'll be sure to install complete crypto sources first thing
tomorrow morning on my machines.
-- 
Pierre Beyssac  [EMAIL PROTECTED]


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: DANGER: login and friends with libscrypt/libdescrypt

1999-09-20 Thread Mark Murray

   - /usr/bin/login and friends are now linked against libscrypt
 instead of libcrypt.

This is a link bug. The Makefile says "-lcrypt". JDP?
i
M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message