No subject


Tue Nov 29 10:43:08 WST 2011


of 13 printable ASCII characters .."), I'd say that the current system is
using the system's crypt() routine by default and the old system was at one
stage using the same and then changed to the alternative 3DES encryption.
It also means that changing to MD5 or SHA isn't the answer. What a mess :(

<snip assuming MD5 - which it's not>

> The only real solution would be to configure the new system to use the
> older DES-based crypt().  This means that user passwords on the system
> will be restricted to 8 characters or less and will be slightly easier
> to break using a dictionary attack.  Otherwise it should be business as
> usual.  You can change the system's crypt() algorithm either by editing
> /etc/login.defs and disabling MD5_CRYPT_ENAB or editing /etc/pam.d/login
> and removing the reference to 'md5' in the password entry.

Hmm .. well, there are no appropriate references in /etc/login.defs, and
/etc/pam.d/login seems to externalize the authentication config to
/etc/pam.d/system-auth.
Here are the two files :

[root /etc/pam.d]#cat login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

[root /etc/pam.d]#cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 shadow
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_unix.so
account     required      /lib/security/pam_deny.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

The authconfig(8) manpage doesn't mention anything about config of crypt(),
just the system-level authorization config.  I'm confused over whether this
is relevant or not (?)

> Of course, it could easily be something completely different...  I'm
> assuming you've checked other things like the versions of the server
> software etc.  Also, try adding a new user to your htpasswd file and see
> if you can log in as this user.  Also, compare the first part of the
> password hash for the new user against the older users.  For memory the
> part of the hash between the $'s identifies the hashing algorithm used.

If I add a new user to this htpasswd file, they authorize correctly - i.e.
correct password allows, incorrect password fails.

So what I think I need is the same version of crypt() (or compile apache
with this mechanism) that is configurable to generate 24-character encrypted
password strings instead of the 13-character that it currently is.

I have looked through all the compile options in apache and can't find
anything related to this apart from switching to MD5 - which is not a
solution.

Can anyone help me further?

- Brian.
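The two checks the thread turns on (what the prefix of each htpasswd hash says about the algorithm, and which hash option pam_unix.so is carrying on the password stack) can be scripted so the mismatch is visible before anyone is locked out. The following is an added example, not code from the post or from Apache or PAM; the htpasswd lines are constructed samples, the system-auth text is the one quoted above, and the function names `classify_hash`, `audit_htpasswd` and `pam_unix_password_hash` are my own. A 24-character entry is reported only as non-standard crypt(3) output, since the post does not establish what produced it.

```python
"""Audit helpers for htpasswd hash formats and pam_unix hash options (added example)."""
import re

# crypt(3) DES output uses this 64-symbol alphabet: 2 salt chars + 11 hash chars = 13.
CRYPT_CHARS = r"[./0-9A-Za-z]"

# Prefix markers: Modular Crypt Format ids and the htpasswd SHA-1 marker.
PREFIXES = [
    ("$apr1$", "apr1 (Apache MD5)"),
    ("$1$", "md5-crypt"),
    ("$5$", "sha256-crypt"),
    ("$6$", "sha512-crypt"),
    ("{SHA}", "sha1 (htpasswd -s)"),
]

# Why a class of entry is a problem, from a defender's point of view.
RISK = {
    "des-crypt": "DES crypt: only the first 8 password chars count; cheap to dictionary-attack",
    "24-char (non-standard)": "not 13-char crypt(3) DES output; a server using plain crypt() cannot validate it",
    "unknown": "unrecognised format; this entry can never validate",
}

# Constructed sample htpasswd file (hash values are illustrative, not real credentials).
SAMPLE_HTPASSWD = """\
# users
alice:abJnggxhB/yWI
bob:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0
carol:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
dave:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
erin:6vKfP4uZAbCdEfGhIjKlMnOp
mallory:not-a-hash!
"""

# The system-auth file quoted in the post, with the wrapped lines rejoined.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 shadow
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_unix.so
account     required      /lib/security/pam_deny.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
"""


def classify_hash(h: str) -> str:
    """Name the hash format of one htpasswd password field."""
    for prefix, name in PREFIXES:
        if h.startswith(prefix):
            return name
    if re.fullmatch(CRYPT_CHARS + "{13}", h):
        return "des-crypt"
    if re.fullmatch(CRYPT_CHARS + "{24}", h):
        return "24-char (non-standard)"
    return "unknown"


def audit_htpasswd(text: str):
    """Return (line number, user, hash kind, risk note) for every entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append((lineno, None, "malformed", "no ':' separator"))
            continue
        user, h = line.split(":", 1)
        kind = classify_hash(h)
        findings.append((lineno, user, kind, RISK.get(kind, "ok")))
    return findings


def pam_unix_password_hash(pam_text: str):
    """Hash algorithm pam_unix.so will use on the 'password' stack, or None if absent.

    pam_unix falls back to traditional DES crypt() when no algorithm option is given.
    """
    for raw in pam_text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0] != "password" or raw.lstrip().startswith("#"):
            continue
        if not fields[2].endswith("pam_unix.so"):
            continue
        args = set(fields[3:])
        for alg in ("sha512", "sha256", "blowfish", "bigcrypt", "md5"):
            if alg in args:
                return alg
        return "des"
    return None


if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE_HTPASSWD):
        print(finding)
    print("pam_unix password hash:", pam_unix_password_hash(SAMPLE_SYSTEM_AUTH))
```

Run against a real file, the report separates entries a crypt()-based Apache can validate (13-char DES) from those it cannot (24-char or unrecognised), which is the first thing to establish before deciding whether changing the PAM hash option is even relevant to the web server.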
