help-gnats

[PATCH]: GNATS 3 encrypted passwords


From: Yngve Svendsen
Subject: [PATCH]: GNATS 3 encrypted passwords
Date: Fri, 12 Oct 2001 20:09:04 +0200

The following patch provides encrypted password support in GNATS 3's gnatsd.access file. It should apply cleanly to GNATS 3.113, 3.113.1 and to the latest v3 CVS. This is a simple backport of similar functionality introduced in GNATS 4.

This is a quick-and-dirty modification. Most importantly, it will not compile on systems without crypt support, although there aren't many of those. On systems that support both MD5 and DES (traditional crypt) encryption, this modification provides support for both kinds of passwords.

In gnatsd.access, a password prefixed by $0$ is assumed to be plaintext, and a $1$ prefix denotes an MD5 password. If a password has no prefix, it is assumed to be an ordinary UNIX crypt password. This provides for easy synchronization of GNATS and standard UNIX passwords; admins can simply copy password hashes from the system password file.

Sites that have existing gnatsd.access files with plaintext passwords in them either need to prefix existing passwords with $0$ or convert the passwords to crypt or MD5.

One final gotcha: This has only been tested on Solaris 8, so your mileage may vary.

Yngve Svendsen



Index: gnatsd.c
===================================================================
RCS file: /cvs/gnats/gnats/gnats/gnatsd.c,v
retrieving revision 1.1.1.2.4.1
diff -u -p -r1.1.1.2.4.1 gnatsd.c
--- gnatsd.c    1999/09/21 23:18:39     1.1.1.2.4.1
+++ gnatsd.c    2001/10/12 17:37:52
@@ -221,6 +221,29 @@ match (line, p, matchcase)
     return 1;
 }

+/* Return true iff `password' matches `hash'.
+ `hash' is a possibly encrypted password, according to the $?$ convention. */
+static int
+password_match (password, hash)
+     char *password;
+     char *hash;
+{
+  char *encrypted;
+  if (! strncmp (hash, "$0$", 3))
+    {
+      /* explicit plain-text password */
+      return ! strcmp (password, hash+3);
+    }
+  else
+    {
+      /* DES or MD5 password. If crypt supports MD5, it uses MD5 when
+         the salt starts with $1$. If there's no prefix standard DES
+         is assumed */
+      encrypted = (char *)crypt (password, hash);
+      return encrypted && ! strcmp (encrypted, hash);
+    }
+}
+
 char *
 get_name (host)
      struct in_addr *host;
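Review bot: the cast in `encrypted = (char *)crypt (password, hash);` suggests crypt() has no prototype in scope at this point, and nothing in the patch adds one. Without a declaration the return value is treated as int and the cast only silences the warning, which truncates the pointer on platforms where int is narrower than a pointer. Include the header that declares crypt() on the target platform (<unistd.h> or <crypt.h>) and drop the cast. The comment above password_match() could also note that traditional DES crypt only considers the first 8 characters of the password, and that both the `$0$` branch and the final strcmp() are ordinary, non-constant-time comparisons.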
@@ -439,7 +462,7 @@ get_user_access (database, filename, use
        continue;

       /* check passwd */
-      if (!match (passwd, fields[1], 1))
+      if (!password_match (passwd, fields[1]))
         {
           access = ACCESS_NONE;
           break;
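Review bot: at the `/* check passwd */` call site, an unprefixed fields[1] that used to be compared through match() is now handed to crypt() as a hash, so an existing plaintext entry just stops matching and ends in ACCESS_NONE with no indication why. Consider logging when a password field has neither a `$0$`/`$1$` prefix nor the shape of a crypt hash, and document the `$0$` migration next to the gnatsd.access format description. Any case or pattern handling that match() applied to this field is dropped here as well; confirm no site relied on it.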

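An added example, not part of the original post or of GNATS: a pre-upgrade audit that classifies each gnatsd.access password field under the `$0$` / `$1$` / no-prefix convention described in the message, so that legacy plaintext entries can be found before the patched gnatsd rejects them. The colon-separated `userid:password:level` layout, `#` comment lines, the function names and the sample entries are assumptions made for this sketch.

```python
import re

# Shapes of the two hash kinds the patch accepts.
# Traditional DES crypt: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5 crypt: $1$ + salt (1-8 chars) + $ + 22 hash chars.
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def classify(field):
    """Classify one password field the way the patched gnatsd will read it."""
    if field == "":
        return "empty"
    if field.startswith("$0$"):
        return "plaintext"            # explicit plaintext, compared as-is
    if field.startswith("$1$"):
        return "md5" if MD5_RE.match(field) else "malformed-md5"
    if DES_RE.match(field):
        # A 13-character plaintext from this alphabet is indistinguishable
        # from a DES hash; review such entries by hand.
        return "des"
    return "needs-migration"          # no prefix and not hash-shaped


def audit(text):
    """Return (line number, userid, classification) for each entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumed comment syntax
            continue
        fields = line.split(":")               # assumed field separator
        if len(fields) < 3:
            findings.append((lineno, fields[0], "unparsed"))
            continue
        findings.append((lineno, fields[0], classify(fields[1])))
    return findings


# Constructed sample file; the hashes are made-up strings of the right shape.
SAMPLE = """\
# constructed sample
alice:$0$s3cret:edit
bob:$1$abcdefgh$0123456789abcdefghijkl:edit
carol:abJnggxhB/yWI:view
dave:hunter2:edit
erin::view
"""

if __name__ == "__main__":
    for lineno, user, kind in audit(SAMPLE):
        print(f"line {lineno}: {user}: {kind}")
```

Entries reported as `needs-migration` are the ones the message says must be prefixed with `$0$` or converted to crypt or MD5.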
