Re: passwd probs under FreeBSD

From: Jason Fischer (jasonf@COMPUMEDIA.COM)
Date: 08/30/97


On Tue, 26 Aug 1997, Jason Fischer wrote:

> Recently, I discovered that for almost all of our characters (any with a
> name longer than 6 characters) that you could enter any password and the
> game would let you in.  Now this confused the ever living hell out of me
> for almost 2 days.  I debugged my way through db.c, comm.c, and
> interpreter.c, but everthing seemed to be working as it should.

[snip]

> It appears that the encrypted password tacks a $1$<salt>$ before the
> actual encrypted part.

OK, I found out what was causing this.  In case anyone is running under a
BSD clone.  Apparently you have a couple of choices for encryption using
crypt.  One is good old standard DES.  This is used almost everywhere.
The other is MD5, which to my understanding (having not done much research
into the matter) is a better encryption standard.  At any rate, BSD
differentiates between a DES and MD5 encryption by the following.

If it uses DES then crypt will return a standard glut of characters.  If
it uses MD5 it will prepend the cypher with a $1$<salt>$  Where <salt> is
whatever salt you passed to crypt (up to 8 characters in length) in this
case the name of the character's password you want to check.

This will really spork how passwords are stored under circle if the box is
using MD5.  Circle only stores 10 characters (by default) for the
password.  If the character's name is or more characters in length, then
the prepended portion of an MD5 cypher will cause the strncmp to always be
true, no matter what password you enter.

Just a warning to BSD users.

--
Jason Fischer            |  Any smoothly functioning technology is
jasonf@compumedia.com    |  indistinguishable from a rigged demo.
      "In the shadow of the light from a black sun" Type O-


     +------------------------------------------------------------+
     | Ensure that you have read the CircleMUD Mailing List FAQ:  |
     | http://democracy.queensu.ca/~fletcher/Circle/list-faq.html |
     +------------------------------------------------------------+



This archive was generated by hypermail 2b30 : 12/08/00 PST