sudo (previously PATH=/your/head/asplode)

Jonathan Oksman jonathan.oksman at gmail.com
Sat Mar 17 10:36:38 PDT 2007


On 3/17/07, Jonathan Oksman <jonathan.oksman at gmail.com> wrote:
> Perhaps either the configure option --log-fac=auth or the

*sigh* The real configure option is --with-logfac.

I'm awake now, honestly.

It should also be mentioned in the book that sudo does not support
MD5 passwords natively.  I say this because I've only been able to
use it with NOPASSWD set.  Further investigation into the source
code reveals that this is indeed the case:

sudo-1.6.8p12/auth/passwd.c:
-----------------------------------
*snip to the verify function*

int
passwd_verify(pw, pass, auth)

*snip to the important part*

    /*
     * Normal UN*X password check.
     * HP-UX may add aging info (separated by a ',') at the end so
     * only compare the first DESLEN characters in that case.
     */
    epass = (char *) crypt(pass, pw->pw_passwd);
    pass[8] = sav;
    if (HAS_AGEINFO(pw->pw_passwd, pw_len) && strlen(epass) == DESLEN)
        error = strncmp(pw->pw_passwd, epass, DESLEN);
    else
        error = strcmp(pw->pw_passwd, epass);

    return(error ? AUTH_FAILURE : AUTH_SUCCESS);
------------------------------------

As you can see it only allows authentication versus crypt().
Considering an LFS system is built to store passwords via MD5, this
explains why I am unable to sudo without NOPASSWD.

I'm certain that this restriction will no longer apply if compiled
against PAM; I'll post back with the results.  If all works well,
perhaps PAM could be listed as a Recommended prerequisite to sudo.

One more thing, it looks like sudo can support Kerberos 4/5 directly,
although I haven't even tried Kerb support yet so I can't vouch for it.
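
Added example, not part of the original post and not sudo's own code: a small C diagnostic that classifies a stored password field by format and reproduces the comparison branch from the excerpt above, so the effect of the HP-UX aging suffix can be checked without calling crypt(). The names has_ageinfo, hash_scheme and stored_matches are hypothetical, has_ageinfo is an assumed stand-in for the HAS_AGEINFO macro (whose definition the post does not show), and all sample hash strings are constructed.

```c
#include <stdio.h>
#include <string.h>

#define DESLEN 13  /* length of a traditional DES crypt() hash */

/* Assumed stand-in for HAS_AGEINFO (definition not shown in the post):
 * a 13-character hash followed by ',' and aging characters. */
static int has_ageinfo(const char *stored)
{
    return strlen(stored) > DESLEN && stored[DESLEN] == ',';
}

/* Classify a stored password field by its format alone. */
const char *hash_scheme(const char *stored)
{
    static const char des_set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    if (strncmp(stored, "$1$", 3) == 0)
        return "md5-crypt";
    if (stored[0] == '$')
        return "other-modular";
    if (strspn(stored, des_set) == DESLEN &&
        (stored[DESLEN] == '\0' || has_ageinfo(stored)))
        return has_ageinfo(stored) ? "des+aging" : "des";
    return "unknown";
}

/* Comparison step as in the excerpt: 1 on match, 0 otherwise.
 * epass stands for what crypt() returned for the typed password. */
int stored_matches(const char *stored, const char *epass)
{
    if (has_ageinfo(stored) && strlen(epass) == DESLEN)
        return strncmp(stored, epass, DESLEN) == 0;
    return strcmp(stored, epass) == 0;
}

int main(void)
{
    /* Constructed sample fields, not real password hashes. */
    const char *samples[] = {
        "abJnggxhB/yJo",
        "abJnggxhB/yJo,2.Ab",
        "$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA",
        "*",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-36s %s\n", samples[i], hash_scheme(samples[i]));
    return 0;
}
```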


