MD5->Blowfish method break openssh's authentication

Robert Connolly robert at linuxfromscratch.org
Fri Jun 22 23:48:32 PDT 2007


On Friday June 22 2007 06:06:14 pm Kevin Day wrote:
> Okay, based on your tutorials, I got myself a working machine that
> uses working blowfish passwords, without Linux-PAM installed.
>
> Tested with the following combinations gcc-3.4.6, gcc-4.1.2,
> gcc-4.2.0, uclibc-0.9.28.3, uclibc-0.9.29, and 3 different versions of
> openssh (4.4p2, 4.5p1, 4.6p1). (I hoped to rule out both the libc, the
> compiler, and openssh)

I have blowfish in glibc, and I can ssh localhost and log in. So, this looks 
like an xcrypt problem, not an openssh problem. Debian and Suse both have a 
libxcrypt package, but I can't tell for sure whether their openssh supports 
it... Debian's patch is focused on selinux, there's no "xcrypt" in their 
openssh patch. Suse's openssh-4.2p1-18.12 has "libxcrypt" in 
the "usedforbuild" line, but no patch seems to be needed. It looks like Suse 
uses libxcrypt-2.2 vanilla, without any patches against it. Without doing 
s/lcrypt/lxcrypt/ I don't think Suse is linking openssh to libxcrypt.

I don't recall ever personally using libxcrypt with openssh, but I do remember 
someone emailing me about a function name conflict (openssh also has its own 
xcrypt() function), and they got it to work with some minor modifications.

As far as I know openssh/openssl doesn't have its own bcrypt for decrypting 
blowfish passwords, so it would need to be linked to libxcrypt.

I'll keep thinking about it, but right now I'm at a loss for ideas.

robert
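
An added diagnostic, not part of the message above and not code from HLFS or openssh: it calls crypt() from a given shared library with an MD5 (`$1$`) and a Blowfish (`$2a$`) setting string and reports whether the library honours the requested scheme, which is the question of which library a program is linked against (`-lcrypt` or `-lxcrypt`). The helper names `classify` and `probe`, the library names passed to them, and the salts are assumptions made for this example.

```python
import ctypes
import ctypes.util

# Constructed setting strings (scheme prefix + salt), not taken from the thread.
MD5_SETTING = "$1$abcdefgh$"
BLOWFISH_SETTING = "$2a$05$abcdefghijklmnopqrstuu"


def classify(setting, result):
    """Report whether a crypt() result honours the scheme named in `setting`."""
    if result is None or result.startswith("*"):
        return "unsupported"  # NULL or a "*0"-style failure token
    prefix = setting[: setting.index("$", 1) + 1]  # "$1$" or "$2a$"
    if result.startswith(prefix):
        return "supported"
    # The library did not recognise the prefix and hashed some other way,
    # so a stored hash with this prefix can never compare equal at login.
    return "fallback"


def probe(libname, setting, key="test"):
    """Call crypt() from the shared library `libname` (hypothetical helper)."""
    path = ctypes.util.find_library(libname)
    if path is None:
        return "missing"
    try:
        lib = ctypes.CDLL(path)
        fn = lib.crypt
    except (OSError, AttributeError):
        return "missing"  # library not loadable or exports no crypt()
    fn.restype = ctypes.c_char_p
    fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    out = fn(key.encode(), setting.encode())
    return classify(setting, out.decode("ascii", "replace") if out else None)


if __name__ == "__main__":
    for lib in ("crypt", "xcrypt"):
        for name, setting in (("md5", MD5_SETTING), ("blowfish", BLOWFISH_SETTING)):
            print(f"lib{lib} {name}: {probe(lib, setting)}")
```

A "supported" result for MD5 together with "unsupported" or "fallback" for Blowfish from the library a daemon is linked against means that daemon cannot verify `$2a$` entries, whatever other programs on the machine can do.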
