MD5->Blowfish method break openssh's authentication
robert at linuxfromscratch.org
Fri Jun 22 23:48:32 PDT 2007
On Friday June 22 2007 06:06:14 pm Kevin Day wrote:
> Okay, based on your tutorials, I got myself a working machine that
> uses working blowfish passwords, without Linux-PAM installed.
> Tested with the following combinations gcc-3.4.6, gcc-4.1.2,
> gcc-4.2.0, uclibc-0.9.28.3, uclibc-0.9.29, and 3 different versions of
> openssh (4.4p2, 4.5p1, 4.6p1). (I hoped to rule out both the libc, the
> compiler, and openssh)
I have blowfish in glibc, and I can ssh localhost and log in. So, this looks
like an xcrypt problem, not an openssh problem. Debian and Suse both have a
libxcrypt package, but I can't tell for sure whether their openssh supports
it... Debian's patch is focused on selinux, there's no "xcrypt" in their
openssh patch. Suse's openssh-4.2p1-18.12 has "libxcrypt" in
the "usedforbuild" line, but no patch seems to be needed. It looks like Suse
uses libxcrypt-2.2 vanilla, without any patches against it. Without doing
s/lcrypt/lxcrypt/ I don't think Suse is linking openssh to libxcrypt.
I don't recall ever personally using libxcrypt with openssh, but I do remember
someone emailing me about a function name conflict (openssh also has it's own
xcrypt() function), and they got it to work with some minor modifications.
As far as I know openssh/openssl doesn't have it's own bcrypt for decrypting
blowfish passwords, so it would need to be linked to libxcrypt.
I'll keep thinking about it, but right now I'm at a loss for ideas.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
More information about the hlfs-dev