Possible security issue with blowfish shadow passwords

Jan Dvořák mordae at thirdcms.org
Thu Mar 1 04:58:01 PST 2007

Kevin Day wrote:
>> - Linux-PAM (set passwords to blowfish as pam seems to handle them)
>> password = abcd
>> 4) abcd = pass
>> 5) abcde = pass
Maybe this piece of code from modules/pam_unix/support.c:709?

  * Note, we are comparing the bigcrypt of the password with
  * the contents of the password field. If the latter was
  * encrypted with regular crypt (and not bigcrypt) it will
  * have been truncated for storage relative to the output
  * of bigcrypt here. As such we need to compare only the
  * stored string with the subset of bigcrypt's result.
  * Bug 521314: The strncmp comparison is for legacy support.
if (strncmp(pp, salt, salt_len) == 0) {
     retval = PAM_SUCCESS;
} else {
     retval = PAM_AUTH_ERR;

Investigate what exactly strncmp() gets and see if it's the problem.

fprintf(stderr, "BUGTRACK: strncmp(\"%s\", \"%s\", %i)\n",
		pp, salt, salt_len);
if (strncmp(pp, salt, salt_len) == 0) {

Good luck...

More information about the hlfs-dev mailing list