AARGH. First post and I hit the wrong keys and sent the email before I was ready. Grumble. Stupid fingers.
FreeRadius-0.4 breaks compatibility with Solaris running YP in compatibility
mode, by changing when shadow password lookups are performed using the
system call getspnam().
I have attached two patches:
The first attached patch adds a bunch of debugging to rlm_unix's shadow
password section (about line 510), changes the code's style to allow for
such debugging, and adds a kludge to work around Solaris NIS/YP running with
shadow passwords. It is rlm_unix.c.patch.
The 2nd patch is a proper fix to the problem using strspn() to determine if
the returned password contains any characters not in the set
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./$". $ is
included because it is required by MD5 and SHA password hashing systems.
When Solaris 2.5+ is running in YP compatibility mode with shadow passwords
enabled on the YP server, the clients expect to see ##userid in the password
field. The most important bit is the client must see ## as the first two
characters to trigger the shadow lookup.
I have not looked at the coding style guide, nor have I verified in any
other way that these patches:
- are safe to use
- cleanly apply to the source tree
- have no negative impact on execution on non-Solaris machines or
machines with MD5 or SHA passwords
- don't break other things
From my first email, which is no longer relevant because while writing it I
went off and fixed the problem in a better manner, but which went out anyway
because my fingers 'slipped' on alt-enter:
I might suggest that the decision logic as to whether to look at the shadow
file should be different than it is -- any invalid character in the first
two characters should cause the shadow (getspnam) function to be called.
From crypt(3C) on Solaris:

    The key argument points to a string to be encoded (for example, the
    user's password.) Only the first eight characters are used; the rest
    are ignored. The salt is a two-character string chosen from the set
    [a-zA-Z0-9./]. This string is used to perturb the hashing algorithm in
    one of 4096 different ways.
I suggest therefore that the presence of anything other than these
characters cause an error. The only notable exception is $, used by MD5 and
SHA.
Regards,
Roy
---
Roy Hooper
Project Manager & Senior UNIX Consultant
Decisive Technologies, Inc.
[EMAIL PROTECTED]
rlm_unix.c.patch
Description: Binary data
rlm_unix.c.patch2
Description: Binary data
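As an added illustration of the strspn() decision described in the message above (this is example code written for this page, not the attached rlm_unix.c.patch2 and not code from the FreeRADIUS source), the function below classifies a pw_passwd field from getpwnam(): if every character is in the crypt(3) alphabet [a-zA-Z0-9./] plus '$', the field is treated as a real hash; otherwise (e.g. the Solaris NIS "##userid" marker, "*NP*", "!!") the caller should fall back to getspnam(). One caveat the email does not cover: the Linux-style placeholder "x" consists entirely of legal characters, so a pure strspn() test would accept it as a hash. The example therefore adds a minimum-length check (a 13-character DES result is the shortest thing crypt() returns), which is an assumption of this example and goes beyond what the email proposes. The helper names needs_shadow_lookup(), nis_shadow_userid() and MIN_CRYPT_LEN, and all sample values, are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Characters a crypt(3) result may legitimately contain: the traditional
 * DES salt/hash alphabet [a-zA-Z0-9./] plus '$', which the MD5 ($1$) and
 * SHA-based ($5$/$6$) schemes use as a field separator. */
static const char CRYPT_CHARS[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./$";

/* Assumption for this example: the shortest string crypt(3) can return is a
 * 13-character DES result (2 salt + 11 hash). Anything shorter is a marker. */
#define MIN_CRYPT_LEN 13

/* Decide whether the pw_passwd field from getpwnam() can be handed straight
 * to crypt() for comparison, or whether the real hash lives in the shadow
 * database and getspnam() must be consulted. Returns true for the latter. */
bool needs_shadow_lookup(const char *pw_passwd)
{
    if (pw_passwd == NULL || pw_passwd[0] == '\0')
        return true;                       /* nothing to compare against */

    size_t len = strlen(pw_passwd);

    /* strspn() returns the length of the leading run of permitted characters.
     * Anything less than the whole string means a foreign character such as
     * '#' (Solaris NIS "##userid"), '*' ("*NP*") or '!' ("!!" locked). */
    if (strspn(pw_passwd, CRYPT_CHARS) != len)
        return true;

    /* All characters are legal but the string is too short to be a hash;
     * this catches the Linux "x" placeholder, which strspn() alone accepts. */
    return len < MIN_CRYPT_LEN;
}

/* For the Solaris YP-compatibility case: if the field is "##userid", return a
 * pointer to the userid part (the account whose shadow entry to fetch);
 * otherwise return NULL. */
const char *nis_shadow_userid(const char *pw_passwd)
{
    if (pw_passwd != NULL && pw_passwd[0] == '#' && pw_passwd[1] == '#'
        && pw_passwd[2] != '\0')
        return pw_passwd + 2;
    return NULL;
}

int main(void)
{
    /* Constructed sample pw_passwd values, not taken from any real system. */
    const char *samples[] = {
        "##roy",                                /* Solaris NIS/YP compat marker */
        "x",                                    /* Linux shadow placeholder     */
        "*NP*",                                 /* Solaris "no password" marker */
        "abJnggxhB/yWI",                        /* DES-shaped 13-char hash      */
        "$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0",   /* MD5-crypt-shaped hash        */
        "",                                     /* empty field                  */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *uid = nis_shadow_userid(samples[i]);
        printf("%-36s -> %s%s%s\n", samples[i],
               needs_shadow_lookup(samples[i]) ? "getspnam()" : "crypt() directly",
               uid ? " for user " : "", uid ? uid : "");
    }
    return 0;
}
```

Note that the check is deliberately permissive about what a hash looks like and strict about what a marker looks like: a field that passes is simply handed to crypt(), so a malformed-but-legal-alphabet string costs only a failed comparison, while anything with a foreign character or too short to be a hash triggers the shadow lookup rather than a silent authentication failure.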
