[Bug 426513] Re: openssl enc documentation incorrect

2009-12-09 Thread reidmefirst
It is set to be "-salt" by default.  The documentation (enc manpage)
says that it is set to be "-nosalt" by default.  I am saying that either
the documentation or the default option should be changed.

-- 
openssl enc documentation incorrect
https://bugs.launchpad.net/bugs/426513
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 426513] [NEW] openssl enc documentation incorrect

2009-09-08 Thread reidmefirst
Public bug reported:

Binary package hint: openssl

1) This affects openssl in Ubuntu 9.04.

2) This affects openssl 0.9.8g-15ubuntu3.

3) The OpenSSL enc(1) man page has this to say about key derivation:

-salt
use a salt in the key derivation routines.  This option should ALWAYS be used 
unless compatibility with previous versions of OpenSSL or SSLeay is required.  
This option is only present on OpenSSL versions 0.9.5 or above.

-nosalt
don't use a salt in the key derivation routines.  This is the default for 
compatibility with previous versions of OpenSSL and SSLeay.

I expect that when I enter:

$ openssl enc -aes-128-cbc -k foo -P

That openssl will return an unsalted key and initialization vector.

4) What I get instead is:
salt=<8 byte salt>
key=<16 byte key>
iv =<16 byte iv>

The salt, key, and iv are different each time because openssl is using a
salt.  If I execute 'openssl enc -aes-128-cbc -nosalt -k foo -P' I get
the same key and initialization vector each time, with no salt value in
the output (which is what I expect even without using the '-nosalt'
option).

** Affects: openssl (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: documentation manpage openssl

-- 
openssl enc documentation incorrect
https://bugs.launchpad.net/bugs/426513
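The two reports above (the original and the 2009-12-09 follow-up) turn on what `openssl enc -k foo -P` prints with and without a salt. The key derivation behind that output is OpenSSL's EVP_BytesToKey(): D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), with the concatenated digests split into key and IV. In the 0.9.8 series enc uses MD5 with a single iteration; -nosalt passes an empty salt and -salt an 8-byte random one. The Python below is an added re-implementation for illustration, not OpenSSL's code or anything from the bug thread; the output-formatting helper mimics the three `-P` lines shown in the report, and the random salts are generated locally. It shows why the salted run changes both key and IV on every invocation while the -nosalt run is fixed for a given password, which is also why the salt matters: without it, one key/IV pair per guessed password serves against every file encrypted with that password.

```python
import hashlib
import os

# Output lengths for aes-128-cbc, the cipher used in the bug report.
AES128_KEY_LEN = 16
AES128_IV_LEN = 16


def evp_bytes_to_key(password, salt, key_len, iv_len, md=hashlib.md5, count=1):
    """Re-implementation (for illustration) of OpenSSL's EVP_BytesToKey().

    D_1 = H(password || salt); D_i = H(D_{i-1} || password || salt).
    The concatenation D_1 || D_2 || ... is cut into key and IV.
    `openssl enc` in 0.9.8 uses MD5 and count=1; `-nosalt` means an empty
    salt, `-salt` an 8-byte random salt that is also written to the output.
    """
    if salt and len(salt) != 8:
        raise ValueError("openssl enc always uses an 8-byte salt")
    material = b""
    prev = b""
    while len(material) < key_len + iv_len:
        digest = md(prev + password + salt).digest()
        for _ in range(count - 1):
            digest = md(digest).digest()
        material += digest
        prev = digest
    return material[:key_len], material[key_len:key_len + iv_len]


def enc_P_output(password, salt):
    """Mimic the lines `openssl enc -aes-128-cbc -k <pw> -P` prints (uppercase hex)."""
    key, iv = evp_bytes_to_key(password, salt, AES128_KEY_LEN, AES128_IV_LEN)
    lines = []
    if salt:
        lines.append("salt=" + salt.hex().upper())
    lines.append("key=" + key.hex().upper())
    lines.append("iv =" + iv.hex().upper())
    return lines


def nosalt_is_deterministic(password):
    """With -nosalt, the same password always yields the same key and IV."""
    return enc_P_output(password, b"") == enc_P_output(password, b"")


def salted_runs_differ(password):
    """With -salt, two runs pick fresh salts and so yield different key and IV."""
    first = evp_bytes_to_key(password, os.urandom(8), AES128_KEY_LEN, AES128_IV_LEN)
    second = evp_bytes_to_key(password, os.urandom(8), AES128_KEY_LEN, AES128_IV_LEN)
    return first != second


if __name__ == "__main__":
    print("-nosalt (fixed for the password 'foo'):")
    print("\n".join(enc_P_output(b"foo", b"")))
    print("-salt (constructed random salt, changes every run):")
    print("\n".join(enc_P_output(b"foo", os.urandom(8))))
```

With an empty salt the key is simply MD5("foo") and the IV is MD5(key || "foo"), so the -nosalt output is reproducible by anyone who knows the password, exactly as the reporter observed. Note that even the salted derivation is a single MD5 pass; later OpenSSL releases added `-pbkdf2` for this reason.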


[Bug 242690] Re: might allow to bypass authentication

2009-07-14 Thread reidmefirst
Naive question about a bug that was closed a year ago...

Can a user do a similar thing with pam_pgsql when changing her password?
For example the operator precedence in pam_sm_chauthtok() line 696 is:

if ((rc = pam_get_pass(pamh, PAM_OLDAUTHTOK, &pass, PASSWORD_PROMPT,
options->std_flags)) == PAM_SUCCESS) {

which is identical to the buggy operator precedence being performed in
the old version of pam_sm_authenticate().  Is it possible for a
malicious user to change a victim's password in this way if pam_pgsql is
used and the victim walked away without locking their screen?

Reid

-- 
 might allow to bypass authentication
https://bugs.launchpad.net/bugs/242690
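The question above hinges on where the parentheses sit around an assignment that is also used as a condition. In C, `==` binds tighter than `=`, so `rc = f() == PAM_SUCCESS` stores the 0/1 result of the comparison in rc, whereas `(rc = f()) == PAM_SUCCESS` stores f()'s return code. Because PAM_SUCCESS is 0, the first form turns every failure of f() into rc == PAM_SUCCESS. The C below is an added, constructed illustration of that precedence hazard; it is not pam_pgsql code, and stub_get_pass() is a stand-in for pam_get_pass() that returns whatever outcome the caller asks for. The PAM constants are copied from Linux-PAM so the file builds without PAM headers.

```c
#include <stdio.h>

/* Return codes as defined in Linux-PAM's <security/_pam_types.h>,
 * reproduced here so the example builds without the PAM headers. */
#define PAM_SUCCESS  0
#define PAM_AUTH_ERR 7

/* Constructed stand-in for pam_get_pass(): hands back the outcome the
 * caller asks for, so both success and failure can be exercised. */
static int stub_get_pass(int outcome)
{
    return outcome;
}

/* Parenthesisation as quoted in the thread: the assignment is wrapped,
 * so rc holds the PAM return code and only the comparison steers the
 * branch. */
int rc_after_correct_form(int outcome)
{
    int rc;
    if ((rc = stub_get_pass(outcome)) == PAM_SUCCESS) {
        /* taken only when the call succeeded; rc is PAM_SUCCESS here */
    }
    return rc; /* what the module would hand back to libpam */
}

/* Mis-parenthesised form: '==' binds before '=', so rc holds the 0/1
 * result of the comparison. A failed call (non-zero code) compares
 * unequal to PAM_SUCCESS, which makes rc = 0 = PAM_SUCCESS. */
int rc_after_buggy_form(int outcome)
{
    int rc;
    if ((rc = stub_get_pass(outcome) == PAM_SUCCESS)) {
        /* taken only when the call succeeded; rc is now 1, not 0 */
    }
    return rc;
}

int main(void)
{
    int outcomes[] = { PAM_SUCCESS, PAM_AUTH_ERR };
    for (unsigned i = 0; i < 2; i++) {
        printf("call returned %d: correct form -> rc=%d, buggy form -> rc=%d\n",
               outcomes[i],
               rc_after_correct_form(outcomes[i]),
               rc_after_buggy_form(outcomes[i]));
    }
    return 0;
}
```

The mis-parenthesised form inverts the result: a failed call yields rc == PAM_SUCCESS, and a successful call yields rc == 1, which is not PAM_SUCCESS. gcc's -Wparentheses warns about a bare `if (rc = f())`, but the extra pair of parentheses is exactly the idiom that silences it, so this class of defect is found by review or static analysis rather than by the compiler.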