#69 pam_userdb - Support for md5 passwords with crypt option

open
nobody
module (28)
5
2008-04-23
2008-04-23
No

crypt(3) describes a GNU extension in the glibc2 version of the crypt function that allows for encoding strings using the MD5 algorithm instead of DES. Many password digests found in shadow files have been encrypted using this extension, probably because of the common MD5 option for pam_unix.

Support for encoded passwords was introduced to pam_userdb years ago, but it only supports DES-encoded passwords. This simple patch adds support for MD5-encoded passwords.

Discussion

  • Ben Gladwell

    Ben Gladwell - 2008-04-24

    Logged In: YES
    user_id=2070560
    Originator: YES

    File Added: pam_userdb.unifieddiff

     
  • Ben Gladwell

    Ben Gladwell - 2008-04-24

    Adds MD5 support for the pam_userdb crypt option

     
  • Nobody/Anonymous

    This patch, while it may work, continues to misuse the crypt() function. The code should *NOT* examine the crypted password and extract the salt from it at all, but rather simply pass the entire crypted password (from the userdb) to crypt() as the salt. To quote the GNU libc info page for crypt():
    When the user enters their password for the first time, the SALT
    should be set to a new string which is reasonably random. To
    verify a password against the result of a previous call to
    `crypt', pass the result of the previous call as the SALT.

    That way, the code will work with other compatible hashing/salting methods; the "$1" prefix of MD5 isn't the only one out there!
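
The calling convention described in the last comment, shown as an added example that is not part of the patch or the thread: verification hands the entire stored hash to crypt(3) as the salt argument, so one code path covers DES, `$1$` MD5 and newer prefixes. It is written in Python and reaches the C library's crypt(3) through ctypes; the passwords, salts and helper names are constructed for illustration.

```python
import ctypes
import ctypes.util
import hmac


def _load_crypt():
    """Locate crypt(3): libcrypt on glibc, libc itself on musl and macOS."""
    for name in (ctypes.util.find_library("crypt"), "libcrypt.so.1", None):
        try:
            fn = ctypes.CDLL(name).crypt
        except (OSError, AttributeError):
            continue
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        fn.restype = ctypes.c_char_p
        return fn
    raise RuntimeError("crypt(3) not found")


_crypt = _load_crypt()


def crypt_hash(password, setting):
    """Call crypt(3); return None when the library rejects the setting."""
    out = _crypt(password.encode(), setting.encode())
    # NULL or a libxcrypt failure token ("*0"/"*1") is not a usable hash.
    if out is None or out.startswith(b"*"):
        return None
    return out.decode()


def verify(password, stored):
    """Verify by passing the whole stored hash as crypt()'s salt argument."""
    # Nothing here parses a prefix or salt, so every scheme the C library
    # knows (traditional DES, $1$ MD5, $6$ SHA-512, ...) takes the same path.
    candidate = crypt_hash(password, stored)
    if candidate is None:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())


def demo():
    """Enroll a constructed password under three settings, then verify."""
    results = {}
    for setting in ("ab", "$1$abcdefgh$", "$6$abcdefgh$"):  # constructed salts
        stored = crypt_hash("correct horse", setting)
        if stored is not None:  # skip schemes this libcrypt build disables
            results[setting] = (verify("correct horse", stored),
                                verify("wrong guess", stored))
    return results
```

`demo()` returns one `(right password accepted, wrong password accepted)` pair per scheme the local libcrypt supports; `verify()` itself never inspects the prefix.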

     
