[rsbac] UM can't set passwords - strange symptoms
Amon Ott
ao at rsbac.org
Wed Jul 18 10:11:54 CEST 2007
On Tuesday 17 July 2007 14:54, Sven Seeland wrote:
> Thanks, everything works now. I guess I got spooked. On my last
> install I was having all sorts of weird problems concerning RSBAC
> UM, like not being able to set passwords, not being able to log in,
> being able to log in regardless of the password entered, etc. And I
> couldn't solve this by reverting back to standard unix shadow suite
> user management. Which caused me to reinstall from scratch. It's
> not a production machine and I'm still pretty new to this...
If you are using a 2.6 kernel with UM, you are strongly encouraged to
update to 1.3.5, which has been uploaded to download.rsbac.org
yesterday. We have fixed a nasty bug, which could cause any password
to be accepted on 2.6 kernels - like you noticed.
There is a reason why I recommend 2.4 on any server system: 2.6
internal APIs change with almost every release, so you can expect any
kind of bug. Needless to say that new APIs are hardly ever
documented. 2.6 is nothing I would call stable software, rather a
run-away hunt for features. One look at the rate of security fixes
for every 2.6 release tells the story.
This example has hit us here: the crypto API interface has changed, but
the third parameter of the analogous function with a similar name still has the
same type, but very different meaning. So we ended up hashing a
single byte of the salt instead of the whole salt + password string.
Sure any password matched, because the same salt was used for
compare.
We will make an official announcement after some more quality checks
on the release files.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
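
The failure described in the message above, as an added example that is not part of the original post and not RSBAC code: it assumes the third parameter used to be a count of buffer segments and is now read as a count of bytes, so a leftover "1" hashes only the first salt byte. All function names, the salt value and the FNV-1a stand-in for the kernel digest are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define SALT_LEN 4
#define MAX_PASS 64

/* Toy stand-in for the kernel digest (FNV-1a); not a real password hash.
 * The third parameter is a length in bytes, as in the assumed new API. */
static uint32_t toy_hash_update(uint32_t h, const unsigned char *buf,
                                unsigned int nbytes)
{
    for (unsigned int i = 0; i < nbytes; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* Hash salt||password. With buggy != 0 the caller still passes the old
 * "one segment" value, which the new function reads as "one byte". */
static uint32_t hash_password(const unsigned char *salt, const char *pass,
                              int buggy)
{
    unsigned char buf[SALT_LEN + MAX_PASS];
    size_t plen = strlen(pass);
    unsigned int third;

    if (plen > MAX_PASS)
        plen = MAX_PASS;
    memcpy(buf, salt, SALT_LEN);
    memcpy(buf + SALT_LEN, pass, plen);
    third = buggy ? 1u : (unsigned int)(SALT_LEN + plen);
    return toy_hash_update(2166136261u, buf, third);
}

static int verify(const unsigned char *salt, uint32_t stored,
                  const char *attempt, int buggy)
{
    return hash_password(salt, attempt, buggy) == stored;
}

/* Regression check: the right password verifies AND a wrong one is rejected. */
static int rejects_wrong_password(int buggy)
{
    static const unsigned char salt[SALT_LEN] = { 0x5a, 0x13, 0xc7, 0x09 }; /* constructed */
    uint32_t stored = hash_password(salt, "correct horse", buggy);
    return verify(salt, stored, "correct horse", buggy) &&
           !verify(salt, stored, "wrong", buggy);
}

/* Exit 0 only if the fixed call rejects a wrong password and the buggy one does not. */
int main(void) { return !(rejects_wrong_password(0) && !rejects_wrong_password(1)); }
```

A test that only checks the correct password passes on both paths; only the negative case (a wrong password must fail) separates them.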