[rsbac] UM can't set passwords - strange symptoms

Sven Seeland sven.seeland at gmx.de
Wed Jul 18 21:19:29 CEST 2007


By the way: the bug is happening again. Now that I know that 1.3.5 will fix it 
I'll just leave it as it is and hope that 1.3.5 hits Gentoo Portage real fast. 
Oh well...

Sven Seeland wrote:
> Hmm, I'm kind of in a bind here. First of all I must say that I'm no kernel expert and I am in no way an experienced Linux admin. I'm doing this as a hobby but I still want my server to be reasonably safe.
> However, I'm relying on several features that are (as far as I know) exclusive to 2.6. Namely udev, lvm2 and alsa (and possibly more).
> 
> I'm also using Gentoo and it looks like it defaults to 2.6 now. You *can* make it run on 2.4, but it requires a good bit of work and system knowledge and I currently don't really feel up to the task.
> Also, the server doubles as a media center. Not a good combination to put a hardened webserver and a media center on the same machine, I know, but I only have one computer at my disposal so it's gotta do both jobs. And I'm afraid that running either part of the server in a virtualized environment (e.g. on virtualbox) will hurt performance badly.
> 
> Any advice?
> 
> Interestingly, the password bug hasn't occurred on the new setup yet.
> 
> Anyways, I'll stay tuned for the update and hope it trickles down the Gentoo pipeline soon.
> 
> Greetings,
> Sven
> 
> 
> -------- Original Message --------
> Date: Wed, 18 Jul 2007 10:11:54 +0200
> From: Amon Ott <ao at rsbac.org>
> To: RSBAC Discussion and Announcements <rsbac at rsbac.org>
> Subject: Re: [rsbac] UM can't set passwords - strange symptoms
> 
>> On Tuesday 17 July 2007 14:54, Sven Seeland wrote:
>>> Thanks, everything works now. I guess I got spooked. On my last
>>> install I was having all sorts of weird problems concerning RSBAC
>>> UM, like not being able to set passwords, not being able to log in,
>>> being able to log in regardless of the password entered, etc. And I
>>> couldn't solve this by reverting back to standard unix shadow suite
>>> user management. Which caused me to reinstall from scratch. It's
>>> not a production machine and I'm still pretty new to this...
>> If you are using a 2.6 kernel with UM, you are strongly encouraged to 
>> update to 1.3.5, which has been uploaded to download.rsbac.org 
>> yesterday. We have fixed a nasty bug, which could cause any password 
>> to be accepted on 2.6 kernels - like you noticed.
>>
>> There is a reason why I recommend 2.4 on any server system: 2.6 
>> internal APIs change with almost every release, so you can expect any 
>> kind of bug. Needless to say that new APIs are hardly ever 
>> documented. 2.6 is nothing I would call stable software, rather a 
>> run-away hunt for features. One look at the rate of security fixes 
>> for every 2.6 release tells the story.
>>
>> This example has hit us here: crypto API interface has changed, but 
>> third parameter of the analogous function with similar name still has the 
>> same type, but very different meaning. So we ended up hashing a 
>> single byte of the salt instead of the whole salt + password string. 
>> Sure any password matched, because the same salt was used for 
>> compare.
>>
>> We will make an official announcement after some more quality checks 
>> on the release files.
>>
>> Amon.
>> -- 
>> http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
>> _______________________________________________
>> rsbac mailing list
>> rsbac at rsbac.org
>> http://www.rsbac.org/mailman/listinfo/rsbac
> 
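A model of the length-argument mismatch Amon describes, written as an added example for this thread (it is not RSBAC code and does not touch the kernel crypto API): a toy digest stands in for the real hash, `salted_digest_buggy` passes a misread length so only the first salt byte is hashed, `salted_digest_fixed` hashes the whole salt + password string, and `digest_selftest` is a hypothetical init-time check that would have caught the defect, because under the buggy path two different passwords produce the same digest and therefore any password verifies. The function names, the FNV-1a stand-in and the sample salt are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample salt; the trailing NUL is not part of the salt. */
static const unsigned char DEMO_SALT[] = "abcdefgh";
#define DEMO_SALT_LEN (sizeof DEMO_SALT - 1)

/* Stand-in for the kernel digest: FNV-1a 64-bit. It is not a password hash;
 * it only models "a digest computed over `len` bytes of `buf`". */
static uint64_t digest(const unsigned char *buf, size_t len)
{
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Builds salt || password in one buffer. Returns the total length,
 * or 0 if it would not fit. */
static size_t build_input(unsigned char *out, size_t cap,
                          const unsigned char *salt, size_t salt_len,
                          const char *pw)
{
    size_t pw_len = strlen(pw);
    if (salt_len + pw_len > cap)
        return 0;
    memcpy(out, salt, salt_len);
    memcpy(out + salt_len, pw, pw_len);
    return salt_len + pw_len;
}

typedef uint64_t (*salted_fn)(const unsigned char *, size_t, const char *);

/* Models the defect: the third argument is passed with the meaning the old
 * API had, which here amounts to "1", so only the first salt byte is
 * digested and the password never influences the result. */
uint64_t salted_digest_buggy(const unsigned char *salt, size_t salt_len,
                             const char *pw)
{
    unsigned char in[256];
    size_t total = build_input(in, sizeof in, salt, salt_len, pw);
    if (total == 0)
        return 0;
    return digest(in, 1);      /* wrong: should be `total` */
}

/* Corrected path: digest the whole salt + password string. */
uint64_t salted_digest_fixed(const unsigned char *salt, size_t salt_len,
                             const char *pw)
{
    unsigned char in[256];
    size_t total = build_input(in, sizeof in, salt, salt_len, pw);
    if (total == 0)
        return 0;
    return digest(in, total);
}

/* Password check as a user-management layer would do it: recompute with the
 * stored salt and compare against the stored digest. Returns 1 on match. */
int verify_password(uint64_t stored, const unsigned char *salt,
                    size_t salt_len, const char *pw, salted_fn fn)
{
    return fn(salt, salt_len, pw) == stored;
}

/* Hypothetical init-time sanity check: two different passwords under the
 * same salt must yield different digests. Returns 1 if the digest path
 * looks sane, 0 if it is degenerate (as the buggy path is). */
int digest_selftest(salted_fn fn)
{
    return fn(DEMO_SALT, DEMO_SALT_LEN, "alpha") !=
           fn(DEMO_SALT, DEMO_SALT_LEN, "bravo");
}

int main(void)
{
    uint64_t stored_buggy = salted_digest_buggy(DEMO_SALT, DEMO_SALT_LEN, "correct");
    uint64_t stored_fixed = salted_digest_fixed(DEMO_SALT, DEMO_SALT_LEN, "correct");

    printf("buggy path: wrong password accepted = %d, selftest = %d\n",
           verify_password(stored_buggy, DEMO_SALT, DEMO_SALT_LEN, "wrong",
                           salted_digest_buggy),
           digest_selftest(salted_digest_buggy));
    printf("fixed path: wrong password accepted = %d, selftest = %d\n",
           verify_password(stored_fixed, DEMO_SALT, DEMO_SALT_LEN, "wrong",
                           salted_digest_fixed),
           digest_selftest(salted_digest_fixed));
    return 0;
}
```

The self-test is the practical takeaway: when a security module depends on an external API whose parameter semantics can silently change between kernel releases, a cheap runtime check that the digest actually depends on its input catches this class of regression at boot rather than in production.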
