perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rick Bradley <r...@rickbradley.com>
Subject Re: [mp2.0] wrong crypt behavior
Date Thu, 03 Oct 2002 19:08:04 GMT
On Fri, 6 Sep 2002 08:23:33 +0200 Toma'? Procha'zka <kacer@pef.mendelu.cz> wrote:
> For comparsion of password user entered and password stored in database is
> crypt function used.
> 
> Here is the code:
> my $real_pass = $d->[0][0]; # crypted password from database
> my $salt = substr $real_pass,0,2; # salt
> my $test_pass = crypt $sent_pw,$salt; # in $sent_pw is the password user entered
> if ($real_pass eq $test_pass) {
>  $r->subprocess_env(REMOTE_USER => $user);
>  return OK;
> } else {
>  $r->note_basic_auth_failure;
>  return AUTH_REQUIRED;
> }
> 
> Problem:  Sometimes, although user entered correct password, is authentication
> rejected. I tried logging values of $real_pass and $test_pass and they
> differed. When I add line
> 
> $r->log_reason("User $user tested (".$real_pass."/".$test_pass.")...","");
> 
> just before 'if' statement behavior is most of time correct.

I have also seen this problem.   I am using RT [0] and have intermittent
login problems where suddenly crypt() called from mod_perl will start
generating the wrong return values [ i.e., $pass ne crypt($user, $pass) ].
After some period of time the crypt() call will start generating the
correct values again.

Executing the exact same crypt() calls via a command-line 
perl -e 'print crypt([string], [string])' generates the expected
(correct) results.

If (in the code run by mod_perl) I replace:

if ($pass eq crypt($user, $pass)) {

with:

$crypt = `perl -e 'print crypt(\"$user\", \"$pass\")'`;
chomp($crypt);
if ($pass eq $crypt) {

Then everything works perfectly, though less quickly and blatantly
insecurely.  I have checked the failing $user, $pass and crypt() values
thoroughly for wierdness and compared them to their successful
counterparts.  I am 100% convinced that crypt() is returning the wrong
values.  Note that the wrong values are consistent (i.e., they are not
random, not changing, just not correct).

My original RT problem report (including voluminous configuration
information, but prior to the isolation of the crypt() issue) can be
found at:

http://lists.fsck.com/pipermail/rt-users/2002-September/010117.html


Question:  is crypt() thread-safe?  I haven't had a chance to look at
the source but I plan on doing so soon.

A tiny bit more info:

$ strace perl -e 'print crypt("foo", "bar")' 2>&1 | grep crypt
execve("/usr/bin/perl", ["perl", "-e", "print crypt(\"foo\", \"bar\")"], [/* 22 vars */])
= 0
open("/lib/libcrypt.so.1", O_RDONLY)    = 3

$ ls -al /lib/libcrypt.so.1 /lib/libcrypt-2.2.5.so 
lrwxrwxrwx    1 root     root           17 Sep 23 18:13 /lib/libcrypt.so.1 -> libcrypt-2.2.5.so
-rw-r--r--    1 root     root        19136 Sep 17 21:50 /lib/libcrypt-2.2.5.so


[0] http://www.bestpractical.com/rt/index.html

Rick
-- 
 http://www.rickbradley.com    MUPRN: 812    (???F/???F)
                       |  me a line. It's the
   random email haiku  |  only commercial unix
                       |  I've ever liked. Wow.

Mime
View raw message