*BSD News Article 96929


Return to BSD News archive

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!spool.mu.edu!uwm.edu!news.he.net!news.onramp.net!news.nkn.net!news.panther.net!nemesis!hammy!news-in.iadfw.net!news.gymnet.com!LSNT1!lsbsdi6.lightspeed.net!news3.crl.com!nntp2.crl.com!data.ramona.vix.com!sonysjc!su-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!news-peer.sprintlink.net!news-pull.sprintlink.net!news-in-east.sprintlink.net!news.sprintlink.net!Sprint!
207.67.253.7!atmnet.net!news.lightside.com!fred
From: fred@lightside.net (Fred Condo)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: sudo vs. md5 passwords
Date: Sun, 01 Jun 1997 09:49:47 -0700
Organization: Lightside, Inc.
Lines: 28
Message-ID: <C9D6FE77342FC5A7.F3E70552306B5CA6.885E254ACEADB0E6@library-proxy.airnews.net>
X-Orig-Message-ID: <fred-ya02408000R0106970949470001@news.lightside.com>
NNTP-Proxy-Relay: library.airnews.net
NNTP-Posting-Host: biceps.gymnet.com
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: Yet Another NewsWatcher 2.4.0
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:42239

I just figured out a bug, or interaction, between sudo and a FreeBSD system
using strictly md5 passwords (no DES). This is under FreeBSD 2.1.7.

We recently laid off an employee who had access to sudo, so we had to
change the password on several role accounts that employee used sudo from.
The old password was 8 characters long. The new password is 10 characters
long.

After changing the password, sudo rejected the new password as being wrong.
Yet on another FreeBSD 2.1.7 system, it still worked. That system, however,
uses DES passwords because its password file was transferred from a legacy
system that used traditional password encryption. After poking around
aimlessly for a while, I realized that sudo must assume that passwords are
no more than 8 characters, which is the limit with traditional DES-based
passwords. The md5 passwords, I believe, can be up to 16 characters. So
when sudo encrypted the first 8 characters only of the password, its hash
did not match the hash in the password database.

I reset the password for the account, truncating it at 8 characters, and
now sudo is happy.

Hopefully this message will help someone who has run into this problem.
-- 
http://www.lightside.net/~fred/ + net access + http://www.lightside.net/
"Attempts to control the use of encryption technology are wrong in
principle, unworkable in practice, and damaging to the long term economic
value of the information networks." - UK Labour Party