Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!spool.mu.edu!uwm.edu!news.he.net!news.onramp.net!news.nkn.net!news.panther.net!nemesis!hammy!news-in.iadfw.net!news.gymnet.com!LSNT1!lsbsdi6.lightspeed.net!news3.crl.com!nntp2.crl.com!data.ramona.vix.com!sonysjc!su-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!news-peer.sprintlink.net!news-pull.sprintlink.net!news-in-east.sprintlink.net!news.sprintlink.net!Sprint! 207.67.253.7!atmnet.net!news.lightside.com!fred From: fred@lightside.net (Fred Condo) Newsgroups: comp.unix.bsd.freebsd.misc Subject: sudo vs. md5 passwords Date: Sun, 01 Jun 1997 09:49:47 -0700 Organization: Lightside, Inc. Lines: 28 Message-ID: <C9D6FE77342FC5A7.F3E70552306B5CA6.885E254ACEADB0E6@library-proxy.airnews.net> X-Orig-Message-ID: <fred-ya02408000R0106970949470001@news.lightside.com> NNTP-Proxy-Relay: library.airnews.net NNTP-Posting-Host: biceps.gymnet.com Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Newsreader: Yet Another NewsWatcher 2.4.0 Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:42239 I just figured out a bug, or interaction, between sudo and a FreeBSD system using strictly md5 passwords (no DES). This is under FreeBSD 2.1.7. We recently laid off an employee who had access to sudo, so we had to change the password on several role accounts that employee used sudo from. The old password was 8 characters long. The new password is 10 characters long. After changing the password, sudo rejected the new password as being wrong. Yet on another FreeBSD 2.1.7 system, it still worked. That system, however, uses DES passwords because its password file was transferred from a legacy system that used traditional password encryption. After poking around aimlessly for a while, I realized that sudo must assume that passwords are no more than 8 characters, which is the limit with traditional DES-based passwords. The md5 passwords, I believe, can be up to 16 characters. So when sudo encrypted the first 8 characters only of the password, its hash did not match the hash in the password database. I reset the password for the account, truncating it at 8 characters, and now sudo is happy. Hopefully this message will help someone who has run into this problem. -- http://www.lightside.net/~fred/ + net access + http://www.lightside.net/ "Attempts to control the use of encryption technology are wrong in principle, unworkable in practice, and damaging to the long term economic value of the information networks." - UK Labour Party