mod_authnz_external 3.2 and checkpassword
18 views
Skip to first unread message
Test 1
Oct 8, 2009, 6:39:05 PM10/8/09
to mod_auth_external
Hi,
I'm trying to configure mod_authnz_external 3.2.4 to authenticate
against checkpassword program.
The program I use is written to comply with checkpassword interface
(http://cr.yp.to/checkpwd.html), so it reads authentication info from
FD 3. Authentication fails with "checkpassword: bad fd (3)" message.
Seems like there is a regression against 3.1 branch, where special
handling was done for the case of checkpassword, see line 383 as of
3.1.0:
dup2(pipe_to_auth[0], usecheck ? 3 : 0);
I found no such handling in 3.2.4 source code, auth data is fed to
child process' stdin. Fortunately, I possess source code for that
program, so I can tweak it to use stdin if FD 3 is not available.
Nevertheless, are there any plans to bring checkpassword back in 3.2
branch?
Thanks,
Abanamat
I'm trying to configure mod_authnz_external 3.2.4 to authenticate
against checkpassword program.
The program I use is written to comply with checkpassword interface
(http://cr.yp.to/checkpwd.html), so it reads authentication info from
FD 3. Authentication fails with "checkpassword: bad fd (3)" message.
Seems like there is a regression against 3.1 branch, where special
handling was done for the case of checkpassword, see line 383 as of
3.1.0:
dup2(pipe_to_auth[0], usecheck ? 3 : 0);
I found no such handling in 3.2.4 source code, auth data is fed to
child process' stdin. Fortunately, I possess source code for that
program, so I can tweak it to use stdin if FD 3 is not available.
Nevertheless, are there any plans to bring checkpassword back in 3.2
branch?
Thanks,
Abanamat
Jan Wolter
Oct 29, 2009, 11:56:06 AM10/29/09
to mod_auth_external
I've released a new version of mod_authnz_external which fixes a major
bug in the handling of "checkpassword" type authenticators, as
described below by Abanamat. This is not a security fix, and there is
no particular reason to upgrade if previous versions are working for
you.
As Abanamat points out, data is supposed to be sent to checkpassword
authenticators on stderr, not stdin. MAE version 3.1.x did this
correctly, but that part of the code got completely rewritten in 3.2.0
and I seem to have accidentally dropped that logic on the floor.
Version 3.2.5 restores it.
Thanks to Abanamat for this very precise and intelligent bug report.
- Jan
bug in the handling of "checkpassword" type authenticators, as
described below by Abanamat. This is not a security fix, and there is
no particular reason to upgrade if previous versions are working for
you.
As Abanamat points out, data is supposed to be sent to checkpassword
authenticators on stderr, not stdin. MAE version 3.1.x did this
correctly, but that part of the code got completely rewritten in 3.2.0
and I seem to have accidentally dropped that logic on the floor.
Version 3.2.5 restores it.
Thanks to Abanamat for this very precise and intelligent bug report.
- Jan
Reply all
Reply to author
Forward
0 new messages