[sudo-users] SHA512 Passwords on Solaris Seems to Break Sudo Authentication in 1.8.11 to 1.8.12

David.Cress at globalpay.com David.Cress at globalpay.com
Thu Mar 5 12:37:59 MST 2015


Great, thank you.  I've rolled back to 1.8.10p3 and will just stay there till 1.8.13 comes out.

---
David Cress
Senior UNIX Engineer
Desk: 9-8435 (770 829-8435)
Cell: 678 768-4665

What exists, exists; what is, is; and from this irreducible bedrock principle, all knowledge is built.

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
Sent: Thursday, March 05, 2015 2:22 PM
To: Cress, David # ATLANTA
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] SHA512 Passwords on Solaris Seems to Break Sudo Authentication in 1.8.11 to 1.8.12

I've finally gotten to the bottom of this.  The problem is that sudo uses its own sha2 functions on Solaris 10 because the system version doesn't include SHA224 support (it was added in Solaris 11).  As a result, when PAM tries to verify the user's password it ends up using sudo's sha2 functions but with the Solaris sha2 data structures.

The fix is to avoid namespace pollution and prefix sudo's sha2 functions with sudo_ so there is no conflict.

I've put a patch relative to sudo 1.8.11p1 at:

    ftp://ftp.sudo.ws/pub/millert/sudo/sha2.patch

The patch also applies to sudo 1.8.12.  The next sudo 1.8.13 beta will include this patch.

 - todd
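A build-time check for the kind of symbol clash Todd describes above, added here as an example and not code from sudo or from this thread: it parses GNU `nm -D`-style output and reports names a program exports that a library it loads also exports. All listings in it are constructed, including the stand-in for the Solaris 10 libc.

```python
# Added example, not code from sudo or this thread: report names a program
# exports that a shared library it loads also exports.  The executable comes
# first in the default ELF symbol search order, so every module in the process
# (PAM modules included) binds to the program's copy; that is how sudo's sha2
# functions were reached with libc's SHA512_CTX layout.  Listings are
# constructed GNU `nm -D`-style text, not real binaries.

def exported_symbols(nm_output):
    """Globally defined names: uppercase type letter other than 'U'
    (an undefined reference, i.e. an import rather than an export)."""
    exported = set()
    for line in nm_output.splitlines():
        fields = line.split()  # [address,] type letter, name
        if len(fields) not in (2, 3):
            continue
        kind, name = fields[-2], fields[-1]
        if kind.isupper() and kind != "U":
            exported.add(name)
    return exported

def colliding_symbols(program_nm, library_nm):
    """Names defined on both sides; the program's copy interposes."""
    return sorted(exported_symbols(program_nm) & exported_symbols(library_nm))

# Constructed stand-in for Solaris 10 libc: SHA-512 present, SHA-224 absent.
LIBC_NM = """\
00000000000f1a00 T SHA512Init
00000000000f1b20 T SHA512Update
00000000000f1c40 T SHA512Final
00000000000e0000 T strlcpy
"""
# Constructed listing of a sudo built with its own sha2.c and no prefix.
SUDO_UNFIXED_NM = """\
0000000000412a40 T SHA512Init
0000000000412b00 T SHA512Update
0000000000412c80 T SHA512Final
0000000000413000 T SHA224Init
0000000000405120 T main
                 U pam_authenticate
                 U strlcpy
"""
# Same build after the fix: bundled functions carry the sudo_ prefix.
SUDO_FIXED_NM = SUDO_UNFIXED_NM.replace(" T SHA", " T sudo_SHA")

if __name__ == "__main__":
    print("unfixed:", colliding_symbols(SUDO_UNFIXED_NM, LIBC_NM))
    print("fixed:  ", colliding_symbols(SUDO_FIXED_NM, LIBC_NM))
```

Against a real build, feed it `nm -D /usr/local/bin/sudo` and `nm -D` of the libc that the PAM modules link against; an empty result for the fixed build is what you want to see.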

