Re: [BUGS] BUG #1134: ALTER USER ... RENAME breaks md5

Dear Bruce,

> Yes, the problem is that we used the username for the salt, just like
> FreeBSD does for its MD5 passwords.

Not that I know of on FreeBSD?

shell> uname -a
FreeBSD palo-alto2.ensmp.fr 4.9-STABLE FreeBSD 4.9-STABLE #5: Mon Mar  1 21:31:30 CET 2004
root@palo-alto2.ensmp.fr:/usr/src/sys/compile/IAR2Mi386 

shell> grep coelho /var/yp/master.passwd
coelho:$1$00EacB0I$4kQ/HmqFFQANZP/mxj8ZX0:210:20::0:0:COELHO, Fabien:/users/cri/coelho:/usr/local/bin/bash
          ^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^
          salt     some base 64 encoding of 1002 paranoid md5 computations.

Even of the salt is based on the login, the point is that it is stored
separatly, so the system does not rely on the login string to check the
password.

The only other scheme which requires the user password somehow is the HTTP
digest authentification, and AFAIK no one in the world uses it;-)

> The attached patch clears the password field on rename:

By 'clearing' and after a look at the patch, I understand that the access
will be denied after the rename, which is the current behavior anyway;-)

> and adds documention explaining this behavior. I can't think of a
> better solution.

Yes, I'm afraid there is no 'light' fix, other than acknowledging the
fact... Not a big issue.

Thanks,

--
Fabien Coelho - coelho@cri.ensmp.fr