Joined: Jul 1999
Posts: 118
Enthusiast
I had this problem for a long time, I really need to solve it. I hope you can find the solution for me!!

This has been on perl and php versions, through several upgrades, but right now I am a little behind
Powered BY WWWThreads 5.4.1php


Problem

I used to run a message board on 2 different servers. When a user registered a password on freebsd server, they would not allow authentication on the linux server.

I gave up and ended up running all on one server.

Now I have another reason why I would want to either run the board on 2 servers, or convert the entire board onto the other server.

I fear password problems again. Can someone help me, I could not figure this out!



=======================
From: QuickServe Support

Subject: Re: crypt function on linux different from freebsd?? [C4J9M7X]
The only thing I can think of off-hand is that you'd want to make
sure all systems (and functions) are encrypting in the same format.
It is possible that some systems might default to MD5 and others
might default to DES depending on their setup. You can recognize
MD5 passwords because the encrypted string always begins with "$1$".

Erik
----


> I am sending this to several people in the hope to get a solution.
>
> I run wwwthreads.com board, a bulletin board in perl and/or php,
> with mysql database background.
>
> It runs on both a freebsd and 2 linux servers, using the same
> database. There are some strange problems occurring. I narrowed
> it down, that seemingly passwords changed occurring on the freebsd
> servers will not be accepted on the linux server, and vice versa.
> It seems, though, that this does not occur all the time.
>
> Question:
>
> a) could it be that the perl/php/unix crypt function works differently on
> these servers, i.e. yields different results for encrypting and for
> comparison??
>
> b) if so, can it be circumvented? Can the crypt function of one
> operating system be imported into the other at least as a callable
> subroutine? How?
>
> c) Or is the only way to remain consistent to run the board only
> on one operating system? Or at least run the routines that change
> passwords only on one operating system, i.e. block user registration
> and profile changes on the other operating system. Any other
> solution in sight?

===================

You can choose the encryption type by the size of the salt you
apply to the 'crypt()' call. FreeBSD supports both DES and MD5.
Since it looks like you're passing a two-character salt, passwords
are being encrypted on qs13 in Standard DES. If you wish to use
Extended DES or MD5, you need to pass a longer salt. Please see
http://www.php.net/manual/en/function.crypt.php for further
information.

Erik
----


> www.a3.com/chat/pinwand is a message board, based on a mysql database
>
> This database is accessed by other (linux) servers, for copies of
> the board, running on the server and for other authentication
> purposes (chat authentication)
>
> Passwords registered on my qs13 server get stored in crypted form
> in mysql database. When compared with crypted form of user password
> on a linux machine, there is a mismatch.
>
> basically: linux-crypt NOTEQUAL pair-quickserve-crypt

Joined: Jul 1999
Posts: 118
Enthusiast
I have asked this on and off for months, I have a board that MUST be moved to another server for legal reasons, this is a very serious question!!!!!!!!

Joined: May 1999
Posts: 1,715
Addict
From what I've read at the manual page for crypt on php.net you will have to specify a salt of a specific length depending on which encryption that should be used. I'm not sure which it should be, but changing the following line in ubbt.inc.php to one of the ones below it might help.

Original code
code:

if ((crypt($Password,$pass) != $pass) && (md5($Password) != $pass)) {



If Standard DES was used before:
code:

if ((crypt($Password,substr($pass,0,2)) != $pass) && (md5($Password) != $pass)) {



If Extended DES was used:
code:

if ((crypt($Password,substr($pass,0,9)) != $pass) && (md5($Password) != $pass)) {



I don't believe that MD5 or Blowfish encryption was used before, but if it was, all passwords should start with either "$1$" or "$2$".

Hope this can help you on the way, but I haven't got any experience in this either, but I'll try to help in any way I can.

Joined: Jul 1999
Posts: 118
Enthusiast
If I spend 15 hours on this, maybe I find a solution. But if Scream or another programmer looks at this, they can probably fix this in half an hour.

Though this is not a problem for most people, it still seems to be a bug. It could even be a php implementation bug, that the crypt function is not consistent over operating systems.

Our provider's support thinks there is a problem that it could be either DES or MD5.

There seems to be a problem at password CREATION and password CHANGE time! Even when something else was changed in the profile page that also contains the password, then the password also gets saved again!

How long is the initial salt? I think it is only a length of 2 characters!? And then later at password VERIFICATION time the salt is longer? Is there not something wrong?

It seems that different systems default to different crypt algorithms (MD5, DES) but somehow they can be forced to a certain algorithm. No clue why they would not use the same algorithm, though. I also observed the problem only when creating the password on FreeBSD and then verifying the password on Linux. I am not aware that the problem also arises the other way around, but I might be wrong. Also, it could have something to do with perl vs php versions, but I also believe it occurred in both perl and php.

"You can recognize MD5 passwords because the encrypted string always begins with "$1$"."
The password verification program could, for example, check for "$1$" at the beginning.

Joined: Jul 1999
Posts: 118
Enthusiast
Will different encodings be used, depending on how long a password the user chose?

But if this is so, then the problem would occur always, not just across different operating systems!


Joined: Apr 2002
Posts: 1,768
Addict
To add to the confusion, an MD5 digest, as used by UBB.threads 6.0 with the md5() function, is not the same as using crypt() with MD5 encryption. (I think)

Sorry I can't otherwise help with the problem.
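
Added example, not part of any post in this thread and not UBB.threads code: a small audit script that sorts stored password strings by format, covering both the salt-length advice above (2 characters for Standard DES, 9 for Extended DES, a "$1$" prefix for MD5 crypt) and the md5() versus crypt() distinction in the post just before this. The function names, scheme labels and sample rows are assumptions constructed for illustration; the sample strings are format-valid placeholders, not real hashes.

```python
import re

# crypt(3) encodes salts and hashes with its own 64-character alphabet.
B64 = r"[./0-9A-Za-z]"

# (label, pattern for a complete stored string, length of the part crypt()
#  reads as the salt; None means "compute it from the string").
SCHEMES = [
    ("md5-crypt",    re.compile(r"\$1\$[^$]{1,8}\$" + B64 + r"{22}"), None),
    ("blowfish",     re.compile(r"\$2[abxy]?\$\d\d\$" + B64 + r"{53}"), 29),
    ("extended-des", re.compile(r"_" + B64 + r"{19}"), 9),
    ("standard-des", re.compile(B64 + r"{13}"), 2),
    ("raw-md5-hex",  re.compile(r"[0-9a-f]{32}"), 0),  # md5(), no salt at all
]

def classify(stored):
    """Return (scheme, salt_part) for one stored password string."""
    for name, pattern, salt_len in SCHEMES:
        if pattern.fullmatch(stored):
            if salt_len is None:  # "$1$" + salt + "$": ends at the third "$"
                salt_len = stored.index("$", 3) + 1
            return name, stored[:salt_len]
    return "unknown", ""

def audit(rows, supported):
    """Group users by scheme; list users the target host cannot verify."""
    by_scheme, stranded = {}, []
    for user, stored in rows:
        scheme, _ = classify(stored)
        by_scheme.setdefault(scheme, []).append(user)
        if scheme not in supported:
            stranded.append(user)
    return by_scheme, stranded

# Constructed rows standing in for a dump of (username, password) columns.
SAMPLE_ROWS = [
    ("alice", "abCdEfGhIjKlM"),                       # 13 chars, 2-char salt
    ("bob",   "_J9..saltAbCdEfGhIjK"),                # "_" + 19 chars
    ("carol", "$1$saltsalt$0123456789abcdefghijkl"),  # "$1$" prefix
    ("dave",  "0123456789abcdef0123456789abcdef"),    # 32 hex digits
]

if __name__ == "__main__":
    # Assumed target: a host whose crypt() only handles Standard DES.
    groups, stranded = audit(SAMPLE_ROWS, {"standard-des", "raw-md5-hex"})
    for scheme, users in groups.items():
        print(f"{scheme:13} {len(users)} user(s): {', '.join(users)}")
    print("cannot be verified on target host:", ", ".join(stranded))
```

Running this over the real user table before a move shows which formats are present and which accounts would fail to log in on a host that lacks one of them.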

Joined: May 1999
Posts: 1,715
Addict
Not having a *BSD system installed anywhere it is hard for me to check this out, but from what I could read about it it seems it would be quite easy.

I will be installing FreeBSD on a computer sometime in the near future, but until then I believe that I can't be of any more help.

Joined: Jul 1999
Posts: 118
Enthusiast
Do you know how to control the crypt version with perl? Maybe perl always uses the server's default script?

Any way to set this in perl? (The reason I ask is that I interface various programs in perl that use the user database.)

