tag 649463 + patch
thanks

On Sun, 20 Nov 2011 23:08:08 -0800, Ian Zimmerman wrote:

> # pamrsakp itz matica /var/lib/pam-rsa/ /mnt/auto/sandisk/ sha1 yes
> and the output contained this:
> writing new private key to '/mnt/auto/sandisk/(stdin)=/(stdin)=.pem.plain'
 
> Looking at the script, it tries to compute the hash like this:
> HOSTHASH=`echo -n ${TARGETHOST} | ${O} dgst -sha1 | cut -b -8`
> just what is ${0} supposed to expand to here??

O=${OPENSSL-openssl}

Which probably should be
O=${OPENSSL:-openssl}
(same for CF in the next line)

But still, where does the "(stdin)=" come from?

Ah:

Sid:
% echo -n user | openssl dgst -sha1
(stdin)= 12dea96fec20593566ab75692c9949596833adc9

Squeeze:
$ echo -n user | openssl dgst -sha1
12dea96fec20593566ab75692c9949596833adc9

So we can either play with the output; or maybe use perl's shasum:

Sid:
% echo -n user | shasum -a 1 -t
12dea96fec20593566ab75692c9949596833adc9  -

Squeeze:
$ echo -n user | shasum -a 1 -t
12dea96fec20593566ab75692c9949596833adc9  -


Ok, here's a patch, I'm waiting a bit with an NMU to give others the
chance to comment and test.


Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Police: Message In A Bottle
diff -u libpam-rsa-0.8-9/debian/changelog libpam-rsa-0.8-9/debian/changelog
--- libpam-rsa-0.8-9/debian/changelog
+++ libpam-rsa-0.8-9/debian/changelog
@@ -1,3 +1,12 @@
+libpam-rsa (0.8-9-2.3) UNRELEASED; urgency=low
+
+  * Non-maintainer upload.
+  * Fix "code to hash hostname and username is broken": openssl output has
+    changed, use shasum in the pamrsakp script.
+    (Closes: #649463)
+
+ -- gregor herrmann <gre...@debian.org>  Sun, 04 Mar 2012 17:57:39 +0100
+
 libpam-rsa (0.8-9-2.2) unstable; urgency=low
 
   * Non-maintainer upload.
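Review bot: The new changelog entry records only the switch to shasum, while the same upload also changes `O=${OPENSSL-openssl}` and the CF line in script/pamrsakp to the `:-` form. Suggest adding a bullet for that change. Also, nothing in this diff touches debian/control although the script now calls shasum, so it is worth confirming that the package shipping shasum is already a dependency.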
only in patch2:
unchanged:
--- libpam-rsa-0.8-9.orig/script/pamrsakp
+++ libpam-rsa-0.8-9/script/pamrsakp
@@ -23,8 +23,8 @@
 # (c) 2006 Vesa-Matti Kari <hyperll...@laamanaama.helsinki.fi>
 #
 
-O=${OPENSSL-openssl}
-CF=${PAMRSAKPCNF-/etc/security/pamrsakp.cnf}
+O=${OPENSSL:-openssl}
+CF=${PAMRSAKPCNF:-/etc/security/pamrsakp.cnf}
 
 
 if [ $# -ne 6 ]; then
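Review bot: The switch to `:-` on the O and CF lines changes behaviour for callers who export OPENSSL or PAMRSAKPCNF as an empty string: they now get the defaults instead of an empty command or path. That looks intended, but it is independent of the hash fix and undocumented in the script. A one-line comment above the two assignments naming the override variables would make the contract explicit.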
@@ -46,7 +46,7 @@
 
 
 if [ x${HASHTYPE} = "xsha1" ]; then
-	PRIVKEY=`echo -n ${USER} | ${O} dgst -sha1 | cut -b -8`.pem
+	PRIVKEY=`echo -n ${USER} | shasum -a 1 -t | cut -b -8`.pem
 elif [ x${HASHTYPE} = "xnone" ]; then
 	PRIVKEY=${USER}.pem
 else 
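Review bot: On the new PRIVKEY line, `${USER}` is still expanded unquoted into `echo -n`, so a value containing whitespace or glob characters is not hashed as passed, and `echo -n` is not handled the same way by every shell. Since the line is being rewritten anyway, suggest `printf '%s' "${USER}" | shasum -a 1 | cut -b -8` so the hashed bytes are exactly the argument.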
@@ -60,7 +60,7 @@
 fi
 
 
-HOSTHASH=`echo -n ${TARGETHOST} | ${O} dgst -sha1 | cut -b -8`
+HOSTHASH=`echo -n ${TARGETHOST} | shasum -a 1 -t | cut -b -8`
 
 
 # Create the public and private key directories if they do not exist
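Review bot: The result of the HOSTHASH pipeline is used without any check. The exit status of the backtick pipeline is that of `cut`, so if shasum is missing or fails, HOSTHASH is empty and the directories created just below are built from an empty component. The original report was a path built from unexpected tool output, so suggest verifying that HOSTHASH (and the PRIVKEY prefix in the previous hunk) is exactly 8 hex digits and aborting otherwise.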

Attachment: signature.asc
Description: Digital signature
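
The output-format drift described in this message can be handled by parsing and validating the digest rather than cutting raw bytes. The following is an added example, not part of pamrsakp or the patch; `hex_prefix`, `sha1_prefix` and `demo` are hypothetical names, and the sample line is the sid output quoted above.

```shell
#!/bin/sh
# Added example; not part of pamrsakp. Function names are hypothetical.

# hex_prefix: read one line of digest-tool output on stdin and print the
# first 8 hex digits of a SHA-1 digest. Accepted layouts:
#   "<hex>"             openssl dgst as shown for squeeze
#   "(stdin)= <hex>"    openssl dgst as shown for sid
#   "<hex>  -"          shasum
# Anything without a 40-digit lowercase hex digest yields status 1, no output.
hex_prefix() {
    IFS= read -r line || [ -n "$line" ] || return 1
    line=${line##*= }      # strip a leading "(stdin)= " style label
    line=${line%% *}       # strip a trailing "  -" file-name field
    [ "${#line}" -eq 40 ] || return 1
    case $line in
        *[!0-9a-f]*) return 1 ;;
    esac
    printf '%s\n' "$line" | cut -b -8
}

# sha1_prefix: hash "$1" with whichever tool is installed, then validate.
sha1_prefix() {
    if command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 1 | hex_prefix
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s' "$1" | openssl dgst -sha1 | hex_prefix
    else
        return 1
    fi
}

# Constructed demo input: the sid-style line quoted in the message.
demo() {
    printf '%s\n' '(stdin)= 12dea96fec20593566ab75692c9949596833adc9' | hex_prefix
}

demo
```

A caller would abort key generation when `sha1_prefix` returns non-zero instead of building a path from whatever the tool printed.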
