[syslinux] MENU / SHA1 passwords not working.

Jeffrey Hutzelman jhutz at cmu.edu
Mon Jan 14 15:17:25 PST 2008


--On Wednesday, January 09, 2008 03:20:02 PM +0000 Simon Daniels 
<S.Daniels at uel.ac.uk> wrote:

> However if I hash a password using the sha1pass script the resulting
> hashes don't work.

As of syslinux-3.53 (the latest I have lying around), the code in 
com32/modules/menumain.c for checking sha1 passwords has a bug which causes 
checking of salted passwords to fail.  Specifically, it tries to fold the 
salt into the hash before initing the hash context.  I have attached a 
patch (untested) which should fix this problem.

> I notice I get a different hash every time when using the same arg. Is
> this correct?

That's correct.  The string between the second and third $ characters is a 
"salt", which is a chunk of random data included in the hash to make it 
more difficult to determine the password by keeping a dictionary of 
passwords and the strings they hash to.  To get the same string back, you 
can give the hash as an additional argument to sha1pass:

./sha1pass 1234567890 9qj4qv8g

> I can't get the MD5pass script to run as it's missing a lib but running
> cpan install Digest::MD5 reports that my MD5 is up to date?

Is there a question here?  We can't help you get md5pass working if you 
don't tell us what error messages you got.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Carnegie Mellon University - Pittsburgh, PA


-------------- next part --------------
--- com32/modules/menumain.c	2007-11-18 01:55:01.000000000 -0500
+++ com32/modules/menumain.c.FIXED	2008-01-14 18:15:23.000000000 -0500
@@ -295,6 +295,8 @@
   SHA1_CTX ctx;
   unsigned char sha1[20], pwdsha1[20];
 
+  SHA1Init(&ctx);
+
   if ( (p = strchr(passwd+3, '$')) ) {
     SHA1Update(&ctx, (void *)passwd+3, p-(passwd+3));
     p++;
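Review bot: The new SHA1Init(&ctx) sits at the top of the function with no comment explaining why it must come before the salt branch, and the ordering is the whole fix: the SHA1Update call inside the if block feeds the salt into ctx, so ctx has to be initialised first. A one-line comment above the call (for example "must precede the salt update below") would help keep a later cleanup from moving it back down. Separately, in the context line `SHA1Update(&ctx, (void *)passwd+3, p-(passwd+3));` the cast binds tighter than the addition, so the +3 is arithmetic on a void pointer, which is a GCC extension. Writing it as `(void *)(passwd+3)` would be portable and would match the `passwd+3` used in the length expression.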
@@ -302,8 +304,6 @@
     p = passwd+3;		/* Assume no salt */
   }
 
-  SHA1Init(&ctx);
-
   SHA1Update(&ctx, (void *)entry, strlen(entry));
   SHA1Final(sha1, &ctx);
 
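Review bot: Removing SHA1Init(&ctx) from just before `SHA1Update(&ctx, (void *)entry, strlen(entry));` means the no-salt path (the else branch that sets `p = passwd+3`) now depends entirely on the initialisation hoisted to the top of the function. That reads as correct from the visible lines, but the patch is posted as untested, so both cases should be exercised before it is applied: one hash with a salt between the second and third $ and one without. With the init in its new place the digest covers the salt bytes followed by the typed entry, in that order, and a short comment here saying so would document what the stored hash is expected to contain.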