samba-bugs@samba.org
2005-Apr-09 17:41 UTC
[Bug 2583] rsync fails with "authentication failure"
https://bugzilla.samba.org/show_bug.cgi?id=2583
wayned@samba.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
------- Additional Comments From wayned@samba.org 2005-04-09 10:38 -------
My first thought was that perhaps the combined length of the password and the
challenge string might be 64 characters, which is an MD4 length that used to
have a problem in older rsync versions. However, since the password exchange
happens after we've negotiated a protocol_version, this should always be
handled
in a compatible manner.
Here's what I would recommend: edit the code in authenticate.c to add some
fprintf(stderr, ...) calls to the auth_server() function that will mention what
data is being received and compared. If you output the "line" read
from the
client after the read_line() call (it needs a newline):
fprintf(stderr, "%s\n", line);
That will contain the username, a space, and the MD4 hash of the challenge
string combined with the password from the client.
Then, output the pass2 variable after the generate_hash() call:
fprintf(stderr, "%s\n", pass2);
That value should match the MD4 hash from the "line" output.
You'll need to
stop the daemon and run the freshly-compiled debug version using --no-detach to
see the messages on stderr:
./rsync --daemon --no-detach
That should help you to figure out where the failure is occurring in the
authorization code. You can feel free to email me with what you discover (or
summarize to this bug-report -- whatever you prefer).
--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
samba-bugs@samba.org
2005-Apr-09 18:01 UTC
[Bug 2583] rsync fails with "authentication failure"
https://bugzilla.samba.org/show_bug.cgi?id=2583
hpa@zytor.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |INVALID
------- Additional Comments From hpa@zytor.com 2005-04-09 10:50 -------
I'm embarrassed to say this turns out to be due to user error. In
particular, I
had a typo in the *username* -- not in the password -- in one of several places
in the script. Perhaps it might be a sensible idea to add the (failed) username
into the error/log message for authentication failures.
--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
samba-bugs@samba.org
2005-Apr-09 18:21 UTC
[Bug 2583] rsync fails with "authentication failure"
https://bugzilla.samba.org/show_bug.cgi?id=2583
wayned@samba.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
------- Additional Comments From wayned@samba.org 2005-04-09 11:19 -------
Serendipitously, you'll be glad to know that I just finished checking in
some
changes to the authorization code that makes it log the reason for why the
authorization failed (e.g. unauthorized user, missing secret for user, password
mismatch).
--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
Quoting the comment from the bugtracker;> ------- Additional Comments From wayned@samba.org 2005-04-09 11:19 ------- > Serendipitously, you'll be glad to know that I just finished checking in some > changes to the authorization code that makes it log the reason for why the > authorization failed (e.g. unauthorized user, missing secret for user, password > mismatch).Is that really a good idea? At least, please make that optional, as I'm not too keen on revealing to a potential attacker if certain usernames are valid or not. (Or will this be logged on the server side only? If so, I'm all for it. :) Vidar