Re: [Cvs-dev] cvs-passwd patch: weird problem

[Larry Jones]

Prasad J Pandit writes:
> 
>    Oh Larry, you are a god man, seriously you are a god. How did you find 
> it?

By looking at the code and paying attention, something any good
programmer should be able to do -- no divinity required.

> > And you're using crypt() in a non-portable fashion (standard crypt does 
> > not support MD5).
> 
>    Any other *better* option ?

I don't know, this is probably the trickiest part of what you're trying
to do.  The problem is that different systems encrypt passwords
differently.  Checking a password can be done portably, but creating one
in the appropriate format for the system cannot -- you have to know what
encoding method to use and how to provide the appropriate salt for each
encoding method, both of which are system dependent.  If you're trying
to do the encoding at the client (I haven't looked at your code enough
to know whether you are or not), you have the additional complication of
having to find out from the server what encoding method to use; plus,
there's no guarantee that the client's version of crypt() even supports
the server's desired encoding method.  The simplest solution I can think
of is to always generate passwords in the original (DES) crypt() format
where salt is just two characters, but I'm not sure how acceptable that
would be and whether DES is universal now or if its availability is
still limited.

-Larry Jones

In a minute, you and I are going to settle this out of doors. -- Calvin