Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG  Not logged in ELOG logo
 Back  |  Find  |  Login  |  Help 
icon5.gif   Problem with CRYPT+SSL and elog command line entries, posted by Aaron Couture on Wed Jan 6 22:17:49 2010 
    icon2.gif   Re: Problem with CRYPT+SSL and elog command line entries, posted by Aaron Couture on Thu Jan 7 21:22:09 2010 elogc.patch
       icon2.gif   Re: Problem with CRYPT+SSL and elog command line entries, posted by Aaron Couture on Fri Jan 8 18:26:56 2010 elogc.patch
          icon2.gif   Re: Problem with CRYPT+SSL and elog command line entries, posted by Stefan Ritt on Tue Jan 12 12:31:20 2010 
Message ID: 66663     Entry time: Fri Jan 8 18:26:56 2010     In reply to: 66661     Reply to this: 66671
Icon: Reply  Author: Aaron Couture  Author Email: acouture@lanl.gov 
Category: Bug report  OS: Linux  ELOG Version: rev2280 
Subject: Re: Problem with CRYPT+SSL and elog command line entries 

Aaron Couture wrote:

I Aaron Couture wrote:

There was some sloppiness in the original patch--__USE_XOPEN wasn't defined, but worked when elog wasn't compiled alone.  Now the appropriate ifndef/define statements are in elog.c

 

I have attached a possible patch--basically pirated from elogd.c  Because strlcpy needed for the crypt cares about size, do_crypt needed the size, which had not been a concern for base64_encode in elog.c   As a result, base64_encode changed slightly as well.  I think the implementation places a limit of 32 characters on passwords, which seemed to already be the limit in elogd.c  The elog.c limit appeared to be 80 characters.  I tested both SSL and SSL+CRYPT for commandline elog entries with both a logbook specific write password as well as username/password combo in a password file.

 

AJC

 

 

I am in the process of setting up a new ELOG logbook.  I checked out rev2280 from svn.savannah.psi.ch.  I knew I wanted to encrypt passwords, so when I compiled, I used flags

 

USE_SSL=1

and

USE_CRYPT=1

 

I am running Red Hat enterprise linux 3, glibc-devel-2.3.2-95.50, openssl-devel-0.9.7a-33.25

Everything seemed to be working fine--I was able to set up logbooks using both a password file as well as write passwords and make entries to the logs.  Then I tried to use the command line 'elog' to make an entry which failed to both logbooks.

 

/opt/elog/pro/elogd -c /opt/elog/pro/dansce_fancy.cfg -l Demo1 -w <mypassword>

Would change the password in dansce_fancy.cfg and I could make entries through the web interface, but

 

elog -h acouture -s -p 8081 -w <mypassword> -l Demo1 -a Author="Aaron Couture" -a Type=Routine  -m Sampleinfo.txt -x -n 1

failed with

Error: Invalid user name or password

I got the same behaviour when I used a logbook with a user/password pair defined in a password file.

 

When I looked at the output from running elogd with the -v flag, I could see that everything was being received on the server side, but that the password did not agree with the write password in dansce_fancy.cfg

I then recompiled elog with

USE_SSL=1

USE_CRYPT=

And then the elog command line entries worked, both with write passwords and a password file (after recreating the password file and the write password).  Looking at the elog.c source code, it appears that it does not know to use crypt rather then base64_encode when USE_CRYPT is true.  elogd.c defined different behaviour if USE_CRYPT is defined.

 

Thanks,

 

Aaron Couture

 

 

 

 

Attachment 1: elogc.patch  1 kB  | Show | Show all
ELOG V3.1.5-fe60aaf