NixOS / nixpkgs

ocserv: "error in crypt()" in ocpasswd #333428

Open AtaraxiaSjel opened 2 months ago

AtaraxiaSjel commented 2 months ago

Describe the bug

When attempting to create a .passwd file using the ocpasswd utility from the ocserv package (OpenConnect VPN Server), I encounter the following error:

> ocpasswd -c sample.passwd example
Enter password: 
Re-enter password: 
Error in crypt().

Steps To Reproduce

Steps to reproduce the behavior:

  1. nix shell nixpkgs#ocserv
  2. ocpasswd -c sample.passwd example

Expected behavior

The ocpasswd utility should create the .passwd file without throwing any errors when provided with valid input.

Notify maintainers

@NeverBehave

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

> nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.10.3-lqx1, NixOS, 24.11 (Vicuna), 24.11pre-git`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Lix, like Nix) 2.90.0`
 - nixpkgs: `/etc/nixpkgs`

AtaraxiaSjel commented 2 months ago

For now I am using bcrypt hashing with htpasswd:

> htpasswd -B -c sample.passwd example
New password: 
Re-type new password: 
Adding password for user example

and then add the user group in the .passwd file:

-example:$2y$05$6.wxVQbEkD4C7XzJUc/I8.RVd4PZBOUI8olIFuaGBWG7pa78ylXa6
+example:*:$2y$05$6.wxVQbEkD4C7XzJUc/I8.RVd4PZBOUI8olIFuaGBWG7pa78ylXa6
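
Review bot: the `+` line carries the `$2y$05$` prefix over unchanged, so the stored entry is bcrypt at cost 5, which is htpasswd's default. Regenerating the hash with `htpasswd -B -C <cost>` at a higher cost before inserting the `*` group field would make the entry slower to guess offline if the file leaks.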

Interestingly, if I use SHA-256 hashing with htpasswd, I get:

> htpasswd -2 -c sample.passwd example
New password: 
Re-type new password: 
htpasswd: crypt() failed: Invalid argument

Maybe something isn't right with my system configuration, but I don't know how to trace the problem.
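
The manual step in the workaround above (inserting the group field into an htpasswd-generated entry) can be scripted. This is an added example, not part of the original comment or of ocserv; the `user:group:hash` layout is taken from the diff in the comment, the first sample entry is the one posted there, and the second is constructed.

```python
import re

# crypt(3)-style prefixes that come up in this thread; labels are descriptive only.
SCHEMES = [
    (re.compile(r"^\$2[abxy]\$(\d{2})\$"), "bcrypt"),
    (re.compile(r"^\$1\$"), "md5crypt"),
    (re.compile(r"^\$5\$"), "sha256crypt"),
    (re.compile(r"^\$6\$"), "sha512crypt"),
]

def classify(hash_field):
    """Return (scheme, bcrypt cost or None) for a crypt-style hash string."""
    for pattern, name in SCHEMES:
        m = pattern.match(hash_field)
        if m:
            return name, (int(m.group(1)) if m.groups() else None)
    return "unknown", None  # e.g. htpasswd's default $apr1$ format

def to_ocserv_line(line, group="*"):
    """Turn 'user:hash' into 'user:group:hash'; keep 3-field entries as they are."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == 3:
        return ":".join(fields)
    if len(fields) != 2 or not all(fields):
        raise ValueError(f"unexpected entry: {line!r}")
    return f"{fields[0]}:{group}:{fields[1]}"

def convert(text, group="*"):
    """Convert every non-empty line; also report (user, scheme, cost) per entry."""
    out, report = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        converted = to_ocserv_line(line, group)
        user, _, hash_field = converted.split(":")
        out.append(converted)
        report.append((user, *classify(hash_field)))
    return "\n".join(out) + "\n", report

SAMPLE = (
    "example:$2y$05$6.wxVQbEkD4C7XzJUc/I8.RVd4PZBOUI8olIFuaGBWG7pa78ylXa6\n"
    "alice:*:$6$constructedsalt$constructedhash\n"  # constructed, already converted
)

if __name__ == "__main__":
    text, report = convert(SAMPLE)
    print(text, report)
```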

NeverBehave commented 2 months ago

I can reproduce this, and did a quick investigation. Since the error message reports crypt, the strace log (strace -f -t -e trace=file ocpasswd -c sample.passwd example) shows the related file access:

Source Code of ocserv error: https://gitlab.com/openconnect/ocserv/-/blob/master/src/ocpasswd/ocpasswd.c#L90

21:30:32 openat(AT_FDCWD, "/nix/store/1wr8mikf74g6an6vr1z6qvn78dr9dvr9-gnutls-3.8.6/lib/libgnutls.so.30", O_RDONLY|O_CLOEXEC) = 3
21:30:32 openat(AT_FDCWD, "glibc-hwcaps/x86-64-v4/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "glibc-hwcaps/x86-64-v3/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "glibc-hwcaps/x86-64-v2/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "/nix/store/1wr8mikf74g6an6vr1z6qvn78dr9dvr9-gnutls-3.8.6/lib/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "/nix/store/x4fcfybybnq78sm8n1fw6jddyfkvc4kg-nettle-3.10/lib/glibc-hwcaps/x86-64-v4/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 newfstatat(AT_FDCWD, "/nix/store/x4fcfybybnq78sm8n1fw6jddyfkvc4kg-nettle-3.10/lib/glibc-hwcaps/x86-64-v4/", 0x7ffe48958b00, 0) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "/nix/store/x4fcfybybnq78sm8n1fw6jddyfkvc4kg-nettle-3.10/lib/glibc-hwcaps/x86-64-v3/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 newfstatat(AT_FDCWD, "/nix/store/x4fcfybybnq78sm8n1fw6jddyfkvc4kg-nettle-3.10/lib/glibc-hwcaps/x86-64-v3/", 0x7ffe48958b00, 0) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "/nix/store/x4fcfybybnq78sm8n1fw6jddyfkvc4kg-nettle-3.10/lib/glibc-hwcaps/x86-64-v2/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 newfstatat(AT_FDCWD, "/nix/store/x4fcfybybnq78sm8n1fw6jddyfkvc4kg-nettle-3.10/lib/glibc-hwcaps/x86-64-v2/", 0x7ffe48958b00, 0) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "/nix/store/x4fcfybybnq78sm8n1fw6jddyfkvc4kg-nettle-3.10/lib/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 newfstatat(AT_FDCWD, "/nix/store/x4fcfybybnq78sm8n1fw6jddyfkvc4kg-nettle-3.10/lib/", {st_mode=S_IFDIR|0555, st_size=4096, ...}, 0) = 0
21:30:32 openat(AT_FDCWD, "/nix/store/f63r6sdyy30wm0pv57zn19riib7xa3zj-libxcrypt-4.4.36/lib/glibc-hwcaps/x86-64-v4/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 newfstatat(AT_FDCWD, "/nix/store/f63r6sdyy30wm0pv57zn19riib7xa3zj-libxcrypt-4.4.36/lib/glibc-hwcaps/x86-64-v4/", 0x7ffe48958b00, 0) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "/nix/store/f63r6sdyy30wm0pv57zn19riib7xa3zj-libxcrypt-4.4.36/lib/glibc-hwcaps/x86-64-v3/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 newfstatat(AT_FDCWD, "/nix/store/f63r6sdyy30wm0pv57zn19riib7xa3zj-libxcrypt-4.4.36/lib/glibc-hwcaps/x86-64-v3/", 0x7ffe48958b00, 0) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "/nix/store/f63r6sdyy30wm0pv57zn19riib7xa3zj-libxcrypt-4.4.36/lib/glibc-hwcaps/x86-64-v2/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 newfstatat(AT_FDCWD, "/nix/store/f63r6sdyy30wm0pv57zn19riib7xa3zj-libxcrypt-4.4.36/lib/glibc-hwcaps/x86-64-v2/", 0x7ffe48958b00, 0) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "/nix/store/f63r6sdyy30wm0pv57zn19riib7xa3zj-libxcrypt-4.4.36/lib/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = 3

htaccess

21:29:38 openat(AT_FDCWD, "glibc-hwcaps/x86-64-v4/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:29:38 openat(AT_FDCWD, "glibc-hwcaps/x86-64-v3/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:29:38 openat(AT_FDCWD, "glibc-hwcaps/x86-64-v2/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:29:38 openat(AT_FDCWD, "libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:29:38 openat(AT_FDCWD, "/nix/store/p33l0xw7sgarkngk4q41facqmvpzp021-apr-util-1.6.3/lib/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:29:38 openat(AT_FDCWD, "/nix/store/b1afc9wlkpgwz23s9a3mf4iqmgpwghg7-db-5.3.28/lib/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:29:38 openat(AT_FDCWD, "/nix/store/imfgi4alsdsqx0p7v6x446y7732dmy0m-expat-2.6.2/lib/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:29:38 openat(AT_FDCWD, "/nix/store/90pmd54y331cwb1pc941gvd1g7jwyjbh-apr-1.7.4/lib/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:29:38 openat(AT_FDCWD, "/nix/store/f63r6sdyy30wm0pv57zn19riib7xa3zj-libxcrypt-4.4.36/lib/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = 3

Might be some upstream issue, but I didn't look into it too much.
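
One way to read the two traces above, as an added example that is not part of the original comment: for a given soname, the long run of ENOENT results is the dynamic loader walking its search path, and the line that matters is the first successful open. The sample traces are a few lines copied from the logs above; the function names are hypothetical.

```python
import posixpath
import re

OPENAT = re.compile(
    r'openat\(AT_FDCWD, "(?P<path>[^"]+)", [^)]*\)\s+=\s+(?P<ret>-?\d+)'
    r'(?:\s+(?P<err>[A-Z]+))?'
)

def resolve_library(trace, soname):
    """Return (first path opened successfully or None, [(missed path, errno name)])."""
    resolved, misses = None, []
    for line in trace.splitlines():
        m = OPENAT.search(line)
        if not m or posixpath.basename(m.group("path")) != soname:
            continue
        if int(m.group("ret")) >= 0:
            resolved = resolved or m.group("path")
        else:
            misses.append((m.group("path"), m.group("err")))
    return resolved, misses

def unexpected_misses(misses):
    """ENOENT is an ordinary search-path miss; any other errno deserves a look."""
    return [(path, err) for path, err in misses if err != "ENOENT"]

# A few lines copied from the ocpasswd trace above.
OCPASSWD_TRACE = '''\
21:30:32 openat(AT_FDCWD, "/nix/store/1wr8mikf74g6an6vr1z6qvn78dr9dvr9-gnutls-3.8.6/lib/libgnutls.so.30", O_RDONLY|O_CLOEXEC) = 3
21:30:32 openat(AT_FDCWD, "libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "/nix/store/x4fcfybybnq78sm8n1fw6jddyfkvc4kg-nettle-3.10/lib/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:30:32 openat(AT_FDCWD, "/nix/store/f63r6sdyy30wm0pv57zn19riib7xa3zj-libxcrypt-4.4.36/lib/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = 3
'''

# A few lines copied from the second trace above.
HTPASSWD_TRACE = '''\
21:29:38 openat(AT_FDCWD, "libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:29:38 openat(AT_FDCWD, "/nix/store/90pmd54y331cwb1pc941gvd1g7jwyjbh-apr-1.7.4/lib/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
21:29:38 openat(AT_FDCWD, "/nix/store/f63r6sdyy30wm0pv57zn19riib7xa3zj-libxcrypt-4.4.36/lib/libcrypt.so.2", O_RDONLY|O_CLOEXEC) = 3
'''

if __name__ == "__main__":
    for name, trace in (("ocpasswd", OCPASSWD_TRACE), ("htpasswd", HTPASSWD_TRACE)):
        path, misses = resolve_library(trace, "libcrypt.so.2")
        print(name, "->", path, "| non-ENOENT misses:", unexpected_misses(misses))
```

Both traces resolve `libcrypt.so.2` to the same libxcrypt-4.4.36 store path with only ENOENT misses, so the library is found and loaded in both cases.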

tywtyw2002 commented 1 month ago

I had the same issue with nix@cfd6b5fc90b15709b780a5a1619695a88505a176.

ocpasswd and ocserv are unable to use the file password as an auth method. ocserv will fail when authenticating with a password due to this error.

The actual error code for crypt() is 22 (EINVAL).

tywtyw2002 commented 1 month ago

I did some tests yesterday; it seems like a libxcrypt issue. The $1$, $2$ and $5$ methods are broken.

ocpasswd only uses 1, 2, 5 to do the encryption.

The nixpkgs mkpasswd (https://search.nixos.org/packages?channel=24.05&from=0&size=50&sort=relevance&type=packages&query=mkpasswd) uses libxcrypt and also reports an error for the md5 and sha256crypt methods.

Same as python3.12.

$ /nix/store/pgb120fb7srbh418v4i2a70aq1w9dawd-python3-3.12.5/bin/python3
Python 3.12.5 (main, Aug  6 2024, 19:08:49) [GCC 13.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import crypt
<stdin>:1: DeprecationWarning: 'crypt' is deprecated and slated for removal in Python 3.13
>>> crypt.crypt("123", "$5$bA0bApbTjvIgCg7P")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/nix/store/pgb120fb7srbh418v4i2a70aq1w9dawd-python3-3.12.5/lib/python3.12/crypt.py", line 86, in crypt
    return _crypt.crypt(word, salt)
           ^^^^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 22] Invalid argument
>>> crypt.crypt("123", "$2$bA0bApbTjvIgCg7P")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/nix/store/pgb120fb7srbh418v4i2a70aq1w9dawd-python3-3.12.5/lib/python3.12/crypt.py", line 86, in crypt
    return _crypt.crypt(word, salt)
           ^^^^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 22] Invalid argument
>>> crypt.crypt("123", "$1$bA0bApbTjvIgCg7P")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/nix/store/pgb120fb7srbh418v4i2a70aq1w9dawd-python3-3.12.5/lib/python3.12/crypt.py", line 86, in crypt
    return _crypt.crypt(word, salt)
           ^^^^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 22] Invalid argument
>>> crypt.crypt("123", "$6$bA0bApbTjvIgCg7P")
'$6$bA0bApbTjvIgCg7P$N8dfSKlWheTTtrN/F/3ugNnJCvyMNkQ/vpCSSp8YmNaA32xTY6p7CAidgaPnOfXZV.Reox6mhModMV9qvieR8.'
>>>

# nix-store --query --referrers /nix/store/318mmrb90gssqssn14mckr66akdwbfyz-libxcrypt-4.4.36
/nix/store/318mmrb90gssqssn14mckr66akdwbfyz-libxcrypt-4.4.36
/nix/store/s5kf20wyv8csr0vj8aj0m2hhr20f0rs7-cyrus-sasl-2.1.28
/nix/store/0zk7nwh40ndhmbzky9lcc0fs7a3hfn1w-openldap-2.6.8
/nix/store/pvvl9vw8rvnjgn8w1mbc8jh7yxrk4a20-linux-pam-1.6.1
/nix/store/cbwpiv6bxw80s06jrz76hq4paypb5jjb-tcb-1.2
/nix/store/52aqpaam41zwyjf799dqgipim4vk89qq-shadow-4.16.0
/nix/store/1garri5ldb9h4c48lachaw8yal9sjks4-shadow-4.16.0-su
/nix/store/2fz57idijyzir2pxm1rhncpic4p13drx-guile-3.0.10
/nix/store/606lz6hylh49mz0av2qvxzc2ap64j1k4-ocserv-1.3.0
/nix/store/yw4mx15ph38cfs5r0gwkgbhbpkb12by7-util-linux-minimal-2.39.4-login
/nix/store/b11is5q9wgl4jjqs43x9qi22kljvpydj-systemd-256.4
/nix/store/g4b1gjgjm838pbjahdmhp65ly9zmijsg-util-linux-2.39.4-login
/nix/store/mhw4xvn26znfsjbhl3vkh2j93cf5zxai-guile-3.0.10-dev
/nix/store/pgb120fb7srbh418v4i2a70aq1w9dawd-python3-3.12.5
/nix/store/q4nx5l51ps5jdchzilccc6997mnhli5m-pam_ssh_agent_auth-0.10.4
/nix/store/vxsylb3b27z4l4mwjhpaznjcsbwxsfwi-perl-5.38.2
/nix/store/ypji0gz47f97x64d92amdlb2bgz1qdm7-mkpasswd-5.5.23
/nix/store/z4lwfch32dg556qrm87dqka5i3b3swr4-systemd-minimal-256.4
/nix/store/zrrw06xpd4wa7vkh31pc203ska5qp2m4-ocserv-1.3.0