Pound symbol as part of password not being accepted

Scranton,Richard scrantor at oclc.org
Thu Apr 10 12:26:11 EDT 2014


Perhaps you are seeing an artifact of how some OS's encrypt and store passwords?

FreeBSD and Cisco IOS at least, and many "traditional" Unix variants store passwords
using a $ as a field delimiter for the various parts of the hash field in /etc/passwd.

Consider the example used by www.question-defense.com in their nice write-up:

	$1$c7We$oWwyT8o77NKC.4FfDlDNV0

$1$ indicates use of the default hash algorithm, in this case MD5.
$c7We$ is the base64-encoded hash salt  (IOS uses 4 bytes, FreeBSD uses 8)
$oWwyT8o77NKC.4FfDlDNV0 is the base64-encoded MD5 hash of salt+password

It seems like an unlikely bug, but there have been other, weirder ones.  The usual
login handler has been replaced in the XML fragment earlier in the thread.

Richard Scranton
Consulting Systems Engineer
OCLC, Inc.


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of John Baker
Sent: Wednesday, April 09, 2014 9:52 AM
To: 'Shib Users'
Subject: RE: Pound symbol as part of password not being accepted

Hi

We had a similar problem with authentication, not Shibboleth, which was found to be caused
by our WiFi network not accepting the £ or $ symbols in passwords for passing on for authentication.

John Baker
ICT Operations Manager
Tel: 01472 875000     Ext: 722     Fax: 01472 875019



-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Morris, Andi
Sent: 09 April 2014 13:47
To: 'Shib Users'
Subject: RE: Pound symbol as part of password not being accepted

To bump an old thread, I'm still getting this issue.

I've added "AddDefaultCharset utf-8" to the bottom of my httpd.conf file in Apache 2.2.17, and also "URIEncoding="UTF-8"" into the 8080 and 8443 connectors in Tomcat 6.0's server.xml.

The server was restarted after the changes were made, however the problem is not resolved.

I have found https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass which suggests that I can accept these characters by adding the following to my login.jsp and rebuilding the package:
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" >

However, I'm not sure whether this will apply to me, as my username/password login handler in handler.xml is commented out, in favour of ph:RemoteUser and ph:PreviousSession 

    <!-- Login Handlers -->
    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>
    <!--  Username/password login handler -->
    <!-- 
    <ph:LoginHandler xsi:type="ph:UsernamePassword" 
                  jaasConfigurationLocation="file://C:\Program Files (x86)\shibboleth-idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>
    -->
    <!-- 
        Removal of this login handler will disable SSO support, that is it will require the user to authenticate 
        on every request.
    -->
    <ph:LoginHandler xsi:type="ph:PreviousSession">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
    </ph:LoginHandler>

Does anyone think that adding this line in to the login.jsp and rebuilding will actually help me get rid of this issue?

Cheers,
Andi

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: 26 September 2013 14:53
To: Shib Users
Subject: Re: Pound symbol as part of password not being accepted

On 9/26/13 8:48 AM, "Morris, Andi" <amorris at cardiffmet.ac.uk> wrote:

>We've just come across an odd problem here where a user could log into 
>all our remote resources apart from the shibboleth authenticated ones.
>Upon investigation I could see in the Apache ssl_443_error_log file 
>that the user was being denied access with an "unknown user name or 
>bad password" error. I could see that the username being typed was 
>correct from the same log file, and just on a hunch I decided to change 
>the password of the user from something that contained the £ symbol to 
>something that didn't, and suddenly access was granted.
> 
>Does anybody know the reason for this, and how I can resolve it?

Not really, but seems like some kind of encoding issue between the browser and the web server most likely.
You'd have to make sure everything is in sync on that, including IIRC some settings on the Tomcat connector
to control how it handles data coming in.

-- Scott
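
The browser-to-server encoding mismatch suggested above, as an added example that is not part of the original thread: it shows what a server recovers from a percent-encoded form password when client and server disagree on UTF-8 versus ISO-8859-1. The sample passwords and the function names are constructed for illustration, and a form POST is assumed as the transport.

```python
# Added illustration, not code from the thread. Passwords are constructed samples.
from urllib.parse import quote_from_bytes, unquote_to_bytes

CHARSETS = ("utf-8", "iso-8859-1")  # the two charsets mentioned in the thread


def form_encode(password, client_charset):
    """Percent-encode a password as a browser submitting a form in client_charset would."""
    return quote_from_bytes(password.encode(client_charset), safe="")


def form_decode(wire_value, server_charset):
    """Decode the wire value as a server configured for server_charset would."""
    # errors="replace" mirrors lenient decoders: invalid bytes become U+FFFD.
    return unquote_to_bytes(wire_value).decode(server_charset, errors="replace")


def broken_pairings(password):
    """Return the (client, server) charset pairs where the server sees a different password."""
    broken = []
    for client in CHARSETS:
        for server in CHARSETS:
            seen = form_decode(form_encode(password, client), server)
            if seen != password:
                broken.append((client, server))
    return broken


def report(password):
    """Build one diagnostic line per charset pairing: wire form, decoded form, verdict."""
    lines = []
    for client in CHARSETS:
        wire = form_encode(password, client)
        for server in CHARSETS:
            seen = form_decode(wire, server)
            verdict = "match" if seen == password else "MISMATCH"
            lines.append(f"{client:>10} -> {server:<10} wire={wire} seen={seen!r} {verdict}")
    return lines


if __name__ == "__main__":
    # "\u00a3" is the pound sign; "$" is plain ASCII and encodes identically in both charsets.
    for sample in ("Secret\u00a31", "Secret$1"):
        print(f"password {sample!r}")
        print("\n".join(report(sample)))
```

A password containing only ASCII characters survives every pairing, which is why changing the password to one without £ makes the symptom disappear without fixing the configuration.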
