From owner-freebsd-questions Sun Jul 9 0:33:37 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from finland.ispro.net.tr (finland.ispro.net.tr [212.174.120.1]) by hub.freebsd.org (Postfix) with ESMTP id EC1C837C14C for ; Sun, 9 Jul 2000 00:33:30 -0700 (PDT) (envelope-from yurtesen@ispro.net.tr)
Received: from localhost (yurtesen@localhost) by finland.ispro.net.tr (8.9.3/8.9.3) with ESMTP id KAA57500; Sun, 9 Jul 2000 10:33:23 +0300 (EEST) (envelope-from yurtesen@ispro.net.tr)
Date: Sun, 9 Jul 2000 10:33:23 +0300 (EEST)
From: Evren Yurtesen
To: cjclark@alum.mit.edu
Cc: freebsd-questions@FreeBSD.ORG, cjc@dialin-client.earthlink.net
Subject: Re:(2) DES 2 MD5
In-Reply-To: <20000708225519.A185@dialin-client.earthlink.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Well, I already made a change to passwd and perl so that the newly generated passwords will have MD5! It was an easy hack with some minor problems =)

I have DES installed on my system so it can understand MD5 and DES. I also saw the /usr/lib/libscrypt.a library, which was supposed to be used for the MD5 crypt mechanism only. So I linked passwd with /usr/lib/libscrypt.a at compile time. Now every time I change a user's password, the new password comes with MD5 regardless of whether the old password is DES.

The minor problem is that if a user wants to change his/her password, the password program doesn't work, because it asks for the old password first and the MD5 library can't understand DES, so it just denies changing the password. I guess the same problem would happen with perl, but fortunately we don't have any scripts which check the password =)

I did the same in perl and linked perl to libscrypt.a; now the adduser script is also producing passwords in MD5! I assume this is quite a practical way to deal with the problem.

I searched the mailing lists, but people were saying there is no way to create new passwords with MD5 if you use DES. I see there is one way! =) So I hope this mail will be useful to some degree for people who are migrating from DES to MD5.

Plus, now we have fast machines that we couldn't have had access to 2 years ago. I put my entire passwd file into a password cracker program and I got 1/3 of the passwords in 6 hours with a pII-350. I assume a pIII-750 would do a lot better though. So a script could be made to regenerate all the passwords with DES when the password cracking program finishes its job =)

Evren

On Sat, 8 Jul 2000, Crist J. Clark wrote:

> On Sat, Jul 08, 2000 at 01:48:11PM +0300, Evren Yurtesen wrote:
> > I have been using DES on my system and I have approx 2000 users
> > with DES passwords. Is it possible to make the system create the
> > new passwords with MD5 only? Unfortunately when I use DES then
> > the system recognises the MD5 passwords also but the other way
> > around is not working. (well didn't work when I tried last)
> >
> > How can I make simple programs like passwd and adduser to create
> > these passwords as MD5 even though I use DES? Or should I use
> > brute force to find out all passwords and then encrypt them
> > again???!?!?
>
> This comes up from time to time and there is presently no easy way to
> convert a user who has a DES password to MD5. With the descrypt
> libraries, passwd(1) defaults new passwords to DES and will keep a DES
> password DES and a MD5 stays MD5. The scrypt library only understands
> MD5.
>
> Hacking some kind of switch into passwd(1) so that it will (a) default
> new users one way or the other and (b) make all changed passwords move
> to one or the other via some switch (/etc/passwd.conf or an entry in
> login.conf) would be very useful. Even if the hack is not pretty,
> sending in patches with a change-request PR might get things moving.
>
> That said, here is a very ugly, but quick approach:
>
> (1) User successfully logs in with current DES password.
>
> (2) User uses your special 'newpasswd' wrapper.
>
> (3) The newpasswd wrapper puts a dummy entry in master.passwd that
> will trick passwd(1) into thinking the user has a MD5 password.
>
> (4) The wrapper starts passwd(1) and the user sets a new MD5
> password.
>
> This could be scripted or in C. However, it needs root privs so all of
> the caveats about suid scripts and programs are implied.
> --
> Crist J. Clark cjclark@alum.mit.edu
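
Added example, not part of the original message or of FreeBSD: a Python audit that classifies each master.passwd password field by its format, so the progress of a DES to MD5 migration like the one discussed in this thread can be tracked per user. The function names are hypothetical, the sample entries are constructed, and the classification assumes the usual crypt(3) string layouts (13-character DES, `_`-prefixed extended DES, `$1$` MD5).

```python
import re

B64 = r"[./0-9A-Za-z]"  # crypt(3) output alphabet
MD5_RE = re.compile(r"\$1\$" + B64 + r"{1,8}\$" + B64 + r"{22}")  # $1$salt$hash
DES_RE = re.compile(B64 + r"{13}")            # 2-char salt + 11-char hash
EXT_DES_RE = re.compile("_" + B64 + r"{19}")  # BSDi extended DES

def classify(pw_field):
    """Name the scheme implied by the format of a master.passwd password field."""
    if pw_field == "":
        return "empty"
    if pw_field.startswith("*"):      # '*' or '*LOCKED*...': no usable password
        return "no-login"
    if MD5_RE.fullmatch(pw_field):
        return "md5"
    if DES_RE.fullmatch(pw_field):
        return "des"
    if EXT_DES_RE.fullmatch(pw_field):
        return "des-extended"
    return "unknown"

def audit(text):
    """Return {scheme: [users]}; lines without 10 fields go under 'malformed'."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:         # master.passwd entries have 10 fields
            report.setdefault("malformed", []).append(f"line {lineno}")
            continue
        report.setdefault(classify(fields[1]), []).append(fields[0])
    return report

# Constructed sample: filler characters stand in for real hash output.
H11, H22 = "X" * 11, "A" * 22
SAMPLE = "\n".join([
    f"root:$1$saltsalt${H22}:0:0::0:0:Charlie &:/root:/bin/csh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin",
    f"alice:aa{H11}:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    f"bob:_J9..salt{H11}:1002:1002::0:0:Bob:/home/bob:/bin/sh",
    f"carol:$1$abcdefgh${H22}:1003:1003::0:0:Carol:/home/carol:/bin/sh",
    "broken:line",
])

if __name__ == "__main__":
    for scheme, users in sorted(audit(SAMPLE).items()):
        print(f"{scheme:13} {len(users):3}  {', '.join(users)}")
```

Users reported under `des` or `des-extended` are the ones who have not yet set a new password since the switch.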