From owner-freebsd-questions Mon Mar 5 22: 6:12 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from gscamnlm03.wr.usgs.gov (gscamnlm03.wr.usgs.gov [130.118.4.113])
    by hub.freebsd.org (Postfix) with ESMTP id B0F1D37B719;
    Mon, 5 Mar 2001 22:06:06 -0800 (PST)
    (envelope-from rsowders@usgs.gov)
To: Tony Landells
Cc: Mikko Tyolajarvi, owner-freebsd-questions@FreeBSD.ORG, questions@FreeBSD.ORG, Bill Moran
Subject: Re: SUN TO BSD
X-Mailer: Lotus Notes Release 5.0.3 March 21, 2000
Message-ID:
From: "Robert L Sowders"
Date: Mon, 5 Mar 2001 22:06:04 -0800
X-MIMETrack: Serialize by Router on gscamnlm03/SERVER/USGS/DOI(Release 5.0.3 |March 21, 2000) at 03/05/2001 10:06:08 PM, Serialize complete at 03/05/2001 10:06:08 PM
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

FreeBSD will read the crypted passwd from a Solaris machine. Try it yourself. Edit the /etc/master.passwd file on a BSD box and paste in a known crypted word from a Solaris /etc/shadow file. Run pwd_mkdb /etc/master.passwd and then try to log in with the new password. It works for me.

You must run pwd_mkdb to recreate all the secure and insecure db style databases.

You can then convert the crypted word to an MD5 word by running passwd, or setting the flag that will require a new passwd at login. That would be the sixth field of the passwd file (man 5 passwd). Change it from a 0 to a 1 and it will require a change of passwords at the next login.

I've made simple scripts to build user accounts from Solaris machines to FreeBSD boxes. It's not rocket science but you must make sure that you have good backups of all files you intend to edit.

Hope this helps.

Have fun, I did.

Tony Landells
Sent by: owner-freebsd-questions@FreeBSD.ORG
03/05/2001 04:10 PM

To: Bill Moran
cc: Mikko Tyolajarvi, questions@FreeBSD.ORG
Subject: Re: SUN TO BSD

The traditional UNIX password encryption takes a timestamp of when the password is set, and uses that as the "salt" (or seed) for the initial encryption. It then adds this salt to the encrypted string so it can be retrieved next time you want to check the password. This means that even if two users pick the same password it should look different because it was done at a different time.

By default FreeBSD uses MD5 for password encryption. Since this is a completely different algorithm, the encrypted string bears nothing more than a passing similarity to "traditionally" (DES) encrypted strings.

You have the option of getting FreeBSD to use DES encrypted passwords. If you do that, you can just cut and paste the password field from /etc/shadow on Solaris into /etc/master.password on FreeBSD.

Most UNIX systems use DES for passwords. I don't know why FreeBSD switched to MD5--possibly a lack of trust in DES, possibly because of stupid export laws. I'm sure someone else on the list will provide a definitive answer.

Cheers,
Tony

Bill Moran wrote:
> Mikko Tyolajarvi wrote:
> >
> > In local.freebsd.questions you write:
> > >I believe this has to do with the system default password encryption
> > >scheme. If both your Solaris & FreeBSD boxes are using the same
> > >encryption scheme you should see the same encrypted password. I've seen
> >
> > Nope. Password encryption schemes add a "salt" (12 bits for the
> > traditional DES version) to try to avoid passwords encrypting to the
> > same value -- otherwise dictionary attacks become a lot simpler.
>
> Straighten me out on this, then. (if you'd be so kind)
> Do all systems use different password math? If so, how does FreeBSD
> share its data with Solaris, Linux, et al via NIS? It couldn't be
> sending the passwords in cleartext, because they're not decryptable
> (right?) That would be insane anyway.
>
> I thought you had the option of using DES or MD5 for the password
> storage?
>
> Am I a little off in my understanding of this?

--
Tony Landells
Senior Network Engineer                Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd   Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
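
The account migration discussed in this thread, as an added example that is not part of the original messages or anyone's actual scripts: it joins Solaris passwd and shadow entries, classifies each stored hash by format (13-character DES with a 2-character salt, or `$1$` MD5), and emits 10-field master.passwd lines with field 6 set to 1 as Robert's message describes. The function names, the `min_uid` cutoff that skips system accounts, the `*` written for locked or unrecognised entries, and the sample data are assumptions made for the example.

```python
import re

# Traditional DES crypt(3) field: 13 characters, the first two are the salt.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample input (not real accounts or real hashes).
SOLARIS_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
alice:x:1001:10:Alice:/export/home/alice:/bin/ksh
bob:x:1002:10:Bob:/export/home/bob:/bin/sh
"""
SOLARIS_SHADOW = """\
root:abEXAMPLEroot:6445::::::
alice:abEXAMPLEhash:11386::::::
bob:*LK*:::::::
"""

def scheme(field):
    """Classify a stored password field by its format."""
    if field.startswith("$1$"):
        return "md5"
    if DES_RE.match(field):
        return "des"
    return "none"  # locked, empty or unrecognised

def convert(passwd_text, shadow_text, min_uid=100, force_change=True):
    """Build master.passwd lines for accounts with uid >= min_uid (assumed cutoff)."""
    hashes = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            hashes[parts[0]] = parts[1]
    lines, report = [], {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or int(parts[2]) < min_uid:
            continue  # malformed entry or system account: leave it alone
        name, _, uid, gid, gecos, home, shell = parts
        kind = scheme(hashes.get(name, ""))
        pw = hashes[name] if kind != "none" else "*"  # "*" = no password login
        # Field 6 set to 1 to require a new password at next login, per the message.
        change = "1" if force_change and kind != "none" else "0"
        # name:password:uid:gid:class:change:expire:gecos:home_dir:shell
        lines.append(":".join([name, pw, uid, gid, "", change, "0", gecos, home, shell]))
        report[name] = kind
    return lines, report

if __name__ == "__main__":
    out, kinds = convert(SOLARIS_PASSWD, SOLARIS_SHADOW)
    print("\n".join(out))
    print(kinds)
```

The generated lines still have to be merged into a backed-up /etc/master.passwd and installed with pwd_mkdb, as the message above says.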