Date:      Mon, 5 Mar 2001 22:06:04 -0800
From:      "Robert L Sowders" <rsowders@usgs.gov>
To:        Tony Landells <ahl@austclear.com.au>
Cc:        Mikko Tyolajarvi <mikko@dynas.se>, owner-freebsd-questions@FreeBSD.ORG, questions@FreeBSD.ORG, Bill Moran <wmoran@iowna.com>
Subject:   Re: SUN TO BSD
Message-ID:  <OF57BD0290.84459EAC-ON88256A07.001DA864@wr.usgs.gov>

FreeBSD will read the crypted passwd from a Solaris machine.
Try it yourself. 
Edit the /etc/master.passwd file on a BSD box and paste in a known crypted 
word from a Solaris /etc/shadow file.  Run pwd_mkdb /etc/master.passwd and 
then try to login with the new password.  It works for me.

You must run pwd_mkdb to recreate all the secure and insecure db style 
databases.
You can then convert the crypted word to a MD5 word by running passwd, or 
setting the flag that will require a new passwd at login.  That would be 
the sixth field of the passwd file (man 5 passwd).  Change it from a 0 to 
a 1 and it will require a change of passwords at the next login.

I've made simple scripts to build user accounts from Solaris machines to 
FreeBSD boxes.  It's not rocket science but you must make sure that you 
have good backups of all files you intend to edit. 
 
Hope this helps.  Have fun, I did.





Tony Landells <ahl@austclear.com.au>
Sent by: owner-freebsd-questions@FreeBSD.ORG
03/05/2001 04:10 PM

 
        To:     Bill Moran <wmoran@iowna.com>
        cc:     Mikko Tyolajarvi <mikko@dynas.se>, questions@FreeBSD.ORG
        Subject:        Re: SUN TO BSD

The traditional UNIX password encryption takes a timestamp of when
the password is set, and uses that as the "salt" (or seed) for the
initial encryption.  It then adds this salt to the encrypted string
so it can be retrieved next time you want to check the password.

This means that even if two users pick the same password it should
look different because it was done at a different time.

By default FreeBSD uses MD5 for password encryption.  Since this
is a completely different algorithm, the encrypted string bears
nothing more than a passing similarity to "traditionally" (DES)
encrypted strings.

You have the option of getting FreeBSD to use DES encrypted passwords.
If you do that, you can just cut and paste the password field from
/etc/shadow on Solaris into /etc/master.password on FreeBSD.

Most UNIX systems use DES for passwords.  I don't know why FreeBSD
switched to MD5--possibly a lack of trust in DES, possibly because
of stupid export laws.  I'm sure someone else on the list will provide
a definitive answer.

Cheers,
Tony

Bill Moran wrote:
> Mikko Tyolajarvi wrote:
> > 
> > In local.freebsd.questions you write:
> > >I believe this has to do with the system default password encryption
> > >scheme. If both your Solaris & FreeBSD boxes are using the same
> > >encryption scheme you should see the same encrypted password. I've seen
> > 
> > Nope.  Password encryption schemes add a "salt" (12 bits for the
> > traditional DES version) to try to avoid passwords encrypting to the
> > same value -- otherwise dictionary attacks become a lot simpler.
> 
> Straighten me out on this, then. (if you'd be so kind)
> Do all systems use different password math? If so, how does FreeBSD
> share its data with Solaris, Linux, et al via NIS? It couldn't be
> sending the passwords in cleartext, because they're not decryptable
> (right?) That would be insane anyway.
> 
> I thought you had the option of using DES or MD5 for the password
> storage?
> 
> Am I a little off in my understanding of this?
-- 
Tony Landells    <ahl@austclear.com.au>
Senior Network Engineer  Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd                             Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?OF57BD0290.84459EAC-ON88256A07.001DA864>
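
An added example, not part of the original thread and not the scripts mentioned in it: a Python sketch that tells a traditional DES crypt field from a `$1$` MD5 one, then merges a Solaris `/etc/passwd` and `/etc/shadow` entry into a FreeBSD `master.passwd` line with the sixth field set to 1. The function names and the sample entries are constructed for illustration; the field layouts assumed are Solaris shadow(4) and FreeBSD passwd(5).

```python
import re

# Character set used by crypt(3) hash encodings.
B64 = r"[./0-9A-Za-z]"
DES_RE = re.compile(rf"({B64}{{2}})({B64}{{11}})")          # 2-char salt = 12 bits
MD5_RE = re.compile(rf"\$1\$([^$]{{1,8}})\$({B64}{{22}})")  # $1$salt$hash


def classify(field):
    """Return (scheme, salt) for a crypt(3) password field."""
    m = DES_RE.fullmatch(field)
    if m:
        return "des", m.group(1)
    m = MD5_RE.fullmatch(field)
    if m:
        return "md5", m.group(1)
    return "unusable", None  # e.g. *LK*, NP, *, or an empty field


def to_master_passwd(passwd_line, shadow_line, force_change=True):
    """Merge one Solaris passwd line and its shadow line into a
    FreeBSD master.passwd line (10 colon-separated fields)."""
    name, _x, uid, gid, gecos, home, shell = passwd_line.rstrip("\n").split(":")
    sfields = shadow_line.rstrip("\n").split(":")
    if sfields[0] != name:
        raise ValueError(f"shadow entry is for {sfields[0]!r}, not {name!r}")
    scheme, _salt = classify(sfields[1])
    # Never carry an empty or unrecognised field over as a usable password.
    pw = sfields[1] if scheme != "unusable" else "*"
    # Sixth field (change): 1 forces a new password at the next login.
    change = "1" if force_change and scheme != "unusable" else "0"
    # Fields: name:password:uid:gid:class:change:expire:gecos:home_dir:shell
    return ":".join([name, pw, uid, gid, "", change, "0", gecos, home, shell])


# Constructed sample entries (the hash is a made-up string, not a real password).
SAMPLE_PASSWD = "jdoe:x:1001:100:Jane Doe:/home/jdoe:/bin/sh"
SAMPLE_SHADOW = "jdoe:abCdEfGhIjKlM:11386::::::"

if __name__ == "__main__":
    print(classify(SAMPLE_SHADOW.split(":")[1]))
    print(to_master_passwd(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

Lines produced this way go into a backed-up copy of `master.passwd`, followed by the `pwd_mkdb` run described in the message.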