Date: Wed, 31 Jul 1996 15:11:11 -0400
From: admin@mail.multinet.net (graydon hoare)
To: freebsd-isp@freebsd.org
Cc: freebsd-secure@freebsd.org
Subject: which DES is which?
Message-ID: <199607312057.UAA18905@mail.multinet.net>

Howdy. Got a little query here.

I'm running a bunch of netblazers here for dialup and they all use tftp to fetch their passwords from files stored on the old tandem nonstop/UX machine (which runs a pungent AT&T DES)... and I'm shortly going to be transferring all this over to the FreeBSD servers.

Now I'm in Canada, so I know (or think I know) I'm allowed to use DES in all its glory without bending any noses, so I fetched the des package from freefall and had it link up with libcrypt.a and .so.2.0 etc... and sure enough when I passwd any of my test accounts, new short fluffy des-ish passwords show up in /etc/master.passwd.

However, I don't know what des-mode libdescrypt is operating in here, and I have a feeling it's the wrong one. If I passwd twice in a row with the same password, I get two different outputs. I was under the impression that the login system crypt(3)'ed your password and then compared the output of that to something stored in the passwd file (or pwd.db in FreeBSD's case), and I know that's what the netblazers will do -- fetch the passwd file, des what the user tells them internally, and compare the results as strings...

so -- crypto gurus of the world, I mean I know I'm essentially asking for a way to make my password file dictionary-attackable, but I think in this case it's what is required for users to login. How do I fix this, or can you elaborate on why I am seeing this behaviour from libdescrypt?

The netblazers understand kerberos as well, unfortunately _I_ don't understand much about kerberos. Would this make an altogether more pleasant situation?

ps. I got libdes (the MIT one that comes with the ebones package) dangling around in the /usr/lib so I tried linking libcrypt to libdes and see what happened... it says it can't find the symbol _crypt, which is odd cause the documentation says clearly that MIT libdes implements "a pretty fast crypt(3)". >?<

God I hate export restrictions. This could be so much simpler.

-graydon <admin@multinet.net>
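
Added example, not part of the original message and not FreeBSD's code: in the traditional crypt(3) scheme the two-character salt is stored as the first two characters of the 13-character hash, so hashing the same password twice gives different strings, while a hash-and-compare login still succeeds when the checker reuses the stored salt. SHA-256 stands in for the DES-based function here, and `toy_crypt`, `set_password`, `check_password`, `hash_field` and the sample master.passwd line are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# The 64-character alphabet traditional crypt(3) output is drawn from.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3): 2-char salt + 11 hash chars = 13 chars.

    Assumption: SHA-256 replaces the DES-based function, so these strings
    will NOT match what a real crypt(3) produces.
    """
    salt = salt[:2]  # like crypt(3), only the first two characters are used
    digest = hashlib.sha256((salt + password).encode()).digest()
    return salt + "".join(ALPHABET[b & 0x3F] for b in digest[:11])


def set_password(password: str) -> str:
    """What a passwd-style tool does: pick a fresh random salt each time."""
    salt = "".join(secrets.choice(ALPHABET) for _ in range(2))
    return toy_crypt(password, salt)


def check_password(candidate: str, stored: str) -> bool:
    """Hash-and-compare login: reuse the salt embedded in the stored hash."""
    if len(stored) != 13 or any(c not in ALPHABET for c in stored):
        return False  # locked ("*"), empty or malformed field never matches
    return hmac.compare_digest(toy_crypt(candidate, stored), stored)


def hash_field(line: str) -> tuple[str, str]:
    """Return (login name, password hash) from a master.passwd-format line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 10:
        raise ValueError("expected 10 colon-separated fields")
    return fields[0], fields[1]


if __name__ == "__main__":
    first, second = set_password("fluffy1"), set_password("fluffy1")
    print(first, second)  # same password, (almost always) different strings
    # Constructed master.passwd line for a hypothetical test account.
    line = f"testuser:{first}:1001:1001::0:0:Test User:/home/testuser:/bin/sh"
    name, stored = hash_field(line)
    print(name, check_password("fluffy1", stored), check_password("guess", stored))
```

A checker that hashes the candidate with a fixed or freshly chosen salt instead of the stored one would reject correct passwords, which is the mismatch a string-comparing client has to avoid.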
