From owner-freebsd-isp Wed Jul 31 14:02:25 1996 Return-Path: owner-isp Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA26864 for isp-outgoing; Wed, 31 Jul 1996 14:02:25 -0700 (PDT) Received: from mail.multinet.net (helix.multinet.net [204.138.173.21]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id OAA26854; Wed, 31 Jul 1996 14:02:22 -0700 (PDT) Received: from help.multinet.net (help.multinet.net [204.191.112.5]) by mail.multinet.net (8.6.11/8.6.11) with SMTP id UAA18905; Wed, 31 Jul 1996 20:57:22 GMT Message-Id: <199607312057.UAA18905@mail.multinet.net> X-Sender: root@multinet.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 31 Jul 1996 15:11:11 -0400 To: freebsd-isp@freebsd.org From: admin@mail.multinet.net (graydon hoare) Subject: which DES is which? Cc: freebsd-secure@freebsd.org Sender: owner-isp@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Howdy. Got a little query here. I'm running a bunch of netblazers here for dialup and they all use tftp to fetch their passwords from files stored on the old tandem nonstop/UX machine (which runs a pungent at&t DES)... and I'm shortly going to be transferring all this over to the FreeBSD servers. Now I'm in canada, so I know (or think I know) I'm allowed to use DES in all its glory without bending any noses, so I fetched the des package from freefall and had it link up with libcrypt.a and .so.2.0 etc... and sure enough when I passwd any of my test accounts, new short fluffy des-ish passwords show up in /etc/master.passwd. However, I don't know what des-mode libdescrypt is operating in here, and I have a feeling it's the wrong one. If I passwd twice in a row with the same password, I get two different outputs. I was under the impression that the login system crypt(3)'ed your password and then compared the output of that to something stored in the passwd file (or pwd.db in freeBSD's case), and I know that's what the netblazers will do -- fetch the passwd file, des what the user tells them internally, and compare the results as strings... so -- crypto gurus of the world, I mean I know I'm essentially asking for a way to make my password file dictionary-attackable, but I think in this case it's what is required for users to login. How do I fix this, or can you elaborate on why I am seeing this behaviour from libdescrypt? The netblazers understand kerberos as well, unfortunately _I_ don't understand much about kerberos. Would this make an altogether more pleasant situation? ps. I got libdes (the MIT one that comes with the ebones package) dangling around in the /usr/lib so I tried linking libcrypt to libdes and see what happened... it says it can't find the symbol _crypt, which is odd cause the documentation says clearly that MIT libdes impliments "a pretty fast crypt(3)". >?< God I hate export restrictions. This could be so much simpler. -graydon