From owner-freebsd-security Sun Jun 2 21:46:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA04246 for security-outgoing; Sun, 2 Jun 1996 21:46:29 -0700 (PDT)
Received: from groovy.dreaming.org (groovy.dreaming.org [204.92.5.69]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id VAA04241 for ; Sun, 2 Jun 1996 21:46:26 -0700 (PDT)
Received: (from batsy@localhost) by groovy.dreaming.org (8.6.12/8.6.12) id AAA03556; Mon, 3 Jun 1996 00:53:46 -0400
Date: Mon, 3 Jun 1996 00:53:46 -0400 (EDT)
From: jamie
X-Sender: batsy@groovy.dreaming.org
To: Matt of the Long Red Hair
cc: freebsd-security@FreeBSD.org
Subject: Re: MD5 Crack code
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> Does anyone out there have a patch or even full source code for a Crack
> capable of dealing with FreeBSD's MD5 passwd files?

In fact it was me that was posting it. Mind you it was for fear of someone using the getpwent() bug (check CERT archives) using ushadow.c. Someone pointed out that I had nothing to fear from that bug. Mind you I am uncomfortable with the idea that there is one out there and I can't find it.

Though someone gaining root access on my machine would make the master.passwd file useless in that they could get whatever they wanted and then leave a trojan, there are other ways to get the master passwd file on FreeBSD. These of course are not specific to FreeBSD but common misconfigurations. (i.e. NFS, ftp and the like).

I think that public knowledge of the existence of a crack would be far more useful to admins than "security through obscurity". There is a good reference to that in Practical Unix Security (O'Reilly & Assoc.) and as I remember, it was not a favourable one.

A fish walks into a bar, completely skewing all laws of probability in the universe which, subsequently, implodes.
Some Guy Named Jamie batsy@groovy.dreaming.org