From owner-freebsd-security  Sun May 26 12:04:50 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id MAA10066
          for security-outgoing; Sun, 26 May 1996 12:04:50 -0700 (PDT)
Received: from apocalypse.superlink.net (root@apocalypse.superlink.net [205.246.27.150])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA10060
          for <freebsd-security@freebsd.org>; Sun, 26 May 1996 12:04:46 -0700 (PDT)
Received: (from marxx@localhost) by apocalypse.superlink.net (8.7.5/8.7.3) id LAA01168; Sun, 26 May 1996 11:14:00 -0400 (EDT)
Date: Sun, 26 May 1996 11:13:59 -0400 (EDT)
From: "Charles C. Figueiredo" <marxx@apocalypse.superlink.net>
To: jamie <batsy@groovy.dreaming.org>
cc: freebsd-security@freebsd.org
Subject: Re: md5
In-Reply-To: <Pine.BSF.3.91.960526134808.1901B-100000@groovy.dreaming.org>
Message-ID: <Pine.BSF.3.91.960526111203.1151A-100000@apocalypse.superlink.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 26 May 1996, jamie wrote:

> 
> I have recently heard rumors of an md5 library for Crack. I have a small 
> number of users on my system (20'ish) and all are ...well...users in the 
> sense that I give them an initial passwd to get to their accounts and 
> they ask me if I can just set it to their userid so they can remember it. 
> I have told them how to change their passwds but I am suspicious that 
> they are using insecure passwds. I haven't implemented cracklib but I am 
> warey that if there is an md5 plug-in for crack, the shadow passwd system 
> is only a minimal defense (unshadow.c). If anyone knows where to find a 

	unshadow.c or any other variant, that attempts to exploit an 
insecuirty in getpwent() is useless. They cannot unshadow your password 
file w/ that, they will attempt other way of compromising root.


> doc or a package I would be very interested in hearing about it.
> Thanks,
> -jamie reid
> 

"I don't want to grow up, I'm a BSD kid. There's so many toys in /usr/bin 
that I can play with!"

------------------------------------------------------------------------------
Charles C. Figueiredo            Marxx                  marxx@superlink.net
------------------------------------------------------------------------------