Date:      Tue, 15 Jun 1999 19:15:50 +0300
From:      Evren Yurtesen <yurtesen@ispro.net.tr>
To:        Holtor <holtor@yahoo.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: DES & MD5?
Message-ID:  <37667C35.68E9E594@ispro.net.tr>
References:  <19990615104334.23910.rocketmail@web128.yahoomail.com>

Hello,
I think when you use MD5 or DES you can still have different kinds of
passwords in your password file.
I found this out when I accidentally changed from DES to MD5 at an
installation and it was working (we did not even understand the
difference till we saw the long passwords in the password file!),
but I do not know if it would work on your system, or if you are using
special programs which may be affected by the change...

Let me give you an MD5 string for you to try:
$1$kBCe/$LdWM8ViTcI4PTPTUJ5aCF1
The password is        md5test
Just create a user and use chfn to set the user details:
chfn username
Put this string into the password field when you get into the user details;
then you can try to log in using the password md5test
and you will see that it works: even when you are using DES,
your system can handle the MD5 encryption algorithm.

There is some information about DES and MD5 here:
http://www.freebsd.org/handbook/security.html#CRYPT
----------------------------------------------------------------
For example, on a system using the DES versions:
    % ls -l /usr/lib/libcrypt*
    lrwxr-xr-x  1 root  wheel  13 Mar 19 06:56 libcrypt.a -> libdescrypt.a
    lrwxr-xr-x  1 root  wheel  18 Mar 19 06:56 libcrypt.so.2.0 -> libdescrypt.so.2.0
    lrwxr-xr-x  1 root  wheel  15 Mar 19 06:56 libcrypt_p.a -> libdescrypt_p.a

On a system using the MD5-based libraries, the same links will be
present, but the target will be libscrypt rather than
libdescrypt.
----------------------------------------------------------------
According to this text, if you just change the links your system will
start to produce MD5 passwords on new accounts (but I think if you change
the password of an account it still produces DES if the previous
encryption algorithm was DES; if the account had an MD5 password it will
still have an MD5 password after you change the password with passwd).

Holtor wrote:

> So there really is no easy way to convert.
> I just wanted to move everything to MD5.
> Then just go in, and change each user's password
> and e-mail them all. I'm really not an expert
> with hacking source code, I know I'd probably screw
> it up horribly. My original intent was that if someone
> broke in, I figure MD5 passwords would be harder
> to break.
>
> Holt
>
> --- Poul-Henning Kamp <phk@critter.freebsd.dk> wrote:
> > In message <199906150658.AAA90712@harmony.village.org>, Warner Losh writes:
> > >In message <5182.929429344@critter.freebsd.dk> Poul-Henning Kamp writes:
> > >: Uhm, sorry Warner, but that is not true.  A brute force attack on
> > >: MD5 is many orders of magnitude slower than on DES.
> > >
> > >Wouldn't that cause lots of messages to be logged about failed login
> > >attempts?  I was talking about the case where no one can get the
> > >encrypted passwords.  I do suppose this assumes that all the programs
> > >that do login verification do syslogs failures...
> >
> > Which I must admit I have never verified that they do.  I don't
> > think a brute force attack without the scrambled passwords is
> > sufficiently feasible to be attempted, for one thing you reveal
> > your source-IP or tty/terminal identity, but even so, MD5 takes
> > longer to compute than DES.
> >
> > >I agree that MD5 is better when the possibility of disclosure of the
> > >encrypted passwords exists...
> >
> > Which it always does, it's only a matter of at which probability.
> >
> > --
> > Poul-Henning Kamp             FreeBSD coreteam member
> > phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> > FreeBSD -- It will take a long time before progress goes too far!
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
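
An added example, not part of the original message or of FreeBSD: since the thread describes DES and MD5 hashes coexisting in one password file, this sketch classifies each account's password field so an administrator can see which accounts still carry DES hashes before a migration. The function names, the regular expressions and the sample file are assumptions of this example; only the `$1$` string is the one quoted in the message.

```python
import re

# Character set used by both hash encodings discussed in the thread.
B64 = r"[./0-9A-Za-z]"
SCHEMES = [
    # MD5 format as in the message's sample: $1$<salt up to 8>$<22 chars>
    ("md5", re.compile(rf"\$1\${B64}{{1,8}}\${B64}{{22}}")),
    # Traditional DES crypt: 2 salt characters + 11 hash characters
    ("des", re.compile(rf"{B64}{{13}}")),
]

def classify(field):
    """Return the scheme name for one password field."""
    if field == "":
        return "empty"            # no password set at all
    if field.startswith("*"):
        return "locked"           # '*' is not in the hash alphabet
    for name, rx in SCHEMES:
        if rx.fullmatch(field):
            return name
    return "unknown"

def audit(text):
    """Map scheme -> sorted account names for master.passwd-style text."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:     # master.passwd records have 10 fields
            report.setdefault("malformed", []).append(fields[0])
            continue
        report.setdefault(classify(fields[1]), []).append(fields[0])
    return {k: sorted(v) for k, v in report.items()}

# Constructed sample file; the DES value is a made-up 13-character string.
SAMPLE = """\
root:$1$kBCe/$LdWM8ViTcI4PTPTUJ5aCF1:0:0::0:0:Charlie &:/root:/bin/csh
alice:abCDEFGHIJKLM:1001:1001::0:0:Alice:/home/alice:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
bob::1002:1002::0:0:Bob:/home/bob:/bin/sh
"""

if __name__ == "__main__":
    for scheme, users in audit(SAMPLE).items():
        print(f"{scheme}: {', '.join(users)}")
```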



