Date: Thu, 7 Jun 2001 20:49:29 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: David Miner <david@slis-two.lis.fsu.edu>
Cc: edwin chan <huacheng@public.guangzhou.gd.cn>, Olivier Nicole <Olivier.Nicole@ait.ac.th>, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-ID: <20010607204929.U59617@mail.webmonster.de>
In-Reply-To: <Pine.BSF.4.30_heb2.09.0106071439270.64212-100000@slis-two.lis.fsu.edu>; from david@slis-two.lis.fsu.edu on Thu, Jun 07, 2001 at 02:41:57PM -0400
References: <20010607202014.S59617@mail.webmonster.de> <Pine.BSF.4.30_heb2.09.0106071439270.64212-100000@slis-two.lis.fsu.edu>
David Miner(david@slis-two.lis.fsu.edu)@2001.06.07 14:41:57 +0000:
> On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:
>
> > a simple script using pwgen(1) from the ports collection to generate the
> > cleartext password, using pw(8)'s instrumentation for passing a password
> > to it via filehandle would simplify things a bit, i think.
> > /k
> >
> It's not the generation of the passwords that is the problem. It's the
> encryption.
why bother encrypting the password if you already have instrumentation
in the base system for that?
you could create the account and use system() with pw -u user -h
whatever piping a cleartext password into it, having the system care for
the correct encryption (be it MD5 or 3DES or blowfish or whatever).
i did exactly this on a mass-hosting system until we switched it to a
different, ldap based, login system with direct application support
(e.g. no real accounts, everything is one uid, validation is done in the
ftp servers etc).
from pw(1):
---
-h fd   This option provides a special interface by which interactive
        scripts can set an account password using pw. Because the
        command line and environment are fundamentally insecure
        mechanisms by which programs can accept information, pw will
        only allow setting of account and group passwords via a file
        descriptor (usually a pipe between an interactive script and
        the program). sh, bash, ksh and perl all possess mechanisms by
        which this can be done. Alternatively, pw will prompt for the
        user's password if -h 0 is given, nominating stdin as the file
        descriptor on which to read the password. Note that this
        password will be read only once and is intended for use by a
        script rather than for interactive use. If you wish to have new
        password confirmation along the lines of passwd(1), this must be
        implemented as part of an interactive script that calls pw.
        If a value of `-' is given as the argument fd, then the password
        will be set to `*', rendering the account inaccessible via
        password-based login.
---
/k
>
> I put print statements into the program, created two users, and checked
> vipw.
>
> These are the outputs:
>
> entries in pwd.db:
>
> try-1:wUe7aHIXK/8O.:1260:1337::0:0:LIStry-1:/usr/try-1:/bin/csh
> try-2:tgx8fwK0d6cQM:1261:1338::0:0:LIStry-2:/usr/try-2:/bin/csh
>
> Program output:
>
> Enter password file name: pw7
> Password file read
> Enter path to home directories: /usr
> Enter class name: try
> Enter first number wanted: 1
> Enter number of users wanted: 2
> try-1 chock1
>
> wUlVdJxRtry-1 /usr/try-1 wUe7aHIXK/8O.
> chpass: updating the database...
> chpass: done
> try-2 chock1
>
> tgtM0gIZtry-2 /usr/try-2 tgx8fwK0d6cQM
> chpass: updating the database...
> chpass: done
>
> Notice that the encrypted password from the program appears to be the same
> as reported in vipw. But the user cannot login with the password.
>
> David
> ---------------------------------------------------------------------
> David R. Miner miner@lis.fsu.edu
> Systems Integrator voice: 850-644-8107
> School of Information Studies fax: 850-644-6253
> Florida State University
> Tallahassee, FL 32306-2100
>
>
--
> Vegetarians for oral sex -- "The only meat that's fit to eat"
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
