Date: Thu, 7 Jun 2001 20:49:29 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: David Miner <david@slis-two.lis.fsu.edu>
Cc: edwin chan <huacheng@public.guangzhou.gd.cn>, Olivier Nicole <Olivier.Nicole@ait.ac.th>, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-ID: <20010607204929.U59617@mail.webmonster.de>
In-Reply-To: <Pine.BSF.4.30_heb2.09.0106071439270.64212-100000@slis-two.lis.fsu.edu>; from david@slis-two.lis.fsu.edu on Thu, Jun 07, 2001 at 02:41:57PM -0400
References: <20010607202014.S59617@mail.webmonster.de> <Pine.BSF.4.30_heb2.09.0106071439270.64212-100000@slis-two.lis.fsu.edu>
David Miner(david@slis-two.lis.fsu.edu)@2001.06.07 14:41:57 +0000:
> On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:
>
> > a simple script using pwgen(1) from the ports collection to generate the
> > cleartext password, using pw(8)'s instrumentation for passing a password
> > to it via filehandle would simplify things a bit, i think.
> > /k
> >
> It's not the generation of the passwords that is the problem. It's the
> encryption.

why bother encrypting the password if you already have instrumentation in
the base system for that? you could create the account and use system()
with pw -u user -h whatever, piping a cleartext password into it, having
the system care for the correct encryption (be it MD5 or 3DES or blowfish
or whatever). i did exactly this on a mass-hosting system until we
switched it to a different, ldap based, login system with direct
application support (e.g. no real accounts, everything is one uid,
validation is done in the ftp servers etc).

from pw(1):
---
     -h fd    This option provides a special interface by which interactive
              scripts can set an account password using pw.  Because the
              command line and environment are fundamentally insecure
              mechanisms by which programs can accept information, pw will
              only allow setting of account and group passwords via a file
              descriptor (usually a pipe between an interactive script and
              the program).  sh, bash, ksh and perl all possess mechanisms
              by which this can be done.  Alternatively, pw will prompt for
              the user's password if -h 0 is given, nominating stdin as the
              file descriptor on which to read the password.  Note that
              this password will be read only once and is intended for use
              by a script rather than for interactive use.  If you wish to
              have new password confirmation along the lines of passwd(1),
              this must be implemented as part of an interactive script
              that calls pw.  If a value of `-' is given as the argument
              fd, then the password will be set to `*', rendering the
              account inaccessible via password-based login.
---

/k

>
> I put print statements into the program, created two users, and check
> vipw.
>
> These are the outputs:
>
> entries in pwd.db:
>
> try-1:wUe7aHIXK/8O.:1260:1337::0:0:LIStry-1:/usr/try-1:/bin/csh
> try-2:tgx8fwK0d6cQM:1261:1338::0:0:LIStry-2:/usr/try-2:/bin/csh
>
> Program output:
>
> Enter password file name: pw7
> Password file read
> Enter path to home directories: /usr
> Enter class name: try
> Enter first number wanted: 1
> Enter number of users wanted: 2
> try-1 chock1
>
> wUlVdJxRtry-1 /usr/try-1 wUe7aHIXK/8O.
> chpass: updating the database...
> chpass: done
> try-2 chock1
>
> tgtM0gIZtry-2 /usr/try-2 tgx8fwK0d6cQM
> chpass: updating the database...
> chpass: done
>
> Notice that the encrypted password from the program appears to be the same
> as reported in vipw. But the user cannot login with the password.
>
> David
> ---------------------------------------------------------------------
> David R. Miner                                      miner@lis.fsu.edu
> Systems Integrator                               voice: 850-644-8107
> School of Information Studies                      fax: 850-644-6253
> Florida State University
> Tallahassee, FL 32306-2100
>
>

-- 
> Vegetarians for oral sex -- "The only meat that's fit to eat"
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7H8y5M0BPTilkv0YRAnziAKCMVyU2hHSwcGUK8OUEhYxoT0oZxgCeOmz/
dtQVmSLRAkcCw2rugGtKM/0=
=jCfg
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
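The approach Karsten describes above, written out as an added example that is not part of the thread and not code from any of its participants: the script generates a cleartext password (a stand-in for pwgen(1) from ports), hands it to pw(8) over a dedicated file descriptor with `-h 3`, and leaves the hashing to pw, so the script never calls crypt() itself and the password never appears on a command line or in the environment. It assumes a FreeBSD host with pw(8) in the base system; `PW_CMD` is a hypothetical hook added only so the helpers can be exercised with a stand-in command elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): create an account and set its
# password through pw(8)'s "-h fd" interface.  pw reads the password once
# from the descriptor and hashes it with whatever the system is configured
# for, so the calling script does not need to know the hash format.

# Hypothetical hook: lets a stand-in command be substituted for pw(8).
PW_CMD=${PW_CMD:-pw}

# Generate a random alphanumeric password of the requested length
# (default 12).  Stands in for pwgen(1); /dev/urandom is the entropy source.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-12}"
}

# Run "$@" with the value of $SECRET delivered on file descriptor 3.
# A here-document on fd 3 behaves like the pipe pw(8)'s manual page
# describes: the child reads it once, and the value is neither an argv
# entry (visible in ps) nor an exported environment variable.
run_with_secret_on_fd3() {
    "$@" 3<<EOF
$SECRET
EOF
}

# Create a user with home directory and csh shell, feeding the password
# on fd 3 so pw(8) performs the hashing (MD5, DES, Blowfish ... whichever
# passwd_format login.conf selects on this host).
# Usage (as root):  add_user_with_password try-1 /usr/try-1 "$(gen_password)"
add_user_with_password() {
    user=$1
    home=$2
    SECRET=$3
    run_with_secret_on_fd3 $PW_CMD useradd "$user" -d "$home" -m -s /bin/csh -h 3
}
```

Compared with the program quoted in the thread, which computed a DES hash itself and wrote it into the password database, this leaves the choice of algorithm and salt to the system, which is what makes the resulting entry usable for login regardless of how the host is configured.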
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010607204929.U59617>