Date:      Thu, 7 Jun 2001 20:49:29 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        David Miner <david@slis-two.lis.fsu.edu>
Cc:        edwin chan <huacheng@public.guangzhou.gd.cn>, Olivier Nicole <Olivier.Nicole@ait.ac.th>, freebsd-security@FreeBSD.ORG
Subject:   Re: Encrypted passwords
Message-ID:  <20010607204929.U59617@mail.webmonster.de>
In-Reply-To: <Pine.BSF.4.30_heb2.09.0106071439270.64212-100000@slis-two.lis.fsu.edu>; from david@slis-two.lis.fsu.edu on Thu, Jun 07, 2001 at 02:41:57PM -0400
References:  <20010607202014.S59617@mail.webmonster.de> <Pine.BSF.4.30_heb2.09.0106071439270.64212-100000@slis-two.lis.fsu.edu>


David Miner(david@slis-two.lis.fsu.edu)@2001.06.07 14:41:57 +0000:
> On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:
>
> > a simple script using pwgen(1) from the ports collection to generate the
> > cleartext password, using pw(8)'s instrumentation for passing a password
> > to it via filehandle would simplify things a bit, i think.
> > /k
> >
> It's not the generation of the passwords that is the problem.  It's the
> encryption.

why bother encrypting the password if you already have instrumentation
in the base system for that?
you could create the account and use system() with pw -u user -h
whatever piping a cleartext password into it, having the system care for
the correct encryption (be it MD5 or 3DES or blowfish or whatever).
i did exactly this on a mass-hosting system until we switched it to a
different, ldap based, login system with direct application support
(e.g. no real accounts, everything is one uid, validation is done in the
ftp servers etc).

from pw(8):
---
     -h fd         This option provides a special interface by which
                   interactive scripts can set an account password using pw.
                   Because the command line and environment are fundamentally
                   insecure mechanisms by which programs can accept
                   information, pw will only allow setting of account and
                   group passwords via a file descriptor (usually a pipe
                   between an interactive script and the program).  sh, bash,
                   ksh and perl all possess mechanisms by which this can be
                   done.  Alternatively, pw will prompt for the user's
                   password if -h 0 is given, nominating stdin as the file
                   descriptor on which to read the password.  Note that this
                   password will be read only once and is intended for use by
                   a script rather than for interactive use.  If you wish to
                   have new password confirmation along the lines of
                   passwd(1), this must be implemented as part of an
                   interactive script that calls pw.

                   If a value of `-' is given as the argument fd, then the
                   password will be set to `*', rendering the account
                   inaccessible via password-based login.
---

/k

>
> I put print statements into the program, created two users, and checked
> vipw.
>
> These are the outputs:
>
> entries in pwd.db:
>
> try-1:wUe7aHIXK/8O.:1260:1337::0:0:LIStry-1:/usr/try-1:/bin/csh
> try-2:tgx8fwK0d6cQM:1261:1338::0:0:LIStry-2:/usr/try-2:/bin/csh
>
> Program output:
>
> Enter password file name:  pw7
> Password file read
> Enter path to home directories: /usr
> Enter class name: try
> Enter first number wanted: 1
> Enter number of users wanted: 2
> try-1 chock1
>
> wUlVdJxRtry-1 /usr/try-1 wUe7aHIXK/8O.
> chpass: updating the database...
> chpass: done
> try-2 chock1
>
> tgtM0gIZtry-2 /usr/try-2 tgx8fwK0d6cQM
> chpass: updating the database...
> chpass: done
>
> Notice that the encrypted password from the program appears to be the same
> as reported in vipw.  But the user cannot login with the password.
>
> David
> ---------------------------------------------------------------------
> David R. Miner                                   miner@lis.fsu.edu
> Systems Integrator                               voice: 850-644-8107
> School of Information Studies                    fax:   850-644-6253
> Florida State University
> Tallahassee, FL  32306-2100
>
>

-- 
> Vegetarians for oral sex -- "The only meat that's fit to eat"
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
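The approach Karsten describes above (let pw(8) do the hashing by feeding it the cleartext over a file descriptor, and use `-h -` for accounts that must not be password-loginable), written out as an added example that is not part of the original thread or of any FreeBSD code. It assumes a FreeBSD base system with pw(8), root privileges, and /dev/urandom in place of pwgen(1) from ports; the account prefix, home base and shell are constructed to mirror David's try-1/try-2 test run and are not taken from his program.

```shell
#!/bin/sh
# Added example (not from the original thread): bulk account creation on
# FreeBSD with pw(8).  The cleartext password is handed to pw over fd 0
# ("-h 0") so that pw, not this script, produces the hash in whatever
# format the system is configured for.  Assumptions: FreeBSD with pw(8),
# run as root, /dev/urandom available; names/paths below are constructed.

set -u

# Random 16-character alphanumeric password from the kernel RNG
# (stands in for pwgen(1) so the example has no ports dependency).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# create_user NAME HOMEBASE PASSWORD
# Non-empty PASSWORD: pw reads it exactly once from stdin and stores the hash.
# Empty PASSWORD: "-h -" writes "*" into the password field, so the account
# exists but cannot be reached by password-based login.
# The password never appears on a command line (visible in ps(1)) or in the
# environment; the pipe is the only channel.
create_user() {
    u_name=$1 u_base=$2 u_pass=$3
    if [ -z "$u_pass" ]; then
        pw useradd -n "$u_name" -d "$u_base/$u_name" -m -s /bin/csh -h -
    else
        printf '%s\n' "$u_pass" |
            pw useradd -n "$u_name" -d "$u_base/$u_name" -m -s /bin/csh -h 0
    fi
}

# provision HOMEBASE FIRST COUNT PREFIX
# Creates PREFIX-FIRST .. PREFIX-(FIRST+COUNT-1) and prints "name password"
# pairs on stdout for hand-out; stops at the first pw failure.
provision() {
    p_base=$1 p_first=$2 p_count=$3 p_prefix=$4
    p_n=$p_first
    while [ "$p_n" -lt $((p_first + p_count)) ]; do
        p_name="$p_prefix-$p_n"
        p_pass=$(gen_password)
        create_user "$p_name" "$p_base" "$p_pass" || return 1
        printf '%s %s\n' "$p_name" "$p_pass"
        p_n=$((p_n + 1))
    done
}

# Usage, matching the thread's test run (two accounts try-1 and try-2 under /usr):
#   provision /usr 1 2 try > new-accounts.txt    # keep this file off the box
# A password-less service account:
#   create_user ftpproxy /usr ""
```

Because the script never calls crypt(3) itself, the stored hash is always produced by the same code path that login(1) will later use to verify it, which removes the class of "hash looks right in vipw but login fails" problems David is chasing; whether that hash is DES, MD5 or Blowfish is a system-wide setting, not the script's concern.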




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010607204929.U59617>