Date: Thu, 7 Jun 2001 22:02:27 +0200
From: "Karsten W. Rohrbach"
To: Ralph Huntington
Cc: David Miner, edwin chan, Olivier Nicole, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-ID: <20010607220227.W59617@mail.webmonster.de>

correct me if i am just stupid, but i don't get the point

echo -n passW0Rd | pw -u testuser -h 1

sets the password of "testuser" to "passW0Rd", storing it in the auth system
you prefer in encrypted form.

am i missing something?

/k

Ralph Huntington(rjh@mohawk.net)@2001.06.07 15:15:38 +0000:
> I use "expect" and a script-generated script for encrypting the passwd.
> Here's the shell script my account-maker script generates and then runs to
> set the password. This happens after the account-maker script uses "pw" to
> make the actual user account (which puts a "*" in the passwd field).
>
> #!/usr/local/bin/expect
> set argv username
> spawn -noecho passwd [lindex $argv 0]
> expect "Changing local password for username."
> send ""
> expect "word:"
> send "PassWord\r"
> expect "word:"
> send "PassWord\r"
> expect eof
>
> Obviously, have your script replace "username" with the actual username
> and "PassWord" with the actual plaintext password. For security, have your
> script unlink the expect script after it has run.
>
> This just uses the "passwd" command non-interactively thanks to the expect
> utility. It may not be terribly elegant, but I use this every day and it
> works fine. I hope it's useful for you!
>
> Ralph
>
> On Thu, 7 Jun 2001, David Miner wrote:
>
> > On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:
> >
> > > a simple script using pwgen(1) from the ports collection to generate the
> > > cleartext password, using pw(8)'s instrumentation for passing a password
> > > to it via filehandle would simplify things a bit, i think.
> > > /k
> > >
> >
> > It's not the generation of the passwords that is the problem. It's the
> > encryption.
> >
> > I put print statements into the program, created two users, and checked
> > vipw.
> >
> > These are the outputs:
> >
> > entries in pwd.db:
> >
> > try-1:wUe7aHIXK/8O.:1260:1337::0:0:LIStry-1:/usr/try-1:/bin/csh
> > try-2:tgx8fwK0d6cQM:1261:1338::0:0:LIStry-2:/usr/try-2:/bin/csh
> >
> > Program output:
> >
> > Enter password file name: pw7
> > Password file read
> > Enter path to home directories: /usr
> > Enter class name: try
> > Enter first number wanted: 1
> > Enter number of users wanted: 2
> > try-1 chock1
> >
> > wUlVdJxRtry-1 /usr/try-1 wUe7aHIXK/8O.
> > chpass: updating the database...
> > chpass: done
> > try-2 chock1
> >
> > tgtM0gIZtry-2 /usr/try-2 tgx8fwK0d6cQM
> > chpass: updating the database...
> > chpass: done
> >
> > Notice that the encrypted password from the program appears to be the same
> > as reported in vipw. But the user cannot login with the password.
> >
> > David
> > ---------------------------------------------------------------------
> > David R. Miner                    miner@lis.fsu.edu
> > Systems Integrator                voice: 850-644-8107
> > School of Information Studies     fax: 850-644-6253
> > Florida State University
> > Tallahassee, FL 32306-2100
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>

-- 
> "Niklaus Wirth has lamented that, whereas Europeans pronounce his name
> correctly (Ni-klows Virt), Americans invariably mangle it into
> (Nick-les Worth). Which is to say that Europeans call him by name, but
> Americans call him by value."
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
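
Added example, not part of the original message or of any poster's scripts: a small sh wrapper around the pw(8) file-descriptor interface discussed above, written as "pw usermod <user> -h 0" so that pw reads the password from standard input and the cleartext never sits in a script file or on a command line. The function name set_user_password, the user-name pattern and the 8-character minimum are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): set a FreeBSD account password
# without placing the cleartext in argv or in a file on disk.
# Assumptions: pw(8) is on PATH and the caller is root; the function name,
# the user-name pattern and the 8-character minimum are illustrative.
# Usage (as root):  pwgen -s 16 1 | set_user_password testuser

set_user_password() {
    # Exactly one argument, so nobody passes the password on the command
    # line, where ps(1) would show it to other local users.
    if [ "$#" -ne 1 ]; then
        echo "usage: set_user_password <user>  (password on stdin)" >&2
        return 2
    fi
    user=$1

    # Accept only conservative login names; this also keeps a name that
    # starts with "-" from being parsed by pw as an option.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "set_user_password: invalid user name" >&2
            return 2 ;;
    esac

    # Read one line from stdin. IFS= and -r preserve blanks and backslashes;
    # read drops the trailing newline, so it cannot become part of the
    # password that gets hashed.
    IFS= read -r pass || [ -n "$pass" ] || {
        echo "set_user_password: no password on stdin" >&2
        return 1
    }
    if [ "${#pass}" -lt 8 ]; then
        echo "set_user_password: password shorter than 8 characters" >&2
        unset pass
        return 1
    fi

    # printf is a builtin in sh and bash, so no process is started with the
    # cleartext as an argument. "-h 0" makes pw read it from fd 0.
    printf '%s' "$pass" | pw usermod "$user" -h 0
    rc=$?
    unset pass
    return "$rc"
}
```
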