Date: Wed, 11 Jul 2001 10:24:08 +1000 (EST)
From: Gregory Bond <gnb@itga.com.au>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/28885: [patch] enhance makekey to check/generate MD5 passwords
Message-ID: <200107110024.f6B0O8P03091@hellcat.itga.com.au>
>Number: 28885
>Category: bin
>Synopsis: [patch] enhance makekey to check/generate MD5 passwords
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 10 17:30:02 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Gregory Bond
>Release: FreeBSD 4.3-STABLE i386
>Organization: ITG Australia Limited
>Environment:
System: FreeBSD hellcat.itga.com.au 4.3-STABLE FreeBSD 4.3-STABLE #21: Mon Jun 18 13:41:36 EST 2001 toor@hellcat.itga.com.au:/usr/obj/usr/src/sys/Hellcat i386
>Description:
Makekey can be used from other programs to encrypt passwords. But it is very awkward to use from a script or the command line, and only produces DES encryptions. These patches extend makekey to handle MD5 passwords and make it much more convenient to use from a script or the command line, for example when populating passwd-like files for WEB/IRC/whatever servers. It is now also able to check passwords.
>How-To-Repeat:
Examine makekey manual page. Attempt to use it from a shell script!
>Fix:
Index: makekey/makekey.8 =================================================================== RCS file: /usr/ncvs/src/libexec/makekey/makekey.8,v retrieving revision 1.9.2.1 diff -u -r1.9.2.1 makekey.8 --- makekey/makekey.8 2000/12/08 13:52:29 1.9.2.1 +++ makekey/makekey.8 2001/07/11 00:09:05 
@@ -37,24 +37,97 @@ .Os .Sh NAME .Nm makekey -.Nd make encrypted keys or passwords +.Nd make and check encrypted keys or passwords .Sh SYNOPSIS .Nm +.Op Fl m | Fl d | Fl u +.Op Fl p Ar password +.Op Fl s Ar salt +.Op Fl n .Sh DESCRIPTION -.Nm Makekey -encrypts a key and salt which it reads from the standard input -and writes the result to the standard output. -The key is expected to be -eight bytes; the salt is expected to be two bytes. +When called with no arguments, +.Nm +runs in compatibility mode. It reads exactly 8 bytes of key and 2 +bytes of salt from standard input, and produces exactly 13 bytes of +DES encrypted password on standard out (with no trailing newline). +.Pp +When called with arguments, +.Nm +encrypts a password and prints it on standard +output, followed by a newline. +.Pp See .Xr crypt 3 for more information on what characters the key and salt can contain and how the encrypted value is calculated. +.Sh OPTIONS +.Bl -tag -width indent +.It Fl m +Encrypt the password using the MD5 password algorithm. +.Pp +.It Fl d +Encrypt the password using the DES password algorithm (if available). +.Pp +.It Fl u +Encrypt the password using the default algorithm as specified by the +.Cm crypt_default +entry in the +.Pa /etc/auth.conf +file. This is the default if neither +.Fl m +nor +.Fl d +are specified. +.Pp +.It Fl s Ar salt +Use the supplied salt rather than a new randomly-generated salt. +.Pp +.It Fl n +Rather than print the encrypted password on standard out, compare it +to the version passed in via the +.Fl s Ar salt +argument, and exit with return status of 0 if they compare equal, else +1. +.Pp +.It Fl p Ar password +Use +.Ar password +as the plaintext password. If +.Fl p +is not specified, +.Nm +will prompt for a passord using the +.Xr getpass 3 +function. +.Sh EXAMPLES +.Bd -literal -offset indent +$ makekey -p secret -m +$1$V6VfDBZZ$GM2ZBo0c5bh1HG0etveAq. 
+$ makekey -p secret -d -s 3D +3DzkIA460ybsA +$ makekey -p secret -s 3DzkIA460ybsA -n +$ echo $? +0 +$ makekey -p wrong -s 3DzkIA460ybsA -n +$ echo $? +1 +$ makekey -u +Enter password: <password> +l9hDu91z3G1rY +$ +.Ed +.Sh FILES +.Bl -tag -compact +.It Pa /etc/auth.conf .Sh SEE ALSO .Xr login 1 , -.Xr crypt 3 +.Xr crypt 3 , +.Xr getpass 3 , +.Xr auth.conf 5 .Sh HISTORY A .Nm command appeared in .At v7 . +The handling of arguments was added in +.Fx 4.4 . Index: makekey/makekey.c =================================================================== RCS file: /usr/ncvs/src/libexec/makekey/makekey.c,v retrieving revision 1.8 diff -u -r1.8 makekey.c --- makekey/makekey.c 1999/08/28 00:09:39 1.8 +++ makekey/makekey.c 2001/07/10 23:31:33 
@@ -55,9 +55,111 @@ #include <unistd.h> static void get __P((char *, int)); +static void olddes __P((void)); +static void usage __P((void)); +static char const saltchars[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ."; + int -main() +main(argc, argv) + int argc; + char *argv[]; +{ + int c; + int opt_d = 0; + int opt_m = 0; + int opt_n = 0; + int opt_u = 0; + char *sp = 0; + char *pass = 0; + char salt[256]; + + if (argc == 1) + olddes(); + + while ((c = getopt(argc, argv, "dmnp:s:u")) != -1) { + switch (c) { + case 'd': + opt_d = 1; + break; + case 'm': + opt_m = 1; + break; + case 'n': + opt_n = 1; + break; + case 'p': + pass = optarg; + break; + case 's': + sp = optarg; + break; + case 'u': + opt_u = 1; + break; + case '?': + default: + warn("Unrecognised option %c\n", c); + usage(); + } + } + if (optind != argc) + usage(); + if (opt_m + opt_d + opt_u > 1) + usage(); + + if (sp) { + char *p, *q; + + for (p = sp, q = salt; *p; p++, q++) { + if (*p != '$' && strchr(saltchars, *p) == NULL) + errx(2, "Illegal character in salt"); + if (q >= salt + sizeof(salt)) + errx(2, "Salt too long"); + *q = *p; + } + *q = 0; + } else { + int i; + + srandomdev(); + + for (i = 0; i < 8; i++) + salt[i] = saltchars[random() % 64]; + salt[8] = 0; + } + + if (pass == 0) + pass = getpass("Enter password:"); + + if (opt_d || opt_m) + if (!crypt_set_format(opt_m ? 
"md5" : "des")) + warn("setting crypt(3) format"); + + if (opt_n) { + if (!sp) + errx(2, "No salt provided with -n"); + exit(strcmp(salt, crypt(pass, salt)) != 0); + } else { + printf("%s\n", crypt(pass, salt)); + exit(0); + } +} + +static void +usage() +{ + fprintf(stderr, "usage: makekey [-m|-d|-u] [-s salt] [-p passwd] [-n]\n"); + exit(1); +} + +/* + * Old behaviour for DES passwords + * read exactly 8 bytes of passwd and 2 bytes of salt and print the crypt + * output + */ +static void +olddes() { int len; char *r, key[9], salt[3]; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
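Review bot: In the makekey.8 hunk, the `-p password` entry under OPTIONS and the EXAMPLES built on `-p secret` put the plaintext on the command line with no caveat; an argument is visible in the process listing and ends up in shell history, so the entry should say that and recommend the getpass(3) prompt for interactive use. The `-n` entry relies on `-s salt` carrying the full encrypted password rather than just a salt, which the `-s` entry itself should state. In the same hunk, "will prompt for a passord" is a typo, and neither `.Bl` list (OPTIONS and FILES) is closed with `.El` before the next `.Sh`.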
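Review bot: In the makekey.c hunk, `saltchars` holds only 63 characters (the `/` of the crypt(3) alphabet is missing), so `saltchars[random() % 64]` can pick the terminating NUL and cut the generated salt short, and the `strchr(saltchars, *p)` check rejects a valid encrypted password containing `/` when it is passed through `-s` for `-n`; add `/` to the table and take the modulus from `sizeof(saltchars) - 1`. In the salt copy loop, the test `q >= salt + sizeof(salt)` still accepts a 256-character argument, after which `*q = 0` writes one byte past the end of `salt`; compare against `salt + sizeof(salt) - 1` instead. A failed `crypt_set_format()` only calls `warn()`, so `-d` on a system without DES carries on with whatever format is current; that should be a fatal `errx()`, and the return value of `crypt()` should be checked for NULL before it reaches `strcmp()` or `printf()`.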