From: Tony Landells
To: Bill Moran
Cc: Mikko Tyolajarvi, questions@FreeBSD.ORG
Subject: Re: SUN TO BSD
Date: Tue, 06 Mar 2001 11:10:03 +1100
Message-Id: <200103060010.LAA00329@tungsten.austclear.com.au>
In-Reply-To: Message from Bill Moran of "Mon, 05 Mar 2001 18:50:40 CDT." <3AA4264F.7AF4B2A5@iowna.com>

The traditional UNIX password encryption takes a timestamp of when the password is set, and uses that as the "salt" (or seed) for the initial encryption. It then adds this salt to the encrypted string so it can be retrieved next time you want to check the password. This means that even if two users pick the same password it should look different because it was done at a different time.

By default FreeBSD uses MD5 for password encryption. Since this is a completely different algorithm, the encrypted string bears nothing more than a passing similarity to "traditionally" (DES) encrypted strings.

You have the option of getting FreeBSD to use DES encrypted passwords. If you do that, you can just cut and paste the password field from /etc/shadow on Solaris into /etc/master.password on FreeBSD. Most UNIX systems use DES for passwords.
I don't know why FreeBSD switched to MD5--possibly a lack of trust in DES, possibly because of stupid export laws. I'm sure someone else on the list will provide a definitive answer.

Cheers,
Tony

Bill Moran wrote:
> Mikko Tyolajarvi wrote:
> >
> > In local.freebsd.questions you write:
> > >I believe this has to do with the system default password encryption
> > >scheme. If both your Solaris & FreeBSD boxes are using the same
> > >encryption scheme you should see the same encrypted password. I've seen
> >
> > Nope. Password encryption schemes add a "salt" (12 bits for the
> > traditional DES version) to try to avoid passwords encrypting to the
> > same value -- otherwise dictionary attacks become a lot simpler.
>
> Straighten me out on this, then. (if you'd be so kind)
> Do all systems use different password math? If so, how does FreeBSD
> share its data with Solaris, Linux, et al via NIS? It couldn't be
> sending the passwords in cleartext, because they're not decryptable
> (right?) That would be insane anyway.
>
> I thought you had the option of using DES or MD5 for the password
> storage?
>
> Am I a little off in my understanding of this?

--
Tony Landells
Senior Network Engineer                 Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd    Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
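Added example, not part of the original message: a pre-migration check that tells the DES and MD5 password fields discussed above apart and recovers the stored salt from each. It assumes the 13-character DES layout (2-character salt carrying the 12 bits) and the `$1$salt$hash` layout of MD5 crypt; the function names and sample entries are constructed for illustration.

```python
import re

# crypt(3) base-64 alphabet: each character carries 6 bits.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MD5_RE = re.compile(r"^\$1\$([^$]{1,8})\$([./0-9A-Za-z]{22})$")

def classify(field):
    """Return (scheme, salt) for one password field."""
    if field == "":
        return ("empty", None)           # no password set at all
    m = MD5_RE.match(field)
    if m:
        return ("md5", m.group(1))       # salt sits between the 2nd and 3rd '$'
    if DES_RE.match(field):
        return ("des", field[:2])        # first two characters are the salt
    return ("locked-or-unknown", None)   # '*', '*LK*', 'NP', other schemes

def des_salt_bits(salt):
    """Decode the 2-character DES salt to its 12-bit integer value."""
    # First character holds the low 6 bits, second the high 6 bits.
    return ALPHABET.index(salt[0]) | (ALPHABET.index(salt[1]) << 6)

def audit(lines):
    """Map user -> (scheme, salt) for colon-separated passwd-style lines."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, rest = line.partition(":")
        report[user] = classify(rest.split(":")[0])
    return report

# Constructed sample entries; the hash strings are made-up placeholders,
# not the real hash of any password.
SAMPLE = [
    "alice:abJnggxhB/yWI:11375::::::",   # /etc/shadow style, DES
    "bob:abQ0k3Lm9sT.z:11375::::::",     # same salt "ab", different hash
    "carol:$1$Xy3kP9aQ$0123456789abcdefghijkl:1001:1001::0:0:Carol:/home/carol:/bin/sh",
    "daemon:*LK*:6445::::::",            # locked account, nothing to migrate
]

if __name__ == "__main__":
    for user, (scheme, salt) in audit(SAMPLE).items():
        print(f"{user:8} {scheme:18} salt={salt}")
```

Entries reported as "des" can be copied between systems that both use DES crypt; "md5" entries only verify on a system whose crypt(3) understands the `$1$` format.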