Message-ID: <39A36B63.7A5292F9@aracnet.com>
Date: Tue, 22 Aug 2000 23:12:51 -0700
From: D M P
Organization: dmp@aracnet.com
To: Chris Fedde
Cc: freebsd-questions@FreeBSD.ORG
Subject: More questions about passwords [Was: Re: Encrypting a password for insertion using chpass(1)?]
References: <200008210537.e7L5bNj25784@fedde.littleton.co.us>

Chris Fedde wrote:
>
> On Sun, 20 Aug 2000 19:54:25 -0700 D M P wrote:
>  +------------------
>  | I need to synchronize a server's user passwords to those in a database.
>  | The database spits out cleartext passwords.  I have to somehow get
>  | those into the password database on the server.  The first way I came
>  | up with was calling chpass(1) and feeding it the new password, but
>  | according to the man page, it will only take encrypted passwords, not
>  | cleartexts.
>  |
>  | How do I encrypt a password so I can insert it using chpass?
>  |
>  | Is there another way I can do this?
>  +------------------
>
> Sure there is.  You can create unix des style encrypted passwords really
> easy.  Here is perl that does it:
>
>     perl -le 'print crypt("foo", "foo")'
>
> Note that "foo" is used for both the password and the salt.  This technique
> should be at least as secure as keeping the cleartext passwords in a
> database server ;-}

I was looking at the output crypt() produces, and saw that the first
eight characters of the cleartext password are visible between the
second and third $'s.  From reading the assorted docs about how this
works, I'm thinking those eight characters are (forgive the lack of
proper terms) the "key" used for the original password encryption, and
are kept there so that the same key is used every time login checks for
a password match, right?

Assuming that I am right, logic follows that if I generated eight
random characters to use instead, that it would still work, and the
cleartext wouldn't be seen in the cypher.  My question is, how do I
input those characters?  Is that the salt I pass to perl's crypt()?
Can it be any 64-bit value, or does it have to be comprised of the 64
characters mentioned in crypt(3)?

- drano(8) - Clears clogged |'s fast.
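
Added example, not part of the original message or of FreeBSD's own code: a random salt drawn from the 64-character crypt(3) set and passed to Perl's crypt(), then checked the way login does by reusing the salt stored in the hash. It assumes the MD5 `$1$<salt>$` setting format, which matches the `$`-delimited layout the message describes; the helper names and the sample password are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The 64 characters crypt(3) accepts in a salt.
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Return $len salt characters from the kernel random device.
# 256 is a multiple of 64, so "byte % 64" adds no bias.
sub random_salt {
    my ($len) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "open /dev/urandom: $!";
    my $bytes = '';
    my $got = read($fh, $bytes, $len);
    close($fh);
    die "short read from /dev/urandom" unless defined $got && $got == $len;
    return join '', map { $SALT_CHARS[$_ % 64] } unpack('C*', $bytes);
}

# Hash a cleartext password with a fresh salt (hypothetical helper).
# 'md5' builds a "$1$<salt>$" setting (assumed format, see lead-in);
# anything else uses the traditional two-character DES salt.
sub hash_password {
    my ($clear, $scheme) = @_;
    my $setting = $scheme eq 'md5' ? '$1$' . random_salt(8) . '$'
                                   : random_salt(2);
    my $hash = crypt($clear, $setting);
    # A supported scheme echoes the setting at the start of its output.
    die "crypt() does not support scheme '$scheme' on this system"
        unless defined $hash && index($hash, $setting) == 0
            && length($hash) > length($setting);
    return $hash;
}

# Re-run crypt() with the stored hash as the setting, so the salt
# embedded in it is reused, then compare the two strings.
sub check_password {
    my ($clear, $stored) = @_;
    my $again = crypt($clear, $stored);
    return defined $again && $again eq $stored;
}

my $stored = hash_password('example-cleartext', 'md5');   # constructed input
my ($salt) = $stored =~ /^\$1\$([^\$]+)\$/;
print "stored hash : $stored\n";
print "salt field  : $salt\n";
print "right pw ok : ", (check_password('example-cleartext', $stored) ? 'yes' : 'no'), "\n";
print "wrong pw ok : ", (check_password('something-else', $stored) ? 'yes' : 'no'), "\n";
```

The salt field printed between the second and third `$` is the random string, not any part of the password. Both formats used here are legacy; on a current system choose the strongest scheme its crypt(3) manual page documents.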