Date: Wed, 07 Jul 1999 19:41:08 +0800
From: Peter Wemm <peter@netplex.com.au>
To: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
Cc: security@freebsd.org
Subject: Re: Improved libcrypt ready for testing
Message-ID: <19990707114108.58E8E78@overcee.netplex.com.au>
In-Reply-To: Your message of "Wed, 07 Jul 1999 09:08:32 +0930." <Pine.OSF.4.10.9907070905210.30995-100000@bragg>
Kris Kennaway wrote:
> On Wed, 7 Jul 1999, Peter Wemm wrote:
>
> > Say... you wouldn't like to implement an NT-style password hash, would you?
> > *NOT* the LAN-Manager (LAN-damager?) hash with the 2 chunks of 7 characters
> > weak method that gets decoded in what seems like seconds according to
> > bugtraq. The NT hash is 128 character etc. It's also unicode and not case
> > sensitive, but that shouldn't be a problem to implement.
>
> This is worth looking at. Do the password hashes have any distinguishing
> characteristics other than being 128 characters long? I'm wondering how
> they'd be distinguished in the password file, unless we add a $NT$ prefix.
>
> Kris

Looking at /usr/local/private/smbpasswd, samba's NT-style shadow password file:

logname:2004:260AAF5FD661391EAAD3B345B51404EE:E9402F112D1BEC4978F943B55C11EB46:Gecos Username:/home/logname:/usr/local/bin/tcsh

So, I guess this would do:

$NT$260AAF5FD661391EAAD3B345B51404EE$E9402F112D1BEC4978F943B55C11EB46

(This is a real line with the names and hash sufficiently corrupted so nobody
gets ideas about trying to crack it. :-)

Also, we really do need some way to implement plugins that works on both
static and dynamic binaries. I would suggest that for dynamic binaries,
libcrypt would be compiled (ie: #ifdef PIC) to dlopen() the .so files based
on a config file. For static libcrypt, it would have to fork and pipe the
string to a static helper binary that returns the hash from the string. That
way /sbin/init will be able to verify any method for root password when in
non-secure console mode.

I would suggest a /etc/crypt.conf or something that contains the prefix and
both a static and dynamic plugin.

ie:
NT      /usr/lib/pwhash_nt.so     /sbin/_pwhash_nt
1       /usr/lib/pwhash_md5.so    /sbin/_pwhash_md5
2       /usr/lib/pwhash_bfish.so  /sbin/_pwhash_bfish
default /usr/lib/pwhash_des.so    /sbin/_pwhash_des

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
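A small model of the two formats in this message, the smbpasswd line rewritten as the proposed $NT$lm$nt crypt string and the prefix lookup against the proposed /etc/crypt.conf layout. This is an added example, not code from FreeBSD's libcrypt or from Peter; the config contents, the function names and the "first $-delimited field selects the plugin, otherwise default" rule are assumptions.

```python
import re

# Constructed crypt.conf in the layout proposed in the message:
# prefix, dynamic plugin (.so), static helper binary. Paths are the
# ones from the message; the file itself is an assumed design, not a real one.
CRYPT_CONF = """\
NT      /usr/lib/pwhash_nt.so     /sbin/_pwhash_nt
1       /usr/lib/pwhash_md5.so    /sbin/_pwhash_md5
2       /usr/lib/pwhash_bfish.so  /sbin/_pwhash_bfish
default /usr/lib/pwhash_des.so    /sbin/_pwhash_des
"""

# Both smbpasswd hash fields are 16 bytes written as 32 hex digits.
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

def smbpasswd_to_crypt(line):
    """Turn one smbpasswd line (user:uid:LM:NT:...) into $NT$LM$NT."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 4:
        raise ValueError("smbpasswd line needs at least 4 colon fields")
    lm, nt = fields[2], fields[3]
    for h in (lm, nt):
        if not HEX32.match(h):
            raise ValueError("hash field is not 32 hex digits: %r" % h)
    return "$NT$%s$%s" % (lm.upper(), nt.upper())

def parse_crypt_conf(text):
    """Map prefix -> (dynamic plugin path, static helper path)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("bad crypt.conf line: %r" % raw)
        prefix, dyn, static = parts
        table[prefix] = (dyn, static)
    return table

def select_plugin(crypt_string, table, static=False):
    """Pick the plugin for a stored hash by its $prefix$; unknown or
    prefix-less hashes (traditional DES) fall through to 'default'."""
    prefix = "default"
    if crypt_string.startswith("$"):
        parts = crypt_string.split("$", 2)
        if len(parts) == 3 and parts[1] in table:
            prefix = parts[1]
    dyn, helper = table[prefix]
    return helper if static else dyn
```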