help-gnats

Re: Trouble using encrypted passwords


From: David S Gathright
Subject: Re: Trouble using encrypted passwords
Date: Mon, 10 Nov 2003 14:56:08 -0700

Ok, so I'm going to answer my own question here.

Don't ask me why this didn't work earlier, I don't know, but for the
record:

Somehow, the crypt() function generates the same result (encrypted
string) from the same key (raw password) and two different salts. 
Nifty.  

To use DES encryption (instead of MD5 or no encryption), simply generate
passwords using the standard crypt() function.  You can do this in
either C or perl (and I'm sure, in python, if I knew anything about
that).  Here is a command line quickie:

machine% perl -e 'print crypt("password", "salt" ), "\n"'

On my box, this generates the encrypted string: "sa3tHJ3/KuYvI"
Now, testing the black magic that is the crypt function, you should be
able to get the same answer from the crypt function for this key using
this encrypted string as the "salt" value:

machine% perl -e 'print crypt("password", "sa3tHJ3/KuYvI" ), "\n"'

I'm not sure why I was having trouble doing this earlier,
anyway--perhaps we can add this to the perl/python lines in the
documentation showing MD5 password generation?

One could use a more paranoid version that uses a combination of the
process ID and system time to generate the salt value, I suppose:

machine% perl -e 'print crypt("password", time() % 1e6 * $$ ), "\n"'

I'm not sure exactly what this gains, other than perhaps a slightly
"better" encrypted password stored in the user_access file.



On Mon, 2003-11-10 at 14:05, Pankaj K Garg wrote:
> David S Gathright wrote:
> > No, I didn't try that, mostly because I don't have root access on that
> > machine. 
> > 
> > What I guess is most confusing to me is that there are three pieces of
> > information:  the raw password, the salt, and the encrypted password. 
> > Now, in the MD5 scheme, the salt is stored with the encrypted password
> > ($1$salt$enc_password).  However, in the crypt() scheme, there is no
> > specified way to store the key, so, how is that done?
> 
> It's been a while since I did this, but looking at the code, it seems
> that the salt is '$1$', '$2$', etc. Can you try these with the 
> Python/Perl code and see what happens? The source code in gnatsd.c is 
> using the C library function 'crypt' with these salts.
-- 
David S Gathright <address@hidden>
LASP - University of Colorado
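
Added example, not part of the original message or of the GNATS sources: a Perl sketch of why passing the stored string back as the "salt" reproduces it. Traditional DES crypt() reads only the first two characters of its salt argument and emits them as the first two characters of its 13-character result, and it uses only the first eight characters of the password. The helper names are hypothetical, and the script assumes /dev/urandom exists and that the C library still supports DES crypt().

```perl
#!/usr/bin/perl
# Added example; helper names are hypothetical, not taken from GNATS.
use strict;
use warnings;

# Salt alphabet for traditional DES crypt(): 64 characters.
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Two-character salt drawn from the kernel CSPRNG (assumes /dev/urandom).
sub random_salt {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($fh, my $buf, 2) == 2 or die "short read from urandom";
    close($fh);
    # 256 is a multiple of 64, so the modulo introduces no bias.
    return join '', map { $SALT_CHARS[ord($_) % 64] } split //, $buf;
}

# Create a new stored hash; fail loudly if DES crypt() is disabled.
sub hash_password {
    my ($plain) = @_;
    my $hash = crypt($plain, random_salt());
    die "DES crypt() unavailable on this system\n"
        unless defined $hash && length($hash) == 13;
    return $hash;
}

# Verify by handing the stored hash to crypt() as the salt argument:
# crypt() takes the salt from the prefix and ignores the rest.
sub check_password {
    my ($plain, $stored) = @_;
    return 0 unless defined $stored && length($stored) >= 13;
    my $computed = crypt($plain, $stored);
    return 0 unless defined $computed && length($computed) == length($stored);
    my $diff = 0;    # compare every byte rather than stopping at a mismatch
    $diff |= ord(substr($computed, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0 ? 1 : 0;
}

my $stored = 'sa3tHJ3/KuYvI';    # hash quoted in the message above
printf "salt field:              %s\n", substr($stored, 0, 2);
printf "correct password:        %d\n", check_password('password', $stored);
printf "wrong password:          %d\n", check_password('passw0rd', $stored);
# DES crypt() ignores everything after the eighth password character.
printf "8 chars + extra suffix:  %d\n", check_password('passwordEXTRA', $stored);
my $fresh = hash_password('password');
printf "fresh random-salt hash:  %s (verifies: %d)\n",
    $fresh, check_password('password', $fresh);
```

The same check_password() call works for the `$1$salt$enc_password` form mentioned in the quoted text, because crypt() again takes the salt from the prefix of the stored string.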



