Subject: Re: [MORE] Passwords database
From: Alexander Leidinger (Alexander Leidinger.net)
Date: Sat Feb 05 2000 - 06:36:14 CST
- Next message: Garance A Drosihn: "Re: yet another idea about /etc/security"
- Previous message: Igor Roshchin: "Re: Short /etc/security addition"
- In reply to: Andrew Otwell: "Re: [MORE] Passwords database"
- Next in thread: Stuart Henderson: "Re: [MORE] Passwords database"
- Next in thread: Spidey: "Re: [MORE] Passwords database"
- Reply: Alexander Leidinger: "Re: [MORE] Passwords database"
- Reply: Stuart Henderson: "Re: [MORE] Passwords database"
On 4 Feb, Andrew Otwell wrote:

> What if the user changes their password via "passwd "?

It stays at the same encryption. If the password was hashed with MD5 the
new one will also be MD5, if it was DES the new one will also be DES.

> I understood that after you installed DES, then all passwords would be
> DES upon the next user password change. I'd love to be incorrect on this

No, if the passwd in /etc/master.passwd is prefixed with "$1$" the
passwd has to be hashed with MD5. You can't prefix the DES-passwd with
$1$ and wait until the user uses passwd. The user isn't able to login
anymore after the addition of $1$ because the system thinks it's an
MD5-hash. You have to change the corresponding passwd immediately.

If you add a new user, his passwd uses DES, not MD5. You have to add the
$1$ to the passwd-entry to use an MD5-hash.

> one. Please yank and put some dummy examples - before and after. Please
> DO NOT use root's account and a passwd user as this will not apply to a
> 3000+ user system.

Sorry, but I didn't know of a simple solution for a 3000+ user system,
you have to wait until someone has developed a solution (perhaps in
4.1? There was some discussion about it in -current).
Until then you have to use e.g. vipw and change /etc/master.passwd.

Examples:

---snip---(everything DES)
root:sdfjpgoaer_DES_sdfsdf.:0:0::0:0:Charlie &:/root:/bin/csh
dummyuser:sdfjk45_DES_hiop:234:346::0:0:Dummy:/somewhere:/some_sh
---snip---

Now use e.g. vipw to prefix the encrypted passwd with "$1$" (here:
dummyuser) and let root change the passwd for this user (here: "passwd
dummyuser").
It should look like this:

---snip---(MD5 for dummyuser)
root:sdfjpgoaer_DES_sdfsdf.:0:0::0:0:Charlie &:/root:/bin/csh
dummyuser:$1$dfklkj_MD5_sdf5rz:234:346::0:0:Dummy:/somewhere:/some_sh
---snip---

If you have changed every passwd and you add a new user (here: newuser)
his passwd will be a DES one.

---snip---(MD5 for root+dummyuser, adding a new user with "adduser")
root:$1$asdtz_MD5_sdft$FSD:0:0::0:0:Charlie &:/root:/bin/csh
dummyuser:$1$dfklkj_MD5_sdf5rz:234:346::0:0:Dummy:/somewhere:/some_sh
newuser:sdfjkl_DES_rtfhSD4:345:243::0:0:New:/anywhere:/other_sh
---snip---

You have to change to MD5 like above (or you have to remove the descrypt
libs and correct the symlink, but you aren't able to use DES anymore if
you do it this way).

Bye,
Alexander.
--
We put the "k" in "kwality"
http://www.Leidinger.net Alexander+Home Leidinger.net
Key fingerprint = 7423 F3E6 3A7E B334 A9CC B10A 1F5F 130A A638 6E7E

To Unsubscribe: send mail to majordomo FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
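
An audit sketch for the many-user case raised in the message above, added here as an example and not part of the original post: it reads a copy of a master.passwd-format file and reports which accounts are still DES, using the "$1$" prefix rule the message describes. The function names, the constructed sample entries, and the handling of "*" entries and other "$" prefixes are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify master.passwd-format entries by password field.
# Per the message: "$1$" prefix = MD5, no prefix = DES.
# Assumptions of this example: "*..." = locked/no password, any other
# "$..." prefix = some other scheme, and 10 colon-separated fields per entry.

classify_hashes() {   # usage: classify_hashes FILE  -> "user scheme" lines
    awk -F: '
        /^#/ || NF == 0 { next }                        # comments, blank lines
        NF != 10        { print $1, "malformed"; next } # hand-edit slip
        {
            pw = $2
            if      (pw == "")                  scheme = "empty"
            else if (substr(pw, 1, 1) == "*")   scheme = "locked"
            else if (substr(pw, 1, 3) == "$1$") scheme = "md5"
            else if (substr(pw, 1, 1) == "$")   scheme = "other"
            else                                scheme = "des"
            print $1, scheme
        }' "$1"
}

des_users() {         # usage: des_users FILE  -> names still needing a change
    classify_hashes "$1" | awk '$2 == "des" { print $1 }'
}

write_sample() {      # constructed sample data, modelled on the dummy entries
    cat > "$1" <<'EOF'
root:$1$asdtz_MD5_sdft$FSD:0:0::0:0:Charlie &:/root:/bin/csh
dummyuser:$1$dfklkj_MD5_sdf5rz:234:346::0:0:Dummy:/somewhere:/some_sh
newuser:sdfjkl_DES_rtfhSD4:345:243::0:0:New:/anywhere:/other_sh
lockeduser:*:400:400::0:0:Locked:/nonexistent:/usr/sbin/nologin
baduser:sdfjkl_DES_x:401:401:::0:0:Bad:/anywhere:/other_sh
EOF
}

# Demo run on the constructed sample; point the functions at a root-only
# copy of the real file to audit a live system.
sample=$(mktemp)
write_sample "$sample"
classify_hashes "$sample"
echo "still DES: $(des_users "$sample")"
rm -f "$sample"
```

The "malformed" result flags entries with the wrong number of fields, which are easy to introduce when prefixing hashes by hand in an editor.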