* Trouble using encrypted passwords
From: David S Gathright @ 2003-11-10 18:33 UTC (permalink / raw)
To: help-gnats
Hi, all.
I'm using a vanilla GNATS 4.0 installation on a Solaris 5.9 box. For
some reason, MD5 encryption isn't working for me, so I'm trying standard
UNIX crypt() encryption. I'm rather perplexed at the statement in
Appendix C of the gnats documentation, which states that "crypt()
passwords can be generated by using standard UNIX passwords tools".
What tools are these (and do you have any examples of how I can use
them)?
I've tried using the UNIX crypt command and both perl and python's crypt
function (which, of course, generate the same answer for the same
password/salt combo, though the crypt command output is just plain
weird).
i.e.:
python -c 'import crypt; print crypt.crypt("password","salt")'
perl -e 'print crypt("password", "salt"), "\n";'
The output from both of these functions looks fine (to my untrained
eye), but when I put this data into the gnatsd.user_access file, GNATS
won't let me in.
I have verified that plaintext passwords work.
Any help you could offer would be greatly appreciated.
DSG
--
David S Gathright <David.Gathright@lasp.colorado.edu>
LASP - University of Colorado
_______________________________________________
Help-gnats mailing list
Help-gnats@gnu.org
http://mail.gnu.org/mailman/listinfo/help-gnats
* Re: Trouble using encrypted passwords
From: Pankaj K Garg @ 2003-11-10 18:48 UTC (permalink / raw)
To: David S Gathright; +Cc: help-gnats
David S Gathright wrote:
> Hi, all.
>
> I'm using a vanilla GNATS 4.0 installation on a Solaris 5.9 box. For
> some reason, MD5 encryption isn't working for me, so I'm trying standard
> UNIX crypt() encryption. I'm rather perplexed at the statement in
> Appendix C of the gnats documentation, which states that "crypt()
> passwords can be generated by using standard UNIX passwords tools".
> What tools are these (and do you have any examples of how I can use
> them)?
Did you try generating the passwords using the 'passwd' command and then
cutting and pasting from /etc/passwd or /etc/shadow?
--
Pankaj K Garg garg@zeesource.net
1684 Nightingale Avenue 408-373-4027 (Voice)
Suite 201 408-733-2737 (Fax)
Sunnyvale, CA 94087
http://www.zeesource.net
* Re: Trouble using encrypted passwords
From: David S Gathright @ 2003-11-10 19:09 UTC (permalink / raw)
To: gargp; +Cc: help-gnats
No, I didn't try that, mostly because I don't have root access on that
machine.
What I guess is most confusing to me is that there are three pieces of
information: the raw password, the salt, and the encrypted password.
Now, in the MD5 scheme, the salt is stored with the encrypted password
($1$salt$enc_password). However, in the crypt() scheme, there is no
specified way to store the key, so, how is that done?
Thanks for the try, though. I can resort to that if needed, but I'd
rather not if there is a simpler way.
DSG
On Mon, 2003-11-10 at 12:38, Pankaj K Garg wrote:
> David S Gathright wrote:
>
> > Hi, all.
> >
> > I'm using a vanilla GNATS 4.0 installation on a Solaris 5.9 box. For
> > some reason, MD5 encryption isn't working for me, so I'm trying standard
> > UNIX crypt() encryption. I'm rather perplexed at the statement in
> > Appendix C of the gnats documentation, which states that "crypt()
> > passwords can be generated by using standard UNIX passwords tools".
> > What tools are these (and do you have any examples of how I can use
> > them)?
>
> Did you try generating the passwords using the 'passwd' command and then
> cutting and pasting from /etc/passwd or /etc/shadow?
--
David S Gathright <David.Gathright@lasp.colorado.edu>
LASP - University of Colorado
* Re: Trouble using encrypted passwords
From: Pankaj K Garg @ 2003-11-10 19:58 UTC (permalink / raw)
To: David S Gathright; +Cc: help-gnats
David S Gathright wrote:
> No, I didn't try that, mostly because I don't have root access on that
> machine.
>
> What I guess is most confusing to me is that there are three pieces of
> information: the raw password, the salt, and the encrypted password.
> Now, in the MD5 scheme, the salt is stored with the encrypted password
> ($1$salt$enc_password). However, in the crypt() scheme, there is no
> specified way to store the key, so, how is that done?
It's been a while since I did this, but looking at the code, it seems
that the salt is '$1$', '$2$', etc. Can you try these with the
Python/Perl code and see what happens? The source code in gnatsd.c is
using the C library function 'crypt' with these salts.
--
Pankaj K Garg garg@zeesource.net
1684 Nightingale Avenue 408-373-4027
Suite 201 408-733-2737(fax)
Sunnyvale, CA 94087
http://www.zeesource.net
* Re: Trouble using encrypted passwords
From: David S Gathright @ 2003-11-10 22:20 UTC (permalink / raw)
To: gargp; +Cc: help-gnats
Ok, so I'm going to answer my own question here.
Don't ask me why this didn't work earlier, I don't know, but for the
record:
Somehow, the crypt() function generates the same result (encrypted
string) from the same key (raw password) and two different salts.
Nifty.
To use DES encryption (instead of MD5 or no encryption), simply generate
passwords using the standard crypt() function. You can do this in
either C or perl (and I'm sure, in python, if I knew anything about
that). Here is a command line quickie:
machine% perl -e 'print crypt("password", "salt" ), "\n"'
On my box, this generates the encrypted string: "sa3tHJ3/KuYvI"
Now, testing the black magic that is the crypt function, you should be
able to get the same answer from the crypt function for this key using
this encrypted string as the "salt" value:
machine% perl -e 'print crypt("password", "sa3tHJ3/KuYvI" ), "\n"'
I'm not sure why I was having trouble doing this earlier,
anyway--perhaps we can add this to the perl/python lines in the
documentation showing MD5 password generation?
One could use a more paranoid version that uses a combination of the
process ID and system time to generate the salt value, I suppose:
machine% perl -e 'print crypt("password", time() % 1e6 * $$ ), "\n"'
I'm not sure exactly what this gains, other than perhaps a slightly
"better" encrypted password stored in the user_access file.
On Mon, 2003-11-10 at 14:05, Pankaj K Garg wrote:
> David S Gathright wrote:
> > No, I didn't try that, mostly because I don't have root access on that
> > machine.
> >
> > What I guess is most confusing to me is that there are three pieces of
> > information: the raw password, the salt, and the encrypted password.
> > Now, in the MD5 scheme, the salt is stored with the encrypted password
> > ($1$salt$enc_password). However, in the crypt() scheme, there is no
> > specified way to store the key, so, how is that done?
>
> It's been a while since I did this, but looking at the code, it seems
> that the salt is '$1$', '$2$', etc. Can you try these with the
> Python/Perl code and see what happens? The source code in gnatsd.c is
> using the C library function 'crypt' with these salts.
--
David S Gathright <David.Gathright@lasp.colorado.edu>
LASP - University of Colorado
* Re: Trouble using encrypted passwords
From: Hans-Albert Schneider @ 2003-11-10 23:54 UTC (permalink / raw)
To: David S Gathright, gargp; +Cc: help-gnats
On Monday, 10 November 2003 22:56, David S Gathright wrote:
[...]
> To use DES encryption (instead of MD5 or no encryption), simply
> generate passwords using the standard crypt() function. You can do
> this in either C or perl (and I'm sure, in python, if I knew
> anything about that). Here is a command line quickie:
>
> machine% perl -e 'print crypt("password", "salt" ), "\n"'
>
> On my box, this generates the encrypted string: "sa3tHJ3/KuYvI"
> Now, testing the black magic that is the crypt function, you should
> be able to get the same answer from the crypt function for this key
> using this encrypted string as the "salt" value:
>
> machine% perl -e 'print crypt("password", "sa3tHJ3/KuYvI" ), "\n"'
The salt is just the first two characters of the second argument. And
it is stored as the first two characters of the result (which is
always 13 characters in length, BTW). So using the encoded password
as the salt always works.
Actually, these characters are a base-64-representation (but not
base64 in the MIME sense) of a hash of the password. So the salt is
really a 12 bit value.
Concerning your "more paranoid version": I do not know what perl does
if the second argument to the crypt() function is not a string. It
may be that it takes the decimal representation of the number. This
would mean that you only will use 90 possible salts (namely,
[1-9][0-9]).
Hans-Albert
--
Hans-Albert Schneider
Munich, Germany
EMail: Hans-Albert@HA-Schneider.de
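Added example, not part of the original thread or of GNATS: a Python sketch of the salt handling discussed above, showing that only the first two characters of the second argument act as the salt and how few salts a numeric argument can yield. It does not call crypt() itself; the function names are hypothetical, and it assumes a numeric argument reaches crypt() as its decimal text.

```python
import secrets
import string

# crypt(3) alphabet: 64 symbols, 6 bits each ('.', '/', 0-9, A-Z, a-z).
ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase


def split_des_crypt(stored):
    """Return (salt, digest) from a 13-character traditional crypt() string."""
    if len(stored) != 13 or any(c not in ALPHABET for c in stored):
        raise ValueError("not a traditional 13-character crypt() string")
    return stored[:2], stored[2:]


def effective_salt(second_arg):
    """Salt actually used: only the first two characters of the argument count."""
    text = str(second_arg)  # assumption: numbers are passed as decimal text
    if len(text) < 2 or any(c not in ALPHABET for c in text[:2]):
        raise ValueError("salt needs two characters from the crypt alphabet")
    return text[:2]


def random_salt():
    """Two characters drawn uniformly from the alphabet: 64 * 64 = 4096 salts."""
    return "".join(secrets.choice(ALPHABET) for _ in range(2))


def numeric_salt_space(times, pids):
    """Distinct salts reachable when the argument is (time % 1e6) * pid."""
    seen = set()
    for t in times:
        for pid in pids:
            product = (t % 1_000_000) * pid
            if product >= 10:  # one-digit products have no second character
                seen.add(effective_salt(product))
    return seen


if __name__ == "__main__":
    salt, digest = split_des_crypt("sa3tHJ3/KuYvI")  # string quoted in the thread
    print("stored salt:", salt, "digest length:", len(digest))
    print("salt used for 'salt':", effective_salt("salt"))
    # Constructed sample ranges for time and process ID.
    print("numeric salts:", len(numeric_salt_space(range(1, 200), range(1, 200))))
    print("full salt space:", len(ALPHABET) ** 2, "example:", random_salt())
```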