Trouble using encrypted passwords

Trouble using encrypted passwords

[David S Gathright]

Hi, all.

I'm using a vanilla GNATS 4.0 installation on a Solaris 5.9 box.  For
some reason, MD5 encryption isn't working for me, so I'm trying standard
UNIX crypt() encryption.  I'm rather perplexed at the statement in
Appendix C of the gnats documentation, which states that "crypt()
passwords can be generated by using standard UNIX passwords tools". 
What tools are these (and do you have any examples of how I can use
them)?

I've tried using the UNIX crypt command and both perl and python's crypt
function (which, of course, generate the same answer for the same
password/salt combo, though the crypt command output is just plain
weird).

i.e.:
python -c 'import crypt; print crypt.crypt("password","salt")'
perl -e 'print crypt("password", "salt"), "\n";'

The output from both of these functions looks fine (to my untrained
eye), but when I put this data into the gnatsd.user_access file, GNATS
won't let me in.

I have verified that plaintext passwords work.

Any help you could offer would be greatly appreciated.

DSG

-- 
David S Gathright <David.Gathright@lasp.colorado.edu>
LASP - University of Colorado


_______________________________________________
Help-gnats mailing list
Help-gnats@gnu.org
http://mail.gnu.org/mailman/listinfo/help-gnats

Re: Trouble using encrypted passwords

[Pankaj K Garg]

David S Gathright wrote:

> Hi, all.
> 
> I'm using a vanilla GNATS 4.0 installation on a Solaris 5.9 box.  For
> some reason, MD5 encryption isn't working for me, so I'm trying standard
> UNIX crypt() encryption.  I'm rather perplexed at the statement in
> Appendix C of the gnats documentation, which states that "crypt()
> passwords can be generated by using standard UNIX passwords tools". 
> What tools are these (and do you have any examples of how I can use
> them)?

Did you try generating the passwords using the 'passwd' command and then 
cuting and pasting from /etc/passwd or /etc/shadow?

-- 
Pankaj K Garg                         garg@zeesource.net
1684 Nightingale Avenue               408-373-4027 (Voice)
Suite 201                             408-733-2737 (Fax)
Sunnyvale, CA 94087

		http://www.zeesource.net



_______________________________________________
Help-gnats mailing list
Help-gnats@gnu.org
http://mail.gnu.org/mailman/listinfo/help-gnats

Re: Trouble using encrypted passwords

[David S Gathright]

No, I didn't try that, mostly because I don't have root access on that
machine. 

What I guess is most confusing to me is that there are three pieces of
information:  the raw password, the salt, and the encrypted password. 
Now, in the MD5 scheme, the salt is stored with the encrypted password
($1$salt$enc_password).  However, in the crypt() scheme, there is no
specified way to store the key, so, how is that done?

Thanks for the try, though.  I can resort to that if needed, but I'd
rather not if there is a simpler way.

DSG

On Mon, 2003-11-10 at 12:38, Pankaj K Garg wrote:
> David S Gathright wrote:
> 
> > Hi, all.
> > 
> > I'm using a vanilla GNATS 4.0 installation on a Solaris 5.9 box.  For
> > some reason, MD5 encryption isn't working for me, so I'm trying standard
> > UNIX crypt() encryption.  I'm rather perplexed at the statement in
> > Appendix C of the gnats documentation, which states that "crypt()
> > passwords can be generated by using standard UNIX passwords tools". 
> > What tools are these (and do you have any examples of how I can use
> > them)?
> 
> Did you try generating the passwords using the 'passwd' command and then 
> cuting and pasting from /etc/passwd or /etc/shadow?
-- 
David S Gathright <David.Gathright@lasp.colorado.edu>
LASP - University of Colorado


_______________________________________________
Help-gnats mailing list
Help-gnats@gnu.org
http://mail.gnu.org/mailman/listinfo/help-gnats

Re: Trouble using encrypted passwords

[Pankaj K Garg]

David S Gathright wrote:
> No, I didn't try that, mostly because I don't have root access on that
> machine. 
> 
> What I guess is most confusing to me is that there are three pieces of
> information:  the raw password, the salt, and the encrypted password. 
> Now, in the MD5 scheme, the salt is stored with the encrypted password
> ($1$salt$enc_password).  However, in the crypt() scheme, there is no
> specified way to store the key, so, how is that done?

Its been a while since I did this, but looking at the code, it seems 
that the salt is '$1$', '$2$', etc. Can you try these with the 
Python/Perl code and see what happens? The source code in gnatsd.c is 
using the C library function 'crypt' with these salts.


-- 
Pankaj K Garg                         garg@zeesource.net
1684 Nightingale Avenue               408-373-4027
Suite 201                             408-733-2737(fax)
Sunnyvale, CA 94087

		http://www.zeesource.net




_______________________________________________
Help-gnats mailing list
Help-gnats@gnu.org
http://mail.gnu.org/mailman/listinfo/help-gnats

Re: Trouble using encrypted passwords

[David S Gathright]

Ok, so I'm going to answer my own question here.

Don't ask me why this didn't work earlier, I don't know, but for the
record:

Somehow, the crypt() function generates the same result (encrypted
string) from the same key (raw password) and two different salts. 
Nifty.  

To use DES encryption (instead of MD5 or no encryption), simply generate
passwords using the standard crypt() function.  You can do this in
either C or perl (and I'm sure, in python, if I knew anything about
that).  Here is a command line quickie:

machine% perl -e 'print crypt("password", "salt" ), "\n"'

On my box, this generates the encrypted string: "sa3tHJ3/KuYvI"
Now, testing the black magic that is the crypt function, you should be
able to get the same answer from the crypt function for this key using
this encrypted string as the "salt" value:

machine% perl -e 'print crypt("password", "sa3tHJ3/KuYvI" ), "\n"'

I'm not sure why I was having trouble doing this earlier,
anyway--perhaps we can add this to the perl/python lines in the
documentation showing MD5 password generation?

One could use a more paranoid version that uses a combination of the
process ID and system time to generate the salt value, I suppose:

machine% perl -e 'print crypt("password", time() % 1e6 * $$ ), "\n"'

I'm not sure exactly what this gains, other than perhaps a slightly
"better" encrypted password stored in the user_access file.



On Mon, 2003-11-10 at 14:05, Pankaj K Garg wrote:
> David S Gathright wrote:
> > No, I didn't try that, mostly because I don't have root access on that
> > machine. 
> > 
> > What I guess is most confusing to me is that there are three pieces of
> > information:  the raw password, the salt, and the encrypted password. 
> > Now, in the MD5 scheme, the salt is stored with the encrypted password
> > ($1$salt$enc_password).  However, in the crypt() scheme, there is no
> > specified way to store the key, so, how is that done?
> 
> Its been a while since I did this, but looking at the code, it seems 
> that the salt is '$1$', '$2$', etc. Can you try these with the 
> Python/Perl code and see what happens? The source code in gnatsd.c is 
> using the C library function 'crypt' with these salts.
-- 
David S Gathright <David.Gathright@lasp.colorado.edu>
LASP - University of Colorado


_______________________________________________
Help-gnats mailing list
Help-gnats@gnu.org
http://mail.gnu.org/mailman/listinfo/help-gnats

Re: Trouble using encrypted passwords

[Hans-Albert Schneider]

Am Montag, 10. November 2003 22:56 schrieb David S Gathright:
[...]
> To use DES encryption (instead of MD5 or no encryption), simply
> generate passwords using the standard crypt() function.  You can do
> this in either C or perl (and I'm sure, in python, if I knew
> anything about that).  Here is a command line quickie:
>
> machine% perl -e 'print crypt("password", "salt" ), "\n"'
>
> On my box, this generates the encrypted string: "sa3tHJ3/KuYvI"
> Now, testing the black magic that is the crypt function, you should
> be able to get the same answer from the crypt function for this key
> using this encrypted string as the "salt" value:
>
> machine% perl -e 'print crypt("password", "sa3tHJ3/KuYvI" ), "\n"'

The salt is just the first two characters of the second argument.  And 
it is stored as the first two characters of the result (which is 
always 13 characters in length, BTW).  So using the encoded password 
as the salt always works.
Actually, these characters are a base-64-representation (but not 
base64 in the MIME sense) of a hash of the password. So the salt is 
really a 12 bit value.

Concerning your "more paranoid version": I do not know what perl does 
if the second argument to the crypt() function is not a string.  It 
may be that it takes the decimal representation of the number. This 
would mean that you only will use 90 possible salts (namely, 
[1-9][0-9]).


Hans-Albert

-- 
Hans-Albert Schneider
Munich, Germany
EMail: Hans-Albert@HA-Schneider.de


_______________________________________________
Help-gnats mailing list
Help-gnats@gnu.org
http://mail.gnu.org/mailman/listinfo/help-gnats