* Trouble using encrypted passwords
From: David S Gathright @ 2003-11-10 18:33 UTC
To: help-gnats

Hi, all.

I'm using a vanilla GNATS 4.0 installation on a Solaris 5.9 box. For
some reason, MD5 encryption isn't working for me, so I'm trying standard
UNIX crypt() encryption. I'm rather perplexed at the statement in
Appendix C of the gnats documentation, which states that "crypt()
passwords can be generated by using standard UNIX passwords tools".
What tools are these (and do you have any examples of how I can use
them)?

I've tried using the UNIX crypt command and both perl and python's crypt
function (which, of course, generate the same answer for the same
password/salt combo, though the crypt command output is just plain
weird). i.e.:

    python -c 'import crypt; print crypt.crypt("password","salt")'
    perl -e 'print crypt("password", "salt"), "\n";'

The output from both of these functions looks fine (to my untrained
eye), but when I put this data into the gnatsd.user_access file, GNATS
won't let me in. I have verified that plaintext passwords work.

Any help you could offer would be greatly appreciated.

DSG

-- 
David S Gathright <David.Gathright@lasp.colorado.edu>
LASP - University of Colorado

_______________________________________________
Help-gnats mailing list
Help-gnats@gnu.org
http://mail.gnu.org/mailman/listinfo/help-gnats

* Re: Trouble using encrypted passwords
From: Pankaj K Garg @ 2003-11-10 18:48 UTC
To: David S Gathright; +Cc: help-gnats

David S Gathright wrote:

> Hi, all.
>
> I'm using a vanilla GNATS 4.0 installation on a Solaris 5.9 box. For
> some reason, MD5 encryption isn't working for me, so I'm trying standard
> UNIX crypt() encryption. I'm rather perplexed at the statement in
> Appendix C of the gnats documentation, which states that "crypt()
> passwords can be generated by using standard UNIX passwords tools".
> What tools are these (and do you have any examples of how I can use
> them)?

Did you try generating the passwords using the 'passwd' command and then
cutting and pasting from /etc/passwd or /etc/shadow?

-- 
Pankaj K Garg                   garg@zeesource.net
1684 Nightingale Avenue         408-373-4027 (Voice)
Suite 201                       408-733-2737 (Fax)
Sunnyvale, CA 94087             http://www.zeesource.net

* Re: Trouble using encrypted passwords
From: David S Gathright @ 2003-11-10 19:09 UTC
To: gargp; +Cc: help-gnats

No, I didn't try that, mostly because I don't have root access on that
machine.

What I guess is most confusing to me is that there are three pieces of
information: the raw password, the salt, and the encrypted password.
Now, in the MD5 scheme, the salt is stored with the encrypted password
($1$salt$enc_password). However, in the crypt() scheme, there is no
specified way to store the key, so, how is that done?

Thanks for the try, though. I can resort to that if needed, but I'd
rather not if there is a simpler way.

DSG

On Mon, 2003-11-10 at 12:38, Pankaj K Garg wrote:
> David S Gathright wrote:
>
> > Hi, all.
> >
> > I'm using a vanilla GNATS 4.0 installation on a Solaris 5.9 box. For
> > some reason, MD5 encryption isn't working for me, so I'm trying standard
> > UNIX crypt() encryption. I'm rather perplexed at the statement in
> > Appendix C of the gnats documentation, which states that "crypt()
> > passwords can be generated by using standard UNIX passwords tools".
> > What tools are these (and do you have any examples of how I can use
> > them)?
>
> Did you try generating the passwords using the 'passwd' command and then
> cutting and pasting from /etc/passwd or /etc/shadow?

-- 
David S Gathright <David.Gathright@lasp.colorado.edu>
LASP - University of Colorado

* Re: Trouble using encrypted passwords
From: Pankaj K Garg @ 2003-11-10 19:58 UTC
To: David S Gathright; +Cc: help-gnats

David S Gathright wrote:
> No, I didn't try that, mostly because I don't have root access on that
> machine.
>
> What I guess is most confusing to me is that there are three pieces of
> information: the raw password, the salt, and the encrypted password.
> Now, in the MD5 scheme, the salt is stored with the encrypted password
> ($1$salt$enc_password). However, in the crypt() scheme, there is no
> specified way to store the key, so, how is that done?

It's been a while since I did this, but looking at the code, it seems
that the salt is '$1$', '$2$', etc. Can you try these with the
Python/Perl code and see what happens? The source code in gnatsd.c is
using the C library function 'crypt' with these salts.

-- 
Pankaj K Garg                   garg@zeesource.net
1684 Nightingale Avenue         408-373-4027
Suite 201                       408-733-2737(fax)
Sunnyvale, CA 94087             http://www.zeesource.net

* Re: Trouble using encrypted passwords
From: David S Gathright @ 2003-11-10 22:20 UTC
To: gargp; +Cc: help-gnats

Ok, so I'm going to answer my own question here. Don't ask me why this
didn't work earlier, I don't know, but for the record:

Somehow, the crypt() function generates the same result (encrypted
string) from the same key (raw password) and two different salts.
Nifty.

To use DES encryption (instead of MD5 or no encryption), simply generate
passwords using the standard crypt() function. You can do this in
either C or perl (and I'm sure, in python, if I knew anything about
that). Here is a command line quickie:

    machine% perl -e 'print crypt("password", "salt" ), "\n"'

On my box, this generates the encrypted string: "sa3tHJ3/KuYvI"
Now, testing the black magic that is the crypt function, you should be
able to get the same answer from the crypt function for this key using
this encrypted string as the "salt" value:

    machine% perl -e 'print crypt("password", "sa3tHJ3/KuYvI" ), "\n"'

I'm not sure why I was having trouble doing this earlier, anyway--perhaps
we can add this to the perl/python lines in the documentation showing
MD5 password generation?

One could use a more paranoid version that uses a combination of the
process ID and system time to generate the salt value, I suppose:

    machine% perl -e 'print crypt("password", time() % 1e6 * $$ ), "\n"'

I'm not sure exactly what this gains, other than perhaps a slightly
"better" encrypted password stored in the user_access file.

On Mon, 2003-11-10 at 14:05, Pankaj K Garg wrote:
> David S Gathright wrote:
> > No, I didn't try that, mostly because I don't have root access on that
> > machine.
> >
> > What I guess is most confusing to me is that there are three pieces of
> > information: the raw password, the salt, and the encrypted password.
> > Now, in the MD5 scheme, the salt is stored with the encrypted password
> > ($1$salt$enc_password). However, in the crypt() scheme, there is no
> > specified way to store the key, so, how is that done?
>
> It's been a while since I did this, but looking at the code, it seems
> that the salt is '$1$', '$2$', etc. Can you try these with the
> Python/Perl code and see what happens? The source code in gnatsd.c is
> using the C library function 'crypt' with these salts.

-- 
David S Gathright <David.Gathright@lasp.colorado.edu>
LASP - University of Colorado

* Re: Trouble using encrypted passwords
From: Hans-Albert Schneider @ 2003-11-10 23:54 UTC
To: David S Gathright, gargp; +Cc: help-gnats

On Monday, 10 November 2003 22:56, David S Gathright wrote:
[...]
> To use DES encryption (instead of MD5 or no encryption), simply
> generate passwords using the standard crypt() function. You can do
> this in either C or perl (and I'm sure, in python, if I knew
> anything about that). Here is a command line quickie:
>
> machine% perl -e 'print crypt("password", "salt" ), "\n"'
>
> On my box, this generates the encrypted string: "sa3tHJ3/KuYvI"
> Now, testing the black magic that is the crypt function, you should
> be able to get the same answer from the crypt function for this key
> using this encrypted string as the "salt" value:
>
> machine% perl -e 'print crypt("password", "sa3tHJ3/KuYvI" ), "\n"'

The salt is just the first two characters of the second argument.
And it is stored as the first two characters of the result (which is
always 13 characters in length, BTW). So using the encoded password
as the salt always works.

Actually, these characters are a base-64-representation (but not
base64 in the MIME sense) of a hash of the password. So the salt is
really a 12 bit value.

Concerning your "more paranoid version": I do not know what perl does
if the second argument to the crypt() function is not a string. It
may be that it takes the decimal representation of the number. This
would mean that you only will use 90 possible salts (namely,
[1-9][0-9]).

Hans-Albert

-- 
Hans-Albert Schneider
Munich, Germany
EMail: Hans-Albert@HA-Schneider.de
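
The following Python sketch is an added example, not code from the thread or from GNATS. It splits the 13-character crypt() string quoted above into salt and hash, decodes the two salt characters to their 12-bit value, and counts how many distinct salts the numeric "paranoid" expression can yield compared with a salt drawn from the full 64-character alphabet. The time and PID ranges are constructed sample values, and the code assumes the number reaches crypt() as its decimal string, as the last reply supposes.

```python
import secrets

# Traditional crypt(3) alphabet: 64 characters, 6 bits each.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def split_des_crypt(stored):
    """Split a 13-character traditional crypt() string into (salt, hash)."""
    if len(stored) != 13 or any(c not in CRYPT_ALPHABET for c in stored):
        raise ValueError("not a traditional DES crypt() string")
    return stored[:2], stored[2:]


def salt_value(salt):
    """Decode the first two characters to the 12-bit salt.

    The first character supplies the low 6 bits, as in common libc code.
    """
    lo, hi = (CRYPT_ALPHABET.index(c) for c in salt[:2])
    return lo | (hi << 6)


def random_salt():
    """Draw a salt uniformly from all 64 * 64 = 4096 possibilities."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(2))


def numeric_salts(times, pids):
    """Salts seen by crypt() when handed the decimal string of (time % 1e6) * pid."""
    seen = set()
    for t in times:
        for pid in pids:
            digits = str((t % 1000000) * pid)
            if len(digits) >= 2:
                seen.add(digits[:2])  # only the first two characters are used
    return seen


if __name__ == "__main__":
    salt, digest = split_des_crypt("sa3tHJ3/KuYvI")  # value quoted in the thread
    print(salt, digest, salt_value(salt))
    # Constructed sample ranges of epoch seconds and process IDs.
    weak = numeric_salts(range(1068500000, 1068500500), range(100, 400))
    print(len(weak), "distinct numeric salts out of", len(CRYPT_ALPHABET) ** 2)
    print("random salt:", random_salt())
```
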