[wplug-bsd] Password oddity

Poyner, Brandon bpoyner at ccac.edu
Wed Dec 3 13:38:38 EST 2003


That's basically correct.  The old password encryption format for
FreeBSD, and unix in general, was DES.  DES is a one way hash that is
only significant to 8 characters.  Anything you type after that is
basically ignored by crypt().  The new encryption for FreeBSD and Linux
is MD5 crypt and is significant to 2^64 bits.  You can test this by
using a quick perl command.

$ perl -e 'print crypt("This is a test", "AE") . "\n";'
AEAlIOdyiQo7k
$ perl -e 'print crypt("This is a longer test", "AE") . "\n";'
AEAlIOdyiQo7k
$ perl -e 'print crypt("This is a test", "\$1\$CrYpTkEy\$") . "\n";'
$1$CrYpTkEy$uNogKULJt.dJHxbSQK1Qu0
$ perl -e 'print crypt("This is a much longer test of MD5 crypt", "\$1\$CrYpTkEy\$") . "\n";'
$1$CrYpTkEy$qxCHF81XCR77DxqTrz00J1

The first two using the same salt on DES result in the same hash, where
the MD5 hashes are different when using the same salt.  The salt in this
case being AE for DES and CrYpTkEy for MD5.  You can set the default
encryption to MD5 in /etc/login.conf.  Some links on the subject:

http://www.usenix.org/events/usenix99/provos/provos_html/node10.html

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html

Brandon Poyner
Network Engineer II
CCAC - College Office
412-237-3086
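The hash prefix Bill mentions below (the first characters of the password field in /etc/master.passwd) and the 8-character DES limit Brandon demonstrates above can be combined into a quick audit. The following Python script is an added example, not code from either poster or from FreeBSD: it parses constructed master.passwd-style lines (the two hashes are the ones printed in the perl session; the user names are made up), classifies each hash by its modular-crypt-format prefix, and flags accounts whose scheme only checks a prefix of the password, which is exactly the "extra characters still log in" symptom from the original question.

```python
"""Audit master.passwd-style entries for legacy DES crypt hashes.

Added example, not from the original thread.  Classifies each password
hash by its prefix and reports how many characters of the password the
scheme actually checks: traditional DES crypt() uses only the first 8.
"""
import re

# Modular crypt format prefixes.  Traditional DES has no '$' prefix: it is
# a 13-character string of [./0-9A-Za-z] (2 salt chars + 11 hash chars).
MCF_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Only DES truncates the password; the other schemes hash the whole string.
SIGNIFICANT_CHARS = {"des": 8}


def classify_hash(pw_hash):
    """Return the scheme name for one password-field value."""
    if pw_hash == "":
        return "empty"                      # no password required at all
    if pw_hash[0] in "*!":
        return "locked"                     # '*' / '!' never match crypt()
    for prefix, name in MCF_PREFIXES.items():
        if pw_hash.startswith(prefix):
            return name
    if DES_RE.match(pw_hash):
        return "des"
    return "unknown"


def parse_master_passwd(text):
    """Return [(user, scheme, significant_chars)] for each entry.

    master.passwd fields:
    name:password:uid:gid:class:change:expire:gecos:home:shell
    significant_chars is None when the whole password is checked.
    """
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 10:
            continue                        # malformed line, skip it
        user, pw_hash = fields[0], fields[1]
        scheme = classify_hash(pw_hash)
        rows.append((user, scheme, SIGNIFICANT_CHARS.get(scheme)))
    return rows


def find_truncating_accounts(text):
    """Users whose hash scheme ignores part of the typed password."""
    return [u for u, _scheme, sig in parse_master_passwd(text) if sig is not None]


# Constructed sample file; the hashes are the ones printed in the thread.
SAMPLE = """\
root:$1$CrYpTkEy$uNogKULJt.dJHxbSQK1Qu0:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:AEAlIOdyiQo7k:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$CrYpTkEy$qxCHF81XCR77DxqTrz00J1:1002:1002::0:0:Bob:/home/bob:/bin/sh
"""

if __name__ == "__main__":
    for user, scheme, sig in parse_master_passwd(SAMPLE):
        limit = f"first {sig} chars only" if sig else "full password"
        print(f"{user:8} {scheme:12} {limit}")
    print("accounts to re-hash:", find_truncating_accounts(SAMPLE))
```

On a real system you would feed it the output of `cat /etc/master.passwd` as root; every account listed by `find_truncating_accounts` is one where the stored hash was created under the DES scheme and should have its password reset after the default in /etc/login.conf has been switched to MD5 (or a stronger scheme).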


-----Original Message-----
From: Bill Moran [mailto:wmoran at potentialtech.com] 
Sent: Wednesday, December 03, 2003 1:04 PM
To: Benjamin Slavin
Cc: wplug-bsd at wplug.org
Subject: Re: [wplug-bsd] Password oddity


Benjamin Slavin wrote:
> Sorry if I was ambiguous as to what is happening.
> 
> It's not really a problem, but it's a "very strange thing." I can use my
> system without any problems, and can login as any user and su to root
> (on the appropriate accounts).
> 
> Say my password is "12345678". When I'm at a login prompt on the console
> or via ssh, I can type in 12345678[insert anything here] and still login
> (eg "12345678935406876846" will be accepted). This can be reproduced for
> any non-root user (using the appropriate password). Root for some reason
> behaves properly (that is, if root's password is 87654321, and 876543210
> is entered, login will not happen).

This is going to be an incomplete answer, since I don't know the whole
answer.  Hopefully it will provide enough information that you can find
the rest of what you need to know.

FreeBSD is capable of supporting multiple methods of encrypting passwords
in the /etc/master.passwd file.  It can actually support multiple methods
in use simultaneously.  The reason for this is to support legacy systems
while also supporting newer (better) encryption.

If you look in the /etc/master.passwd file, the first few characters of
the encrypted password indicate what sort of encryption is being used.
Here's where I don't know details: I can't tell you what character
combinations mean what encryption.

However, I seem to remember some discussions of this problem when upgrading
older machines and changing the default encryption scheme.  I also seem to
remember some discussions of appending extra characters to passwords allowing
you to log on still.

Here's what I suspect (but I could be off-base here):
You created the root account and it was encrypted with a good encryption
scheme.  Somewhere along the way, your default encryption scheme was
changed and subsequent users were created with inferior encryption.
These accounts are only able to check that the first part of the password
works, but (somehow) the encryption ignores extra characters.

If I'm right, you should be able to fix your problem by changing your
default encryption to the better technique, and recreating the passwords.

Take this with a grain of salt, however, since I'm pulling from memory,
and that's seldom very reliable.  I also don't remember how you change
your default encryption scheme (sorry).

Do some google searches, as I'm sure this has come up and been discussed
elsewhere.

Hope this is some help.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com

_______________________________________________
wplug-bsd mailing list
wplug-bsd at wplug.org
http://www.wplug.org/mailman/listinfo/wplug-bsd
