[wplug-bsd] Password oddity
bpoyner at ccac.edu
Wed Dec 3 13:38:38 EST 2003
That's basically correct. The old password encryption format for
FreeBSD, and unix in general, was DES. DES is a one way hash that is
only significant to 8 characters. Anything you type after that is
basically ignored by crypt(). The new encryption for FreeBSD and Linux
is MD5 crypt and is significant to 2^64 bits. You can test this by
using a quick perl command.
$ perl -e 'print crypt("This is a test", "AE") . "\n";'
$ perl -e 'print crypt("This is a longer test", "AE") . "\n";'
$ perl -e 'print crypt("This is a test", "\$1\$CrYpTkEy\$") . "\n";'
$ perl -e 'print crypt("This is a much longer test of MD5 crypt",
"\$1\$CrYpTkEy\$") . "\n";'
The first two using the same salt on DES result in the same hash, where
the MD5 hashes are different when using the same salt. The salt in this
case being AE for DES and CrYpTkEy for MD5. You can set the default
encryption to MD5 in /etc/login.conf. Some links on the subject:
Network Engineer II
CCAC - College Office
From: Bill Moran [mailto:wmoran at potentialtech.com]
Sent: Wednesday, December 03, 2003 1:04 PM
To: Benjamin Slavin
Cc: wplug-bsd at wplug.org
Subject: Re: [wplug-bsd] Password oddity
Benjamin Slavin wrote:
> Sorry if I was ambiguous as to what is happening.
> It's not really a problem, but it's a "very strange thing." I can use
> system without any problems, and can login as any user and su to root
> (on the appropriate accounts).
> Say my password is "12345678". When I'm at a login prompt on the
> or via ssh, I can type in 12345678[insert anything here] and still
> (e.g. "12345678935406876846" will be accepted). This can be reproduced
> any non-root user (using the appropriate password). Root for some
> behaves properly (that is, if root's password is 87654321, and
> is entered, login will not happen).
This is going to be an incomplete answer, since I don't know the whole
answer. Hopefully it will provide enough information that you can find
the rest of what you need to know.
FreeBSD is capable of supporting multiple methods of encrypting
in the /etc/master.passwd file. It can actually support multiple
in use simultaneously. The reason for this is to support legacy systems
while also supporting newer (better) encryption.
If you look in the /etc/master.passwd file, the first few characters of
the encrypted password indicate what sort of encryption is being used.
Here's where I don't know details: I can't tell you what character
combinations mean what encryption.
However, I seem to remember some discussions of this problem when
older machines and changing the default encryption scheme. I also seem
remember some discussions of appending extra characters to passwords
you to log on still.
Here's what I suspect (but I could be off-base here):
You created the root account and it was encrypted with a good encryption
scheme. Somewhere along the way, your default encryption scheme was
changed and subsequent users were created with inferior encryption.
These accounts are only able to check that the first part of the password
works, but (somehow) the encryption ignores extra characters.
If I'm right, you should be able to fix your problem by changing your
default encryption to the better technique, and recreating the
Take this with a grain of salt, however, since I'm pulling from memory,
and that's seldom very reliable. I also don't remember how you change
your default encryption scheme (sorry).
Do some google searches, as I'm sure this has come up and been discussed
Hope this is some help.
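Added here as an illustration, not code from either post: a pure-Python MD5-crypt (the "$1$" scheme bpoyner exercises with perl above) so the two long test passwords can be hashed without the system crypt(), plus a classifier for the password field prefixes Bill says he could not recall. The prefixes are the standard modular-crypt identifiers; the function names md5_crypt and hash_scheme are my own.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    # n base-64 digits of v, low 6 bits first, as crypt(3) does
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

def md5_crypt(password, salt):
    # Modular-crypt MD5 ("$1$"): every byte of the password enters the digest,
    # so unlike DES crypt there is no 8-character cutoff.
    pw = password.encode()
    salt = salt.removeprefix("$1$").split("$", 1)[0][:8]   # at most 8 salt chars
    sp = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sp)
    final = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                              # len(pw) bytes of the inner digest
        ctx.update(final[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                                   # one byte per bit of the length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # stretching rounds
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    out = "$1$" + salt + "$"
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    return out + _to64(final[11], 2)

def hash_scheme(field):
    # Classify a master.passwd password field by its leading characters.
    if not field or field.startswith("*"):
        return "none-or-locked"
    for prefix, name in (("$1$", "md5"), ("$2", "blowfish"), ("$5$", "sha256"), ("$6$", "sha512")):
        if field.startswith(prefix):
            return name
    if len(field) == 13 and all(c in ITOA64 for c in field):
        return "des"                           # only the first 8 password chars count
    return "unknown"
```

Running hash_scheme over the second field of each master.passwd line will show which accounts still carry 13-character DES hashes and therefore accept trailing junk after the eighth character.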