Unix Password Encryption Procedures
| Kushal Agarwal 2004-09-27, 5:55 pm |
| Hello,
I know that most Unix machines either use the DES encryption algorithm
or the MD5 encryption algorithm, I am wondering if there is any
flavour of unix which uses the kerberos (or any other) methodology?
Additionally, I know that the function crypt() is able to encrypt using
either the DES or the MD5 algorithm, depending on the salt supplied
with the function. I am curious as to given an encrypted string, is
there any "clean" (via a function(s)) way to determine what method was
used to encrypt the original string. I need to know how the original
string was encrypted so that I can use the same procedure to encrypt
the entered string (so that I may compare the stored and entered
strings).
Thanks,
Kushal
| |
| Bill Marcum 2004-09-27, 5:55 pm |
| On 27 Sep 2004 13:39:48 -0700, Kushal Agarwal
<kushal.agarwal@gmail.com> wrote:
> Additionally, I know that the function crypt() is able to encrypt using
> either the DES or the MD5 algorithm, depending on the salt supplied
> with the function. I am curious as to given an encrypted string, is
> there any "clean" (via a function(s)) way to determine what method was
> used to encrypt the original string. I need to know how the original
> string was encrypted so that I can use the same procedure to encrypt
> the entered string (so that I may compare the stored and entered
> strings).
>
Look for the source code to "crack" or "john the ripper".
--
System Events
=-=-=-=-=-=-=
Sep 16 03:31:11 don kernel: lp0 on fire
| |
| Mike Delaney 2004-09-27, 5:55 pm |
| On 27 Sep 2004 13:39:48 -0700, Kushal Agarwal said something similar to:
:
: I know that most Unix machines either use the DES encryption algorithm
: or the MD5 encryption algorithm, I am wondering if there is any
: flavour of unix which uses the kerberos (or any other) methodology?
Unix _hashes_ passwords, it does not _encrypt_ them. There is no
such thing as the "MD5 encryption algorithm". MD5 is a hash algorithm.
To answer your question, there are (to my knowledge) four password
hashing methods in common use on Unix systems:
* The traditional DES based algorithm.
* An algorithm based on MD5. The use of this algorithm is
  generally denoted by prepending the string "$1$" to the
  salt+hash in /etc/passwd | /etc/shadow. The MD5 algorithm
  is found on most of the *BSD flavors, Linux, and Solaris 9
  (among others).
* An algorithm based on Blowfish. This one is denoted by
  the prepended string "$2a$" in the hash. OpenBSD, some
  Linux distributions (but not all), and Solaris 9 are among
  the systems supporting this algorithm.
* A second MD5 based algorithm, sometimes known as Sun-MD5.
  This is AFAIK only found in Solaris 9.
As to Kerberos, many Linux distributions come with Kerberos implementations,
as do some of the *BSDs. Solaris has been slowly adding more and more
bits of SEAM (Sun's Kerberos implementation) into the OS.
It is, however, not the default on any of these platforms. Someone
has to set up a Kerberos realm and configure the systems to authenticate
against it.
Some administrators have also been known to set up systems to authenticate
via binding against an LDAP directory using PAM or BSD AUTH.
There's also RADIUS, OTP, TACACS, SRP, etc. and so forth.
: Additionally, I know that the function crypt() is able to encrypt using
: either the DES or the MD5 algorithm, depending on the salt supplied
: with the function. I am curious as to given an encrypted string, is
: there any "clean" (via a function(s)) way to determine what method was
: used to encrypt the original string. I need to know how the original
: string was encrypted so that I can use the same procedure to encrypt
: the entered string (so that I may compare the stored and entered
: strings).
If you're just trying to validate passwords against a database of
crypt(3) hashes, simply pass the stored hash you're comparing to
crypt(3) as the salt field and let it figure it out.
If you're trying to write something to authenticate users against whatever
backend mechanism your OS is configured to use, be it traditional passwords,
Kerberos, LDAP, or what have you, then you're going to have to determine what
mechanism your OS uses to verify passwords and use that.
Most Linux and System Vish systems use PAM (Pluggable Authentication
Modules) to allow the administrator to "plug in" arbitrary authentication
methods. On those you'd call PAM and let it worry about the
authentication (obviously I'm grossly oversimplifying here).
The *BSD systems tend to use BSD AUTH for the same purpose (though
some support PAM as well).
| |
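The prefix convention described in the post above, as an added example that is not part of any post in this thread: a small C parser that reports which scheme a stored crypt(3) string uses and how much of it crypt(3) reads as its salt, which is why handing crypt(3) the whole stored hash as the salt argument works. The enum, function names and sample strings are constructed for illustration; Sun-MD5 is reported as unknown because the thread gives no prefix for it.

```c
#include <stdio.h>
#include <string.h>

enum scheme { SCHEME_DES, SCHEME_MD5, SCHEME_BLOWFISH, SCHEME_UNKNOWN };

/* Alphabet used by the traditional DES-based salt+hash. */
static const char DES_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Constructed samples: correct shape only, not hashes of any real password. */
const char SAMPLE_DES[] = "abCDEFGHIJKLM";
const char SAMPLE_MD5[] = "$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA";
const char SAMPLE_BF[]  = "$2a$10$" "SSSSSSSSSSSSSSSSSSSSSS"
                          "HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH";

enum scheme crypt_scheme(const char *stored)
{
    if (strncmp(stored, "$1$", 3) == 0)  return SCHEME_MD5;
    if (strncmp(stored, "$2a$", 4) == 0) return SCHEME_BLOWFISH;
    if (stored[0] == '$')                return SCHEME_UNKNOWN; /* other tagged scheme */
    if (strlen(stored) == 13 && strspn(stored, DES_CHARS) == 13)
        return SCHEME_DES;               /* no tag: 2 salt chars + 11 hash chars */
    return SCHEME_UNKNOWN;               /* anything else, e.g. a locked-account marker */
}

/* Length of the leading part (tag + salt) that crypt(3) reads as its setting;
   the rest is the hash itself, which crypt(3) ignores on input. 0 = unknown. */
size_t crypt_setting_len(const char *stored)
{
    size_t n;
    switch (crypt_scheme(stored)) {
    case SCHEME_DES:      return 2;
    case SCHEME_MD5:      n = strcspn(stored + 3, "$");  /* salt ends at next '$' */
                          return 3 + (n > 8 ? 8 : n);    /* at most 8 salt chars */
    case SCHEME_BLOWFISH: return strlen(stored) >= 29 ? 29 : 0; /* $2a$NN$ + 22 */
    default:              return 0;
    }
}

int main(void)
{
    const char *s[] = { SAMPLE_DES, SAMPLE_MD5, SAMPLE_BF, "*" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-12.12s scheme=%d setting=%.*s\n", s[i], (int)crypt_scheme(s[i]),
               (int)crypt_setting_len(s[i]), s[i]);
    return 0;
}
```

For actual password checks the parser is unnecessary: call crypt(3) with the stored string as the salt and compare the result to the stored string, as the post says.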
| Kushal Agarwal 2004-09-28, 5:56 pm |
| Thanks Mike,
So basically you are saying that crypt should be able to figure out
what algorithm was used, if I just hand it the entire hashed string.
> If you're trying to write something to authenticate users against whatever
> backend mechanism your OS is configured to use, be it traditional passwords,
> Kerberos, LDAP, or what have you, then you're going to have to determine what
> mechanism your OS uses to verify passwords and use that.
>
> Most Linux and System Vish systems use PAM (Pluggable Authentication
> Modules) to allow the administrator to "plug in" arbitrary authentication
> methods. On those you'd call PAM and let it worry about the
> authentication (obviously I'm grossly oversimplifying here).
> The *BSD systems tend to use BSD AUTH for the same purpose (though
> some support PAM as well).
In terms of calling PAM, would I have to create my own module to
authenticate users, or will I be able to use a predefined module?
Thanks,
Kushal
| |
| Casper H.S. Dik 2004-09-28, 5:56 pm |
| kushal.agarwal@gmail.com (Kushal Agarwal) writes:
>So basically you are saying that crypt should be able to figure out
>what algorithm was used, if I just hand it the entire hashed string.
Correct.
>In terms of calling PAM, would I have to create my own module to
>authenticate users, or will I be able to use a predefined module?
If you want different password encryption then you need
to change crypt(). This is why Solaris has a pluggable
crypt implementation; you can define your own algorithms.
Casper
| |
| Kushal Agarwal 2004-09-29, 8:09 pm |
| Casper H.S. Dik <Casper.Dik@Sun.COM> wrote in message news:<4159839e$0$21106$e4fe514c@news.xs4all.nl>...
> kushal.agarwal@gmail.com (Kushal Agarwal) writes:
>
>
> Correct.
>
>
> If you want different password encryption then you need
> to change crypt(). This is why Solaris has a pluggable
> crypt implementation; you can define your own algorithms.
>
> Casper
Thanks Everyone.