[tac_plus] tac_plus login and enable password issue
Daniel Schmidt
daniel.schmidt at wyo.gov
Mon Dec 12 21:38:09 UTC 2011
Good point, for instance, the cgi I threw together uses CRYPT_SHA512 which
typically start with $6$. One need only look at it to create an even
shorter python script to do it. (Not that I claim any great understanding
on the subject)
-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Monday, December 12, 2011 2:22 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] tac_plus login and enable password issue
There is almost no reason left anymore to use DES hashes in tac_plus.conf
- they have become somewhat trivial to crack (tip: hire the cpu grunt to
do it from Amazon...)
The sysadmin has to generate the hashes somehow, I usually use openssl:
"openssl passwd -1"
generates MD5 hashes with a random salt
"openssl passwd -1 -salt xxxxxxxx"
does the same with a given salt (xxxxxxxx)
The -table option prints the hash and entered password, useful for finding
stupid users that enter their password at a username prompt filling your
logs with entries like "invalid user password123"
Many folks don't seem to know how tac_plus uses hashes, so a quick summary
is probably in order:
tac_plus uses the crypt() library in the underlying operating system and
asks it to hash a given password against the hash in tac_plus.conf.
This will of course either succeed or fail. As such, you can transparently
put any hash value you like in tac_plus.conf as long as
crypt() supports it and it will JustWork(tm).
On most modern Linuxes these days blowfish, sha-256 and sha-512 are
supported out of the box. One just needs to read man 3 crypt to find the
methods supported and man openssl to find the option switches to generate
those hashes.
On Mon, 12 Dec 2011 08:38:01 -0700
Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
> Of note, it can be worked around, as I did with a salt in the
> quick/dirty cgi.
>
> This is from the GNU crypt man pages:
>
> GNU EXTENSION
> The glibc2 version of this function has the following additional fea-
> tures. If salt is a character string starting with the three charac-
> ters "$1$" followed by at most eight characters, and optionally termi-
> nated by "$", then instead of using the DES machine, the glibc crypt
> function uses an MD5-based algorithm, and outputs up to 34 bytes,
> namely "$1$$", where "" stands for the up to 8 charac- ters following
> "$1$" in the salt, followed by 22 bytes chosen from the set
> [a-zA-Z0-9./]. The entire key is significant here (instead of only the
> first 8 bytes).
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Friday, December 09, 2011 2:33 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] tac_plus login and enable password issue
>
> On Fri, 9 Dec 2011 16:31:03 +0000
> john heasley <heas at shrubbery.net> wrote:
>
>
> > > This issue already solve with change the enable password with
> > > other password. In my case this happen if i use login password and
> > > enable password with same character from the first and have only 1
> > > different character in the end of password. Maybe des encryption
> > > do not check until the last character.
> >
> > crypt(3) normally only supports a maximum 8 character password.
>
> Of course! That explains everything.
>
> Incidentally, crypt normally accepts up to 10 characters but only uses
> the first 8 for hashing. An password of 11 characters and longer
> causes an error.
>
> That one has caused no end of confusion around here. It's one of those
> bizarre limits that users simply cannot get their wits around.
>
> --
> Alan McKinnnon
> alan.mckinnon at gmail.com
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> E-Mail to and from me, in connection with the transaction of public
> business,is subject to the Wyoming Public Records Act, and may be
> disclosed to third parties.
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
--
Alan McKinnnon
alan.mckinnon at gmail.com
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
E-Mail to and from me, in connection with the transaction
of public business,is subject to the Wyoming Public Records
Act, and may be disclosed to third parties.
More information about the tac_plus
mailing list