[tac_plus] Patch for md5 salt in tac_pwd
Brandon Ewing
nicotine at warningg.com
Wed May 4 02:23:33 UTC 2011
Attached patch adds -m option to use an eight-character salt for glibc2
versions of crypt() for stronger salts and MD5 hashing.
This is supported in the actual config file natively, as the entire
encrypted password is passed without checking to the crypt function in
pwlib.c
I reused the existing salt selection code, but run it for more iterations to generate
8 random characters for the salt, and wrap the result in the MD5 salt delimiters.
This eliminates the 8 character limit of DES passwords.
Works on CentOS 5 test platform:
# ./tac_pwd -m
Password to be encrypted: testpass
$1$r6IPCMQG$NLWm8WaXsb.9dUL4FNeUR0
--
Brandon Ewing (nicotine at warningg.com)
-------------- next part --------------
--- tac_pwd.c.orig 2009-07-17 12:34:31.000000000 -0500
+++ tac_pwd.c 2011-05-03 21:16:11.000000000 -0500
@@ -63,10 +63,11 @@
extern int optind;
char *prompt = "Password to be encrypted: ";
int opt_e = 0,
+ use_md5 = 0,
n;
struct termios t;
- while ((n = getopt(argc, argv, "eh")) != EOF) {
+ while ((n = getopt(argc, argv, "ehm")) != EOF) {
switch (n) {
case 'e':
opt_e++;
@@ -75,6 +76,9 @@
usage();
exit(0);
break;
+ case 'm':
+ use_md5 = 1;
+ break;
default:
usage();
exit(1);
@@ -105,42 +109,67 @@
}
if (!salt) {
- int i, r, r1, r2;
+ if (use_md5) {
+ int i, r, r1, r2, r3, r4, r5, r6, r7, r8;
+ r1 = r2 = r3 = r4 = r5 = r6 = r7 = r8 = 0;
+ srand(time(0));
+ for (i = 0; i <= 7; i++) {
+ r = rand();
+ r = r & 127;
+ if (r < 46)
+ r += 46;
+ if (r > 57 && r < 65)
+ r += 7;
+ if (r > 90 && r < 97)
+ r +=6;
+ if (r > 122)
+ r -=5;
+ if (i == 0)
+ r1 = r;
+ if (i == 1)
+ r2 = r;
+ if (i == 2)
+ r3 = r;
+ if (i == 3)
+ r4 = r;
+ if (i == 4)
+ r5 = r;
+ if (i == 5)
+ r6 = r;
+ if (i == 6)
+ r7 = r;
+ if (i == 7)
+ r8 = r;
+ }
+ sprintf(buf, "$1$%c%c%c%c%c%c%c%c$",
+ r1, r2, r3, r4, r5, r6, r7, r8);
+ } else {
+ int i, r, r1, r2;
+ r1 = r2 = 0;
+ srand(time(0));
+ for (i = 0; i <= 1; i++) {
+ r = rand();
+ r = r & 127;
+ if (r < 46)
+ r += 46;
+ if (r > 57 && r < 65)
+ r += 7;
+ if (r > 90 && r < 97)
+ r += 6;
+ if (r > 122)
+ r -= 5;
+ if (i == 0)
+ r1 = r;
+ if (i == 1)
+ r2 = r;
+ }
+ sprintf(buf, "%c%c", r1, r2);
+ }
- r1 = r2 = 0;
+ salt = buf;
+ }
- srand(time(0));
-
- for (i = 0; i <= 1; i++) {
-
- r = rand();
-
- r = r & 127;
-
- if (r < 46)
- r += 46;
-
- if (r > 57 && r < 65)
- r += 7;
-
- if (r > 90 && r < 97)
- r += 6;
-
- if (r > 122)
- r -= 5;
-
- if (i == 0)
- r1 = r;
-
- if (i == 1)
- r2 = r;
- }
-
- sprintf(buf, "%c%c", r1, r2);
- salt = buf;
- }
-
- result = crypt(pass, salt);
+ result = crypt(pass, salt);
write(1, result, strlen(result));
write(1, "\n", 1);
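Review bot: Both salt branches seed `rand()` with `srand(time(0))`, so two hashes generated in the same second get the same salt and the salt can be guessed from the creation time, which undoes much of what the longer MD5 salt is meant to provide. Reading the salt bytes from the kernel's random source and indexing a 64-character table also removes the duplicated `if (i == k)` chains and the bias of the `r & 127` remapping. The new `sprintf` writes 13 bytes including the terminator into `buf`, whose declaration is outside this hunk, so its size needs confirming. `crypt()` can return NULL when the requested scheme is unavailable, yet the result goes straight into `strlen(result)`. The sketch below assumes `<fcntl.h>` is included for `open()`; the enclosing function starts before this hunk.

```c
if (!salt) {
    /* crypt(3) salt alphabet: [./0-9A-Za-z], exactly 64 symbols */
    static const char saltchars[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    unsigned char rnd[8];
    size_t nsalt = use_md5 ? 8 : 2;
    size_t off = 0, i;
    int fd = open("/dev/urandom", O_RDONLY);

    if (fd < 0 || read(fd, rnd, nsalt) != (ssize_t)nsalt) {
        perror("/dev/urandom");
        exit(1);
    }
    close(fd);

    if (use_md5) {
        memcpy(buf, "$1$", 3);
        off = 3;
    }
    for (i = 0; i < nsalt; i++)
        buf[off + i] = saltchars[rnd[i] & 63];
    off += nsalt;
    if (use_md5)
        buf[off++] = '$';
    buf[off] = '\0';    /* at most 13 bytes; buf must be at least that large */
    salt = buf;
}

result = crypt(pass, salt);
if (result == NULL) {
    fprintf(stderr, "crypt() failed for the requested hash type\n");
    exit(1);
}
/* … unchanged: write() of result and trailing newline … */
```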
@@ -153,7 +182,9 @@
{
fprintf(stderr, "Usage: tac_pwd [-eh] [<salt>]\n");
fprintf(stderr, "\t-e\tdo not echo the password\n"
- "\t-h\tdisplay this message\n");
+ "\t-m\tUse an md5 salt (requires glibc2 version of"
+ " crypt)\n"
+ "\t-h\tdisplay this message\n");
return;
}
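Review bot: The synopsis line `Usage: tac_pwd [-eh] [<salt>]` is left unchanged, so the new flag is missing from it; it should read `fprintf(stderr, "Usage: tac_pwd [-ehm] [<salt>]\n");`. From the salt-generation hunk, `use_md5` is only consulted inside `if (!salt)`, so `-m` combined with an explicit `<salt>` argument appears to be silently ignored. The help text could say so, e.g. `"\t-m\tgenerate an MD5 ($1$) salt; ignored when <salt> is given\n"`.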
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20110503/7e7fc4f4/attachment.bin>