[tac_plus] Patch for md5 salt in tac_pwd

Daniel Schmidt daniel.schmidt at wyo.gov
Wed May 4 16:38:44 UTC 2011


Good idea, tac_pwd has needed an update.  Last I asked, I believe Heasley
had a good point about compatibility, but I can't remember what it was.

I wrote a simple python cgi script that outputs long hashes - not sure if
anybody might find that useful.  Useful only for the truly paranoid who
think md5 is not strong enough.  Also useful if you just want to send
your users a URL instead of having them login to type their password.
Cent5.

I was going to mess with the salt length but then I got lazy & 8 seemed
like a good number.  Was also going to have it edit tac_plus.conf but,
again, lazy. (and busy)  Plz send feedback if: (knowledge_crypto > mine).

http://pastie.org/1864642

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Brandon Ewing
Sent: Tuesday, May 03, 2011 8:24 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Patch for md5 salt in tac_pwd

Attached patch adds a -m option that uses an eight-character salt with the
glibc2 version of crypt(), giving stronger salts and MD5 hashing.

This is supported in the actual config file natively, as the entire
encrypted password is passed without checking to the crypt function in
pwlib.c

I re-used the existing salt selection code, but repeat it longer to
generate 8 random characters for the salt, wrapping it in the MD5 salt
delimiters.

This eliminates the 8 character limit of DES passwords.

Works on CentOS 5 test platform:

# ./tac_pwd -m
Password to be encrypted: testpass
$1$r6IPCMQG$NLWm8WaXsb.9dUL4FNeUR0

-- 
Brandon Ewing
(nicotine at warningg.com)
-------------- next part --------------
--- tac_pwd.c.orig	2009-07-17 12:34:31.000000000 -0500
+++ tac_pwd.c	2011-05-03 21:16:11.000000000 -0500
@@ -63,10 +63,11 @@
     extern int		optind;
     char		*prompt = "Password to be encrypted: ";
     int			opt_e = 0,
+                use_md5 = 0,
 			n;
     struct termios	t;

-    while ((n = getopt(argc, argv, "eh")) != EOF) {
+    while ((n = getopt(argc, argv, "ehm")) != EOF) {
 	switch (n) {
 	case 'e':
 	    opt_e++;
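Review bot: The added `use_md5 = 0,` line is indented with spaces while the declarations around it (`opt_e = 0,` and `n;`) use tabs, so the patch mixes indentation styles inside one declaration list. The same applies to the new `case 'm':` block in the next hunk and to the rewritten salt code in the third hunk, including the re-indented `result = crypt(pass, salt);` line, which shows up as a spurious whitespace change. Matching the file's tab indentation would keep the diff limited to the functional change. The enclosing function starts before this hunk.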
@@ -75,6 +76,9 @@
 	    usage();
 	    exit(0);
 	    break;
+    case 'm':
+        use_md5 = 1;
+        break;
 	default:
 	    usage();
 	    exit(1);
@@ -105,42 +109,67 @@
     }

     if (!salt) {
-	int i, r, r1, r2;
+        if (use_md5) {
+            int i, r, r1, r2, r3, r4, r5, r6, r7, r8;
+            r1 = r2 = r3 = r4 = r5 = r6 = r7 = r8 = 0;
+            srand(time(0));
+            for (i = 0; i <= 7; i++) {
+                r = rand();
+                r = r & 127;
+                if (r < 46)
+                    r += 46;
+                if (r > 57 && r < 65)
+                    r += 7;
+                if (r > 90 && r < 97)
+                    r +=6;
+                if (r > 122)
+                    r -=5;
+                if (i == 0)
+                    r1 = r;
+                if (i == 1)
+                    r2 = r;
+                if (i == 2)
+                    r3 = r;
+                if (i == 3)
+                    r4 = r;
+                if (i == 4)
+                    r5 = r;
+                if (i == 5)
+                    r6 = r;
+                if (i == 6)
+                    r7 = r;
+                if (i == 7)
+                    r8 = r;
+            }
+            sprintf(buf, "$1$%c%c%c%c%c%c%c%c$",
+                r1, r2, r3, r4, r5, r6, r7, r8);
+        } else {
+            int i, r, r1, r2;
+            r1 = r2 = 0;
+            srand(time(0));
+            for (i = 0; i <= 1; i++) {
+                r = rand();
+                r = r & 127;
+                if (r < 46)
+                    r += 46;
+                if (r > 57 && r < 65)
+                    r += 7;
+                if (r > 90 && r < 97)
+                    r += 6;
+                if (r > 122)
+                    r -= 5;
+                if (i == 0)
+                r1 = r;
+                if (i == 1)
+                r2 = r;
+            }
+            sprintf(buf, "%c%c", r1, r2);
+        }

-	r1 = r2 = 0;
+        salt = buf;
+        }

-	srand(time(0));
-
-	for (i = 0; i <= 1; i++) {
-
-	    r = rand();
-
-	    r = r & 127;
-
-	    if (r < 46)
-		r += 46;
-
-	    if (r > 57 && r < 65)
-		r += 7;
-
-	    if (r > 90 && r < 97)
-		r += 6;
-
-	    if (r > 122)
-		r -= 5;
-
-	    if (i == 0)
-		r1 = r;
-
-	    if (i == 1)
-		r2 = r;
-	}
-
-	sprintf(buf, "%c%c", r1, r2);
-	salt = buf;
-    }
-
-    result = crypt(pass, salt);
+        result = crypt(pass, salt);

     write(1, result, strlen(result));
     write(1, "\n", 1);
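Review bot: The `sprintf(buf, "$1$%c%c%c%c%c%c%c%c$", ...)` at the end of the new `use_md5` branch writes 12 characters plus the terminator into `buf`, whose declaration is outside this hunk and which the old code only ever filled with a two-character DES salt; unless that declaration was also enlarged to at least 13 bytes, this is a stack buffer overflow, and `snprintf(buf, sizeof buf, ...)` with a length check (assuming `buf` is an array) would make the bound explicit. The `result = crypt(pass, salt);` line is re-indented but still unchecked: crypt() can return NULL when it rejects a setting string, and since `$1$` support is exactly what the new option depends on, the `strlen(result)` on the next line should be guarded by `if (!result) { perror("crypt"); exit(1); }`. The eight-character salt is drawn from `srand(time(0))`/`rand()`, so two passwords hashed in the same second get the same salt and the salt is guessable from the timestamp; reading the salt bytes from `/dev/urandom` would be the usual fix. The two branches also duplicate the character-mapping loop with eight and two hand-named `rN` variables; a single loop over a `char` array, sketched below, removes the duplication while keeping the same mapping into `[./0-9A-Za-z]`. The enclosing function (presumably main) starts before this hunk and continues after it.
```c
    if (!salt) {
        int i, r, nchars = use_md5 ? 8 : 2;
        char chars[8];

        srand(time(0));              /* TODO: seed from /dev/urandom instead */
        for (i = 0; i < nchars; i++) {
            r = rand() & 127;        /* same mapping into [./0-9A-Za-z] as before */
            if (r < 46)
                r += 46;
            if (r > 57 && r < 65)
                r += 7;
            if (r > 90 && r < 97)
                r += 6;
            if (r > 122)
                r -= 5;
            chars[i] = (char)r;
        }
        if (use_md5)
            n = snprintf(buf, sizeof buf, "$1$%.8s$", chars);
        else
            n = snprintf(buf, sizeof buf, "%.2s", chars);
        if (n < 0 || (size_t)n >= sizeof buf) {
            fprintf(stderr, "salt buffer too small\n");
            exit(1);
        }
        salt = buf;
    }

    result = crypt(pass, salt);
    if (!result) {
        perror("crypt");
        exit(1);
    }
    /* … unchanged: write(1, result, …) and the trailing newline … */
```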
@@ -153,7 +182,9 @@
 {
     fprintf(stderr, "Usage: tac_pwd [-eh] [<salt>]\n");
     fprintf(stderr, "\t-e\tdo not echo the password\n"
-		    "\t-h\tdisplay this message\n");
+        "\t-m\tUse an md5 salt (requires glibc2 version of"
+        " crypt)\n"
+        "\t-h\tdisplay this message\n");

     return;
 }
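Review bot: The usage banner on the first context line still reads `"Usage: tac_pwd [-eh] [<salt>]\n"` even though the help text below it now documents `-m`, so the synopsis and the option list disagree; change it to `fprintf(stderr, "Usage: tac_pwd [-ehm] [<salt>]\n");`. Listing `-m` between `-e` and `-h` also breaks the alphabetical order of the existing entries; placing it after `-h` would match. The usage() function's signature is outside this hunk.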