[tac_plus] Patch for md5 salt in tac_pwd

Brandon Ewing nicotine at warningg.com
Wed May 4 18:28:21 UTC 2011


On Wed, May 04, 2011 at 10:38:44AM -0600, Daniel Schmidt wrote:
> Good idea, tac_pwd has needed an update.  Last I asked, I believe Heasley
> had a good point about compatibility, but I can't remember what it was.
> 
> I wrote a simple python cgi script that outputs long hashes - not sure if
> anybody might find that useful.  Useful only for the truly paranoid who
> think md5 is not strong enough.  Also useful if you just want to send
> your users a URL instead of having them login to type their password.
> Cent5.
> 
> I was going to mess with the salt length but then I got lazy & 8 seemed
> like a good number.  Was also going to have it edit tac_plus.conf but,
> again, lazy. (and busy)  Plz send feedback if: (knowledge_crypto > mine).
> 
> http://pastie.org/1864642
> 

Does Python's crypt module rely on the underlying system library's crypt?
http://docs.python.org/release/2.5.2/lib/module-crypt.html seems to imply
so.

My "man 3 crypt" doesn't mention salts prefixed with $6$ -- see also
http://www.gnu.org/s/hello/manual/libc/crypt.html -- either a two character
salt is used (DES), or a 3 to 8 character salt, prefixed with $1$ and 
optionally terminated with $ (MD5).  You might be on a system that has 
a more robust crypt() than I that supports other encryption options -- but
both the system running your script, and the system with the TACACS daemon
running on it require compatible crypt() functions.

Additionally, for the strongest salt, you should choose randomly from the
full salt character set -- [./a-zA-Z0-9] -- it appears that you are using an
artificially limited salt set, which could make a collision more likely
(two users with the same password and same salt).  Also, smaller salts mean
smaller rainbow tables could be generated to defeat it, but I'm not an
expert on cryptographic attacks and their feasibility.



-- 
Brandon Ewing                                        (nicotine at warningg.com)
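As an added example, not part of this thread or of the tac_plus project, the Python below shows what a hash-generating script like the one discussed above would need to get right to stay compatible with the daemon's crypt(): a salt drawn uniformly from the full [./a-zA-Z0-9] alphabet, the 3 to 8 character MD5 salt length quoted from the libc manual, and a format check for the resulting $1$ string. It deliberately does not call crypt() itself, so it runs on any Python 3 without a platform-dependent crypt module.

```python
import math
import re
import secrets

# Full salt alphabet accepted by crypt(3): [./a-zA-Z0-9], 64 symbols.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Shape of an MD5-crypt result: "$1$", a 3 to 8 character salt, "$",
# then 22 characters of hash output from the same alphabet.
_MD5_CRYPT_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{3,8})\$([./0-9A-Za-z]{22})$")


def make_md5_salt(length=8):
    """Return a '$1$<salt>$' setting string for the MD5 variant of crypt(3).

    Every salt character is chosen with a CSPRNG (secrets) from all 64
    symbols, so an 8-character salt carries the full 48 bits rather than
    the reduced space a hand-picked subset of characters would give.
    """
    if not 3 <= length <= 8:
        raise ValueError("MD5-crypt salts are 3 to 8 characters long")
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(length))
    return "$1$" + salt + "$"


def salt_entropy_bits(alphabet_size, length):
    """Bits of salt entropy: how many distinct salts an attacker must
    precompute tables for (64^8 for a full MD5 salt, 64^2 for DES)."""
    return length * math.log2(alphabet_size)


def is_md5_crypt_hash(value):
    """True if value is syntactically an MD5-crypt string that a daemon
    whose crypt() knows only DES and $1$ could compare against.
    A $6$ (SHA-512) string, for instance, is rejected here."""
    return _MD5_CRYPT_RE.match(value) is not None


def salt_of(value):
    """Extract the salt from an MD5-crypt string, or None if not one."""
    m = _MD5_CRYPT_RE.match(value)
    return m.group(1) if m else None
```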