Re: crypt() isn't generating a valid md5/shadow password
On Wed, Oct 18, 2000 at 11:33:17PM -0400, Chris Gray wrote:
> On Wed, Oct 18, 2000 at 11:04:32PM -0400, Chris Gray wrote:
> > On Wed, Oct 18, 2000 at 04:48:16PM -0700, Peter Jay Salzman wrote:
> > > sorry, but i'm trying to write some tools for beowulf administration.
> > >
> > > consider the program:
> > > printf("Usage: encrypt salt password\n");
> > > strncpy(password, crypt(argv[1], salt), 49);
> >
> > argv[1] is the salt, not the password. Try fixing this and see what
> > happens.
>
> Replying to myself, the crypt(3) man page also states
>
> The returned value points to the encrypted password, a
> series of 13 printable ASCII characters (the first two
> characters represent the salt itself)
>
> So it makes sense that the salt should start out the password.

Yes, the purpose of the salt is to break dictionaries (i.e., the
knowledge that 'foo' always encrypts to 'xyzzy', to mix magic words).
'foo' can encrypt to '17xyzzy' or '23bar' or lots of other things (an
obscenely large number of other things with MD5: the two-character rule
is for the mutated DES of old crypt()).

Knowledge of the salt doesn't give you anything useful unless you
-happen- to have a dictionary for that salt... not bloody likely with
an 8 character random string. (It shouldn't be '12345678', though: it
should be random, or two users with the same password will encrypt the
same.)
--
CueCat decoder .signature by Larry Wall:
#!/usr/bin/perl -n
printf "Serial: %s Type: %s Code: %s\n", map { tr/a-zA-Z0-9+-/ -_/; $_ = unpack
'u', chr(32 + length()*3/4) . $_; s/\0+$//; $_ ^= "C" x length; } /\.([^.]+)/g;
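Added example, not part of the original thread: one way to build the random 8-character MD5 salt discussed above and to recover the salt from a stored hash so it can be passed back to crypt() when checking a password. The function names `make_md5_salt` and `salt_of` are hypothetical; the code assumes the `$1$` prefix that glibc's crypt() uses to select MD5 and a readable `/dev/urandom`.

```c
#include <stdio.h>
#include <string.h>

/* The 64 characters crypt(3) accepts in a salt. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Write "$1$" + 8 random salt characters + "$" into out (13 bytes needed).
   Returns 0 on success, -1 on a short buffer or no random source. */
int make_md5_salt(char *out, size_t outlen)
{
    unsigned char rnd[8];
    size_t got;
    FILE *f;

    if (outlen < 13) return -1;
    f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    got = fread(rnd, 1, sizeof rnd, f);
    fclose(f);
    if (got != sizeof rnd) return -1;
    memcpy(out, "$1$", 3);
    for (size_t i = 0; i < 8; i++)
        out[3 + i] = SALT_CHARS[rnd[i] & 63];  /* 64 symbols: no modulo bias */
    out[11] = '$';
    out[12] = '\0';
    return 0;
}

/* Copy the salt that starts a stored hash into out. Handles "$1$salt$hash"
   (MD5) and the 13-character DES form. Returns salt length, -1 if malformed. */
int salt_of(const char *stored, char *out, size_t outlen)
{
    size_t n;
    if (strncmp(stored, "$1$", 3) == 0) {
        const char *end = strchr(stored + 3, '$');
        if (!end || end == stored + 3 || end - (stored + 3) > 8) return -1;
        n = (size_t)(end - stored) + 1;        /* keep the closing '$' */
    } else {
        if (stored[0] == '$' || strlen(stored) != 13) return -1;
        n = 2;                                 /* DES: first two characters */
    }
    if (n + 1 > outlen) return -1;
    memcpy(out, stored, n);
    out[n] = '\0';
    return (int)n;
}

int main(void) { char s[13]; return make_md5_salt(s, sizeof s) ? 1 : puts(s) < 0; }
```

The string from `make_md5_salt` goes in as the second argument of crypt(); to verify a login, pass the result of `salt_of` on the stored entry instead and compare crypt()'s output with that entry.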