
Re: Linux security



On Tue, 18 Aug 1998, Steve Lamb wrote:

 : On Tue, Aug 18, 1998 at 09:43:13PM -0500, Nathan E Norman wrote:
 : > However, let's assume someone grabs a copy of your /etc/passwd file, and
 : > you aren't using shadow passwords.  All is not lost (yet).  See, you
 : > can't decrypt the information stored on disk - your plaintext password
 : > is encrypted using a one-way hash (the crypt function), and every time
 : > you are prompted for your password your INPUT is again encrypted, and
 : > compared to the already encrypted version stored on disk.
 : 
 :     I thought what happened was that the password entered is used to encrypt
 : a string of 0's and the encoded (not encrypted) password is also used to
 : encrypt the same string of 0's and if they match the password is correct.

No.  The first two characters of the "Encrypted password" field are the
"salt"; the plaintext password collected from login or wherever is
crypted using that salt, and the result compared to the entire field.

The Perl Camel book has a function which demonstrates a simple
implementation of this system.

--
Nathan Norman
MidcoNet  410 South Phillips Avenue  Sioux Falls, SD
mailto:finn@midco.net           http://www.midco.net
finger finn@home.midco.net for PGP Key: (0xA33B86E9)
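The check described in the reply above, as an added example that is not part of the original post and is not the Camel book's function: Perl's built-in crypt calls the system crypt(3), so with a two-character salt this produces the traditional 13-character field. The user name, password and passwd line are constructed for illustration. It also goes one step past the text: passing the whole stored field as the "salt" argument lets the same comparison work for modern $id$-prefixed hashes, since crypt(3) reads the salt from the prefix.

```perl
#!/usr/bin/perl
# Added example, not code from the original post. Names, the sample
# user and the password are assumptions made for illustration.
use strict;
use warnings;

# "Account creation": pick a two-character salt from the 64-character
# crypt alphabet and store crypt(plaintext, salt). The salt is not hidden;
# it is simply the first two characters of the stored field.
my @alphabet = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

sub make_entry {
    my ($plain) = @_;
    my $salt = join '', map { $alphabet[ rand @alphabet ] } 1 .. 2;
    return crypt($plain, $salt);
}

# "Login": take the salt from the stored field, crypt the candidate with
# it, and compare the result to the entire stored field. Nothing is ever
# decrypted; only the one-way result is compared.
sub check_password {
    my ($stored, $candidate) = @_;
    my $salt = substr($stored, 0, 2);
    return crypt($candidate, $salt) eq $stored;
}

# Generalised form: crypt(3) parses the salt (and, for $id$ hashes, the
# method and rounds) out of whatever prefix it is given, so handing it the
# whole stored field works for traditional DES crypt and for modern
# $1$/$5$/$6$ fields alike.
sub check_password_any {
    my ($stored, $candidate) = @_;
    return crypt($candidate, $stored) eq $stored;
}

# Constructed, non-shadowed /etc/passwd-style line for the scenario.
# (Traditional DES crypt only looks at the first 8 characters of the
# password, hence the 8-character sample.)
my $stored      = make_entry('s3cret!x');
my $passwd_line = join ':', 'alice', $stored, 1000, 1000,
                            'Alice', '/home/alice', '/bin/sh';
my ($user, $field) = (split /:/, $passwd_line)[0, 1];

printf "%s stored field: %s (salt '%s')\n", $user, $field, substr($field, 0, 2);
printf "correct password -> %s\n",
    check_password($field, 's3cret!x') ? 'accepted' : 'rejected';
printf "wrong password   -> %s\n",
    check_password($field, 'guess') ? 'accepted' : 'rejected';
printf "generalised check-> %s\n",
    check_password_any($field, 's3cret!x') ? 'accepted' : 'rejected';

# Why the salt matters when /etc/passwd is stolen: the same password
# crypted under two salts gives two different fields, so a table of
# crypt(word, "aa") precomputed over a wordlist is useless against an
# entry whose salt is "zz".
printf "same password, salt 'aa': %s\n", crypt('s3cret!x', 'aa');
printf "same password, salt 'zz': %s\n", crypt('s3cret!x', 'zz');
```

Run it with a system whose crypt(3) still supports the traditional DES form (glibc does). The comparison uses the whole field, as the reply says, and the two-salt output at the end shows why stealing a non-shadowed passwd file does not hand over passwords but does enable an offline guessing attack per salt.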


