Re: Linux security
On Tue, 18 Aug 1998, Steve Lamb wrote:
: On Tue, Aug 18, 1998 at 09:43:13PM -0500, Nathan E Norman wrote:
: > However, let's assume someone grabs a copy of your /etc/passwd file, and
: > you aren't using shadow passwords. All is not lost (yet). See, you
: > can't decrypt the information stored on disk - your plaintext password
: > is encrypted using a one-way hash (the crypt function), and every time
: > you are prompted for your password your INPUT is again encrypted, and
: > compared to the already encrypted version stored on disk.
:
: I thought what happened was that the password entered is used to encrypt
: a string of 0's and the encoded (not encrypted) password is also used to
: encrypt the same string of 0's and if they match the password is correct.
No. The first two characters of the "Encrypted password" field are the
"salt"; the plaintext password collected from login or wherever is
crypted using that salt, and the result compared to the entire field.
The Perl Camel book has a function which demonstrates a simple
implementation of this system.
--
Nathan Norman
MidcoNet 410 South Phillips Avenue Sioux Falls, SD
mailto:finn@midco.net http://www.midco.net
finger finn@home.midco.net for PGP Key: (0xA33B86E9)
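As an added example (not from the thread), the check Nathan describes, in Python: the first two characters of the stored field are the salt, the candidate password is run through crypt(3) with that salt, and the 13-character result is compared against the entire field. It calls the C library's crypt() (through the stdlib module where it still exists, otherwise via ctypes), so it assumes a libcrypt that still offers traditional DES crypt; the passwd line and password are constructed for the demo.

```python
import ctypes
import ctypes.util

def _load_crypt():
    """Return a crypt(word, salt) callable: the stdlib module where it still
    exists, otherwise the C library's crypt() reached through ctypes."""
    try:
        import crypt  # removed from the standard library in Python 3.13
        return crypt.crypt
    except ImportError:
        pass
    lib = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so.1")
    lib.crypt.restype = ctypes.c_char_p
    lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]

    def _crypt(word, salt):
        out = lib.crypt(word.encode(), salt.encode())
        return out.decode() if out else None
    return _crypt

unix_crypt = _load_crypt()

def make_field(password, salt):
    """Build the 13-character passwd field: the 2 salt characters followed by
    11 characters of hash. Raises if this libcrypt no longer offers DES crypt."""
    field = unix_crypt(password, salt)
    if not field or len(field) != 13 or not field.startswith(salt):
        raise RuntimeError("traditional DES crypt not available")
    return field

def check_password(candidate, stored_field):
    """Verify the way login does: take the salt from the stored field, crypt
    the candidate with that salt, and compare the result to the whole field."""
    salt = stored_field[:2]
    return unix_crypt(candidate, salt) == stored_field

def field_for_user(passwd_text, user):
    """Return the password field of the matching /etc/passwd line, else None."""
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) > 1 and parts[0] == user:
            return parts[1]
    return None

# Constructed sample line (not real credentials); salt "ab" chosen for the demo.
SAMPLE_PASSWD = "finn:%s:1000:1000:Nathan:/home/finn:/bin/sh" % make_field("s3cret", "ab")
```

Because the salt is stored in the clear, the same password gives a different field under a different salt, which is why the verifier must reuse the stored salt rather than pick a fresh one; traditional DES crypt also only looks at the first eight characters of the password, one reason it was later replaced by shadow files and stronger hashes.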