
Re: john is weird!



[cc'd to -devel because i see a problem. read on below...]

thus spoke Jeronimo Pellegrini <pellegrini@mpcnet.com.br> [2002.01.16.1709 +0100]:
> > i installed john because i want to enforce strong passwords. i think
> > that's a legit thing to do. however, i don't think john ever did
> > anything. i get these messages *all the time* from all systems i have
> > john on via cron.
> 
> Hmm... Maybe the message shouldn't be sent when no passwords were
> broken.

it's also an error message... i think.

> > even though there are only 14 accounts on this particular one, i doubt
> > that john checks all passwords with 0 guesses and in 1.59 seconds!
> 
> The test done in the cronjob is against a wordlist and information
> gathered from passwd (IIRC). Maybe you could try using a better wordlist...
> (This is particularly important for people outside English-speaking
> countries! ;-)
>
> John may also be used in "incremental mode", but that means it would try
> to break passwords forever (because it never stops). This is not the
> default for the cronjob.

yes, i know that. thanks for being thorough though!

> > this is a vanilla install with the only modification being the line
> >   passfile=/root/.john-passfile
> > 
> > in /etc/john-mail.conf, as instructed in the preceding comment.
> > 
> > what am i doing wrong? or is john just broken?
> 
> The first time I used it, 2 passwords were broken (out of 5!) -- one was
> identical to the username, and the other was an English word followed by
> numbers. Maybe your passwords are just good after all? Try setting an
> account with an easy password and see if john breaks it. You may try
> different "easy" ones if you want to check how hard john is trying to
> break them!

my problem is that the cronjob apparently runs for 1 second. no wait, i
just did it by hand (just like what cron does), and that's 1 minute, 55
seconds. and it does find the easy passwords!

however, and this leads me to another problem. in its default
configuration, john is configured with a wordlist in john.ini (who the
heck named that .ini), it has shells to ignore configured in
/etc/john-mail.conf, but *never* uses any of that information.

in fact, in its default config, all it does is check the passwords with
GECOS information. that's definitely necessary, but pretty useless by
itself!!! it should really do wordlist matching *and* brute force
incremental afterwards.

i think this should be a bug; john is *useless* as it is, and one
wouldn't be expected to modify the package's cron.daily entry, right? at
least this is how i see Debian - there should be a proper conf-file for
that. however, i'd rather not deal with the maintainer again. the last
time was a very negative experience.

your thoughts?

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
one must still have chaos within oneself
to give birth to a dancing star.
                                                          -- nietzsche
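The mail argues that a password check built only on GECOS information is not enough and that a wordlist pass should follow it. As an added illustration (not code from this thread or from the john package), the Python below applies that ordering at the moment a password is chosen, which is where "enforcing strong passwords" actually happens: it derives candidates from the login name and GECOS field, then from a wordlist, stripping the trivial mangling (appended digits, reversal) that caught the "English word followed by numbers" case mentioned above. The wordlist, the shell ignore list (modelled on the one john-mail.conf carries) and the passwd lines are constructed stand-ins, and the function names are this example's own.

```python
import re
from typing import Iterable, Optional

# Constructed stand-in for a wordlist file; a real check would read the
# wordlist john.ini points at rather than hard-code a handful of words.
WORDLIST = ["password", "welcome", "summer", "debian", "secret"]

# Constructed ignore list, analogous to the "shells to ignore" setting in
# /etc/john-mail.conf: accounts with these shells cannot log in interactively.
IGNORE_SHELLS = {"/bin/false", "/usr/sbin/nologin"}


def normalise(s: str) -> str:
    """Lowercase and drop trailing digits/punctuation: 'Secret99!' -> 'secret'.
    This undoes the most common mangling (a word followed by numbers)."""
    return re.sub(r"[\d\W_]+$", "", s.lower())


def gecos_tokens(username: str, gecos: str) -> set[str]:
    """Tokens a GECOS-based check draws on: the login name plus every word
    in the GECOS field (comma-separated: full name, room, phone numbers)."""
    tokens = {username.lower()}
    for field in gecos.split(","):
        for word in re.findall(r"[A-Za-z]+", field):
            tokens.add(word.lower())
    return {t for t in tokens if t}


def weakness(password: str, username: str, gecos: str,
             wordlist: Iterable[str] = WORDLIST) -> Optional[str]:
    """Return a short reason the password is weak, or None if it passes.

    The checks run in the order the mail argues a cron job should:
    1. information derived from the account itself (login name, GECOS),
    2. wordlist entries,
    with appended digits stripped and reversal tried before comparison.
    """
    stem = normalise(password)
    if not stem:
        # Nothing but digits/punctuation: trivially found by brute force
        # (john's incremental mode), so reject it outright.
        return "digits or punctuation only"
    tokens = gecos_tokens(username, gecos)
    if stem in tokens or stem[::-1] in tokens:
        return "derived from login name or GECOS field"
    words = {w.lower() for w in wordlist}
    if stem in words or stem[::-1] in words:
        return "wordlist word (possibly with digits appended or reversed)"
    return None


def check_entry(passwd_line: str, password: str) -> Optional[str]:
    """Parse one passwd(5) line and check a proposed password for that
    account. Accounts whose shell is on the ignore list are skipped, the
    way john-mail.conf's shell list skips them."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd(5) line: %r" % passwd_line)
    username, _, _, _, gecos, _, shell = fields
    if shell in IGNORE_SHELLS:
        return None
    return weakness(password, username, gecos)


if __name__ == "__main__":
    # Constructed passwd lines; the passwords are hypothetical proposals.
    samples = [
        ("jeronimo:x:1000:1000:Jeronimo Pellegrini,,,:/home/jeronimo:/bin/bash", "Pellegrini1"),
        ("bob:x:1001:1001:Bob Smith,,,:/home/bob:/bin/bash", "secret123"),
        ("bob:x:1001:1001:Bob Smith,,,:/home/bob:/bin/bash", "Tr0ub4dor&3"),
        ("daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin", "daemon"),
    ]
    for line, pw in samples:
        print(line.split(":")[0], pw, "->", check_entry(line, pw))
```

The point of running the GECOS-derived check first is cheapness: it needs no wordlist at all, which is why a default cron job might stop there; the second stage is what makes the check worth running, and a digits-only stem is rejected because incremental mode would find it in seconds.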
