Linux crypt(3)

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Linux crypt(3)

Adam Wysocki
Hi misc,

I'm migrating one of my servers from Linux to OpenBSD and I need a method
to authenticate users based on passwords treated with Linux crypt()
function. Passwords are encrypted with salted DES, without glibc2
extensions. For example:

$ htpasswd -nbd test test
test:MbfD9Vq5SL5aE

Where "Mb" is a random salt and the rest is encrypted password.

As OpenBSD crypt() function differs from the one in Linux libc and returns
NULL for setting "Mb", before I start porting it from libc, maybe you have
an easier solution? Maybe there is a library I can use (different than
whole bloated Linux libc)?

Kind regards.

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"

Reply | Threaded
Open this post in threaded view
|

Re: Linux crypt(3)

Adam Wolk-2
On Sat, 17 Oct 2015 12:31:59 +0200 (CEST)
Adam Wysocki <[hidden email]> wrote:

> Hi misc,
>
> I'm migrating one of my servers from Linux to OpenBSD and I need a
> method to authenticate users based on passwords treated with Linux
> crypt() function. Passwords are encrypted with salted DES, without
> glibc2 extensions. For example:
>
> $ htpasswd -nbd test test
> test:MbfD9Vq5SL5aE
>
> Where "Mb" is a random salt and the rest is encrypted password.
>
> As OpenBSD crypt() function differs from the one in Linux libc and
> returns NULL for setting "Mb", before I start porting it from libc,
> maybe you have an easier solution? Maybe there is a library I can use
> (different than whole bloated Linux libc)?
>
> Kind regards.
>

Don't know if it works out for you but you could generate ssh keys for
existing accounts and allow users to access the new system using that
provided ssh key & set the passwords themselves (or just keep using key
auth and disabling passwords :)).

Reply | Threaded
Open this post in threaded view
|

Re: Linux crypt(3)

Ted Unangst-6
In reply to this post by Adam Wysocki
Adam Wysocki wrote:
> As OpenBSD crypt() function differs from the one in Linux libc and returns
> NULL for setting "Mb", before I start porting it from libc, maybe you have
> an easier solution? Maybe there is a library I can use (different than
> whole bloated Linux libc)?

run john the ripper to crack all their passwords, then create bcrypt hashes
for them? i'm only half kidding. des crypt should have been retired ages ago.

Reply | Threaded
Open this post in threaded view
|

Re: Linux crypt(3)

Stuart Henderson
On 2015-10-17, Ted Unangst <[hidden email]> wrote:
> Adam Wysocki wrote:
>> As OpenBSD crypt() function differs from the one in Linux libc and returns
>> NULL for setting "Mb", before I start porting it from libc, maybe you have
>> an easier solution? Maybe there is a library I can use (different than
>> whole bloated Linux libc)?
>
> run john the ripper to crack all their passwords, then create bcrypt hashes
> for them? i'm only half kidding. des crypt should have been retired ages ago.

They can't be more than 8 chars so even if you have to brute-force them
it shouldn't take that long. Only problem is that you can't be sure you
got the original password, it might be something else that produces the
same crypted value. Still, it's fairly likely that they will be obvious
(at least they have been when I've used this method).

Reply | Threaded
Open this post in threaded view
|

Re: Linux crypt(3)

Theo de Raadt
> On 2015-10-17, Ted Unangst <[hidden email]> wrote:
> > Adam Wysocki wrote:
> >> As OpenBSD crypt() function differs from the one in Linux libc and returns
> >> NULL for setting "Mb", before I start porting it from libc, maybe you have
> >> an easier solution? Maybe there is a library I can use (different than
> >> whole bloated Linux libc)?
> >
> > run john the ripper to crack all their passwords, then create bcrypt hashes
> > for them? i'm only half kidding. des crypt should have been retired ages ago.
>
> They can't be more than 8 chars so even if you have to brute-force them
> it shouldn't take that long. Only problem is that you can't be sure you
> got the original password, it might be something else that produces the
> same crypted value. Still, it's fairly likely that they will be obvious
> (at least they have been when I've used this method).

those old hashes are so wimpy and unsafe, you could go do this job on
just about any cloud infrastructure.  it is not like you are adding much
additional risk.

such unsafe hashes can only be used in strongly isolated networks.

in which case, you could post them to the mailing list, lots of people
here have extra compute cycles.

ok, now the joke has gone too far.

or is the real joke DES in 2015?

Reply | Threaded
Open this post in threaded view
|

Re: Linux crypt(3)

Devin Reade
In reply to this post by Adam Wysocki
> On Oct 17, 2015, at 04:31, Adam Wysocki <[hidden email]> wrote:
>
> Hi misc,
>
> I'm migrating one of my servers from Linux to OpenBSD and I need a method
> to authenticate users based on passwords treated with Linux crypt()
> function. Passwords are encrypted with salted DES, without glibc2
> extensions. For example:
>
> $ htpasswd -nbd test test
> test:MbfD9Vq5SL5aE

As you're looking into solutions, make sure you're looking at the right
problem. Your text sounds like you're migrating system account passwords, but
htpasswd is usually used for web server credentials. I've not seen a Linux
system use traditional crypt in quite a few years; they're usually salted MD5
hashes.

Devin

Reply | Threaded
Open this post in threaded view
|

Re: Linux crypt(3)

Adam Wysocki
Thank you for all the replies!

On Sat, 17 Oct 2015, Devin Reade wrote:

> As you're looking into solutions, make sure you're looking at the right
> problem. Your text sounds like you're migrating system account passwords,

I'm not. These are passwords for the news server. Users are authenticated
using ckpasswd, which uses crypt().

On Sat, 17 Oct 2015, Adam Wolk wrote:

> Don't know if it works out for you but you could generate ssh keys for
> existing accounts and allow users to access the new system using that
> provided ssh key & set the passwords themselves (or just keep using key
> auth and disabling passwords :)).

I don't want to force users to do anything, I want this change to be
transparent to them...

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"

Reply | Threaded
Open this post in threaded view
|

Re: Linux crypt(3)

Adam Van Ymeren
Could you modify the existing linux system to also output a suitable
bcrypt hash for their password the next time they log in.

Leave that running for a while, and then migrate?  This way most
active users will have their password migrated for them.  The
remainder can probably afford to reset their password since they're
not using the system very often.

On Mon, Oct 19, 2015 at 7:38 AM, Adam Wysocki <[hidden email]> wrote:

> Thank you for all the replies!
>
> On Sat, 17 Oct 2015, Devin Reade wrote:
>
>> As you're looking into solutions, make sure you're looking at the right
>> problem. Your text sounds like you're migrating system account passwords,
>
> I'm not. These are passwords for the news server. Users are authenticated
> using ckpasswd, which uses crypt().
>
> On Sat, 17 Oct 2015, Adam Wolk wrote:
>
>> Don't know if it works out for you but you could generate ssh keys for
>> existing accounts and allow users to access the new system using that
>> provided ssh key & set the passwords themselves (or just keep using key
>> auth and disabling passwords :)).
>
> I don't want to force users to do anything, I want this change to be
> transparent to them...
>
> --
> "qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"

Reply | Threaded
Open this post in threaded view
|

Re: Linux crypt(3)

Adam Wysocki
On Mon, 19 Oct 2015, Adam Van Ymeren wrote:

> Could you modify the existing linux system to also output a suitable
> bcrypt hash for their password the next time they log in.

Yes, that's the great idea. It didn't cross my mind before. Thank you!

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"