Options for dealing with DES crypt password file

Options for dealing with DES crypt password file

Jeff Zimmerman
I've got an old server (OpenBSD 4.7 old) with a mixed bag of password hashes in master.passwd. A majority of the passwords (hundreds) are old salted DES crypt format.


Am I correct in my research that everything but Blowfish was removed from crypt() around OpenBSD 5.7? Are there any workarounds for me using the old DES password hashes, or do we need to 'passwd <user>' for hundreds of users?

Re: Options for dealing with DES crypt password file

Theo de Raadt-2
> I've got an old server (OpenBSD 4.7 old) with a mixed bag of password hashes
> in master.passwd. A majority of the passwords (hundreds) are old salted
> DES crypt format.

Bummer.

> Am I correct in my research that everything but Blowfish was removed from
> crypt() around OpenBSD 5.7? Are there any workarounds for me using the old
> DES password hashes, or do we need to 'passwd <user>' for hundreds of users?

There are no workarounds.  The hashes cannot be reversed to make new
passwords, and the legacy methods are removed intentionally because they
are super weak.

You've been running that on the internet?  The shame!

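An added example (not code from the thread or from OpenBSD) for sizing the job described above: it reads a master.passwd(5)-shaped file, classifies each password field by crypt(3) scheme, and lists the accounts whose hashes a bcrypt-only crypt() will no longer verify, i.e. the ones that need `passwd <user>`. The sample entries are constructed and the hash strings are placeholders of the right shape, not real hashes.

```python
import re

# Traditional DES crypt: 2-char salt + 11-char hash, all from [./0-9A-Za-z], no '$' prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field):
    """Name the crypt(3) scheme used by one master.passwd password field."""
    if field == "":
        return "empty"        # no password at all: worse than DES
    if field.startswith("*"):
        return "locked"       # password login disabled; nothing to migrate
    if field.startswith("$2a$") or field.startswith("$2b$"):
        return "bcrypt"       # the only scheme the new crypt() still accepts
    if field.startswith("$1$"):
        return "md5crypt"     # legacy, removed along with DES
    if field.startswith("_"):
        return "ext-des"      # BSDi extended DES, legacy
    if DES_RE.match(field):
        return "des"
    return "unknown"

def parse_master_passwd(text):
    """Yield (user, hash_field) per entry; master.passwd lines have 10 colon-separated fields."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError("malformed entry: %r" % line)
        yield fields[0], fields[1]

def audit(text):
    """Map each user to the scheme of its stored hash."""
    return {user: classify_hash(h) for user, h in parse_master_passwd(text)}

def users_needing_reset(text):
    """Accounts whose hash cannot be verified any more; each one needs 'passwd <user>'."""
    keep = {"bcrypt", "locked"}
    return sorted(u for u, scheme in audit(text).items() if scheme not in keep)

# Constructed sample file (placeholder hashes, not real ones).
SAMPLE = "\n".join([
    "root:$2b$08$" + "A" * 53 + ":0:0:daemon:0:0:Charlie &:/root:/bin/ksh",
    "daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin",
    "alice:ab0123456789.:1001:1001:staff:0:0:Alice:/home/alice:/bin/ksh",
    "bob:$1$saltsalt$" + "A" * 22 + ":1002:1002:staff:0:0:Bob:/home/bob:/bin/ksh",
    "carol::1003:1003:staff:0:0:Carol:/home/carol:/bin/ksh",
])

if __name__ == "__main__":
    for user in users_needing_reset(SAMPLE):
        print("passwd", user)
```

The empty-password case is reported separately from DES because it is a finding in its own right, not merely a migration item.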

Re: Options for dealing with DES crypt password file

Jeff Zimmerman
I know, I'm ashamed to say that yes, this machine has been running (behind a restrictive firewall) for all of these years.


I was hoping that there was some hidden switch somewhere that would turn the classic crypt back on. No such luck.


But thank you for the quick response. I've been using OpenBSD for a lot of years and really appreciate your efforts Theo, and the efforts of everyone associated with the project.

________________________________
From: Theo de Raadt <[hidden email]>
Sent: Thursday, January 11, 2018 12:29:59 PM
To: Jeff Zimmerman
Cc: [hidden email]
Subject: Re: Options for dealing with DES crypt password file

Re: Options for dealing with DES crypt password file

Theo de Raadt-2
> I was hoping that there was some hidden switch somewhere that would turn
> the classic crypt back on. No such luck.

That'd be like leaving a running chainsaw on the floor at a daycare center.

When something is dangerous, we get rid of it.


Re: Options for dealing with DES crypt password file

Jeff Zimmerman
I completely understand. The running chainsaw analogy is pretty accurate here. OpenBSD is as secure as it is because you all remove as many chainsaws as possible. We needed to update those hashes anyway someday. I just wasn't expecting that day to be today.


Thanks again!

________________________________
From: Theo de Raadt <[hidden email]>
Sent: Thursday, January 11, 2018 12:49:33 PM
To: Jeff Zimmerman
Cc: [hidden email]
Subject: Re: Options for dealing with DES crypt password file

Re: Options for dealing with DES crypt password file

Consus-2
In reply to this post by Jeff Zimmerman
On 18:27 Thu 11 Jan, Jeff Zimmerman wrote:
> I've got an old server (OpenBSD 4.7 old) with a mixed bag of password
> hashes in master.passwd. A majority of the passwords (hundreds) are
> old salted DES crypt format.
>
> Am I correct in my research that everything but Blowfish was removed
> from crypt() around OpenBSD 5.7? Are there any workarounds for me
> using the old DES password hashes, or do we need to 'passwd <user>'
> for hundreds of users?

Use LDAP already.


Re: Options for dealing with DES crypt password file

Eric Furman-3
On Thu, Jan 11, 2018, at 3:42 PM, Consus wrote:

> On 18:27 Thu 11 Jan, Jeff Zimmerman wrote:
> > I've got an old server (OpenBSD 4.7 old) with a mixed bag of password
> > hashes in master.passwd. A majority of the passwords (hundreds) are
> > old salted DES crypt format.
> >
> > Am I correct in my research that everything but Blowfish was removed
> > from crypt() around OpenBSD 5.7? Are there any workarounds for me
> > using the old DES password hashes, or do we need to 'passwd <user>'
> > for hundreds of users?
>
> Use LDAP already.
>

We don't really know his situation.
LDAP could be major overkill...


Re: Options for dealing with DES crypt password file

Jeff Zimmerman
In reply to this post by Jeff Zimmerman
I appreciate the suggestion but yeah, LDAP is totally overkill here. There's really only this one server that needs access to the auth info in the passwd file, so LDAP wouldn't really help me.


Re: Options for dealing with DES crypt password file

Thomas Bohl-2
In reply to this post by Jeff Zimmerman
> Are there any workarounds for me using the old DES password hashes, or do we need to 'passwd <user>' for hundreds of users?
>

You could give John the Ripper a try.