AFAICT there are no utilities in FreeBSD 4 that will do this. So I whipped up a
10-line perl script to build a random salt, get the password and call crypt().
This is OK, but uglier and harder than it needs to be (as I had to fossick
around a bit to find the right way to generate a salt.)
Is this something worth adding to (e.g.) pw(8)? If so, I can whip up some
patches.....
To Unsubscribe: send mail to majo...@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
> I need to generate some encrypted passwords in a config file for an
> application (i.e. not in /etc/master.passwd).
>
> AFAICT there are no utilities in FreeBSD 4 that will do this. So I whipped up a
> 10-line perl script to build a random salt, get the password and call crypt().
> This is OK, but uglier and harder than it needs to be (as I had to fossick
> around a bit to find the right way to generate a salt.)
Here's another example:
http://www.lanexperts.com/mengle/programming/perl/genpw/genpw.pl
--
Regards,
Juha
PGP fingerprint:
B7E1 CC52 5FCA 9756 B502 10C8 4CD8 B066 12F3 9544
You misunderstand me. The problem is not to generate a suitable plaintext
password, the problem is to generate the encrypted version once you have a
plaintext. AFAICT the only programs in FreeBSD that can do that (passwd(1) and
pw(8)) only operate on /etc/master.passwd.
Ooops... too quick on the send button there. ;-)
Disregard.
-- Juha
>AFAICT there are no utilities in FreeBSD 4 that will do this.
/usr/libexec/makekey
Thanks. That'll do, even tho it's pretty clumsy and DES only (no MD5
passwords) and doesn't pick a salt for you.
I might look at beefing it up a bit. (OK, a lot!)
> > /usr/libexec/makekey
>
> Thanks. That'll do, even tho it's pretty clumsy and DES only (no MD5
> passwords) and doesn't pick a salt for you.
>
> I might look at beefing it up a bit. (OK, a lot!)
Most IRC servers include an mkpasswd utility. Hybrid 7 comes with one
that can generate both DES and MD5, and allows you to specify a salt,
or have it generate a random one. I put a copy of it up at
http://ircd.botbay.net/pub/Other_Tools/mkpasswd.c (or
ftp://ircd.botbay.net/pub/Other_Tools/mkpasswd.c )
Maybe it will give you some ideas ;-)
--
Jim Weeks
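#!/usr/bin/perl
# CGI script: read a login and a password entered twice, then print an
# htpasswd-style "login:hash" line.

# Fetch the raw form data for either request method.
if ($ENV{'REQUEST_METHOD'} eq "GET") {
    $buffer = $ENV{'QUERY_STRING'};
}
elsif ($ENV{'REQUEST_METHOD'} eq "POST") {
    read(STDIN,$buffer,$ENV{'CONTENT_LENGTH'});
}

# Split into name=value pairs and URL-decode each value.
@cgiPairs = split(/&/,$buffer);
foreach $cgiPair (@cgiPairs){
    ($name,$value) = split(/=/,$cgiPair);
    $value =~ s/\+/ /g;
    $value =~ s/%(..)/pack("C",hex($1))/ge;   # "C" = unsigned byte (%80-%FF)
    $Form{$name} .= "\0" if (defined($Form{$name}));
    $Form{$name} .= "$value";
}
undef $name; undef $value;

print "Content-Type: text/html\n\n"; # Start HTML output.

unless ($Form{'login'}) {
    print "No user name was entered";
    exit;
}
unless ($Form{'np'} && $Form{'vp'}) {
    print "Please enter your password in both boxes";
    exit;
}
if ($Form{'np'} ne $Form{'vp'}) {
    print "Passwords do not match";
    exit;
}
else {
    # Two-character DES salt. Only 'a'..'z' is used here, i.e. 26*26 = 676
    # of the 4096 salts that crypt() accepts.
    @passset = ('a'..'z');
    for ($i = 0; $i < 2; $i++) {
        $randum_num = int(rand($#passset + 1));
        $salt .= $passset[$randum_num];
    }
    $htpass = crypt($Form{'np'}, "$salt");

    # The login is user input echoed into text/html: escape HTML metacharacters.
    ($login = $Form{'login'}) =~ s/([&<>"])/sprintf("&#%d;", ord($1))/ge;
    print "$login:";
    print "$htpass\n";
}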
On Tue, 10 Jul 2001, Gregory Bond wrote:
@passset = ('a'..'z');
for ($i = 0; $i < 2; $i++) {
$randum_num = int(rand($#passset + 1));
$salt .= @passset[$randum_num];
}
$htpass = crypt($Form{'np'}, "$salt");
--
Jim Weeks
What about a
srand (time ^ $$ ^ unpack "%L*", `ps -auxw | gzip`);
at the start of your program
and
for the salt, I use this to generate md5 salts which I think I got from
cpan IIRC.
sub salt {
    local($salt);               # initialization
    local($i, $rand);
    # 64 characters, so that "& $#itoa64" (a mask of 63) can reach every index
    local(@itoa64) = ( '.', '/', '0' .. '9', 'a' .. 'z', 'A' .. 'Z' ); # 0 .. 63

    warn "calculate salt\n" if $verbose > 1;

    # to64
    for ($i = 0; $i < 8; $i++) {
        $rand = rand(25*29*17 + $rand);
        $salt .= $itoa64[$rand & $#itoa64];
    }
    warn "Salt is: $salt\n";

    return $salt;
}
>@passset = ('a'..'z');
> for ($i = 0; $i < 2; $i++) {
> $randum_num = int(rand($#passset + 1));
> $salt .= @passset[$randum_num];
> }
>$htpass = crypt($Form{'np'}, "$salt");
>
>print "$Form{'login'}:";
>print "$htpass\n";
>}
>
>
>On Tue, 10 Jul 2001, Gregory Bond wrote:
>
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mi...@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
From: Mike Tancsa <mi...@sentex.net>
To: Jim Weeks <j...@siteplus.net>
Subject: Re: Generating encrypted passwords
Date: Tue, 10 Jul 2001 08:23:47 -0400
Message-ID: <4.2.2.20010710...@192.168.0.12>
> What about a
> srand (time ^ $$ ^ unpack "%L*", `ps -auxw | gzip`);
>
> at the start of your program
If you use perl 5.005 or later, it's better to call srand without seed
or not to call srand at all. See perldoc -f srand for detail.
----
HIRATA Yasuyuki http://yasu.asuka.net/
Hi,
but the same perldoc says,
....
Note that you need something much more random than the default seed for
cryptographic purposes. Checksumming the compressed output of one or more
rapidly changing operating system status programs is the usual method. For
example:
srand (time ^ $$ ^ unpack "%L*", `ps axww | gzip`);
From: Mike Tancsa <mi...@sentex.net>
To: HIRATA Yasuyuki <ya...@asuka.net>
Subject: Re: Generating encrypted passwords
Date: Tue, 10 Jul 2001 10:24:55 -0400
Message-ID: <5.1.0.14.0.200107...@marble.sentex.ca>
> > > What about a
> > > srand (time ^ $$ ^ unpack "%L*", `ps -auxw | gzip`);
> > >
> > > at the start of your program
> >
> >If you use perl 5.005 or later, it's better to call srand without seed
> >or not to call srand at all. See perldoc -f srand for detail.
>
> Hi,
> but the same perldoc says,
>
> ....
> Note that you need something much more random than the default seed for
> cryptographic purposes. Checksumming the compressed output of one or more
> rapidly changing operating system status programs is the usual method. For
> example:
>
> srand (time ^ $$ ^ unpack "%L*", `ps axww | gzip`);
Oh, I missed the purpose. In this case, checksumming the gzip's
output seems better.
Thanks.
----
HIRATA Yasuyuki http://yasu.asuka.net/
Doesn't the default seed just use /dev/urandom? I thought /dev/urandom
was good enough for seeding consumer type crypto stuff. Of course
if you don't have /dev/urandom it just uses its process ID and the
system time, which is certainly not good enough for any kind of
crypto.
At least the manpage isn't telling you to grab the first two bytes
off of a gzip output of ps axww, since that always returned the magic
number for gzip.
--
\ |_ _|__ __|_ \ __| Jason Andresen jand...@mitre.org
|\/ | | | / _| Network and Distributed Systems Engineer
_| _|___| _| _|_\___| Office: 703-883-7755
From: Jason Andresen <jand...@mitre.org>
To: Mike Tancsa <mi...@sentex.net>
Subject: Re: Generating encrypted passwords
Date: Tue, 10 Jul 2001 11:56:26 -0400
Message-ID: <3B4B25A9...@mitre.org>
> Doesn't the default seed just use /dev/urandom? I thought /dev/urandom
> was good enough for seeding consumer type crypto stuff. Of course
> if you don't have /dev/urandom it just uses its process ID and the
> system time, which is certainly not good enough for any kind of
> crypto.
random(4) manpage says:
| As more and more random bytes are requested without giving time for
| the entropy pool to recharge, this will result in lower quality
| random numbers.
I do not know whether it's enough or not. Do you think it is suitable
for cryptographic purposes?
> > srand (time ^ $$ ^ unpack "%L*", `ps axww | gzip`);
>
> At least the manpage isn't telling you to grab the first two bytes
> off of a gzip output of ps axww, since that always returned the magic
> number for gzip.
unpack "%L*" returns 32-bit checksum of the string, so you do not need
to grab the first two.
----
HIRATA Yasuyuki http://yasu.asuka.net/
Does htpasswd (with apache) do what you want?
--
ian j hart
> I need to generate some encrypted passwords in a config file for an
> application (i.e. not in /etc/master.passwd).
>
> AFAICT there are no utilities in FreeBSD 4 that will do this. So I whipped up a
> 10-line perl script to build a random salt, get the password and call crypt().
> This is OK, but uglier and harder than it needs to be (as I had to fossick
> around a bit to find the right way to generate a salt.)
>
> Is this something worth adding to (e.g.) pw(8)? If so, I can whip up some
> patches.....
I think this is what you want:
: adrian@lorax; openssl passwd -h
Usage: passwd [options] [passwords]
where options are
-crypt standard Unix password algorithm (default)
-1 MD5-based password algorithm
-apr1 MD5-based password algorithm, Apache variant
-salt string use provided salt
-in file read passwords from file
-stdin read passwords from stdin
-quiet no warnings
-table format output as table
-reverse switch table columns
Unfortunately the md5 formats do not seem to be compatible with
OpenBSD's use of them and I believe FreeBSD's is similar. If you got that
working, I think all the interesting cases could be handled by openssl.
Note, it does generate the salt for you.
Adrian
--
[ adr...@ubergeeks.com ]
And regarding srand for generating salts: No need for crypto-level randomness
as the salts are public knowledge anyway. Only requirement is that they are
reasonably flatly distributed across the salt-space. (Is that a word??)
Exactly... since we seem to be sharing, here's my script.
No comments, please, about how it's not a very good password. It's good
enough for my purposes (generating an initial password for a user
account or htaccess file, typically). I know that crack would eat these
passwords for breakfast.
I use a different algorithm for generating passwords that are
"important"... the FIPS 181 standard.
-jan-
--
Jan L. Peterson
<j...@runbox.com>
openssl passwd
Kris
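
The approach this thread converges on (pick a random salt from the 64-character crypt alphabet, then call crypt() for either DES or MD5), as an added example that is not code from any poster. The sub names and the sample password are made up for illustration, and the MD5 case assumes the system crypt(3) understands the "$1$" prefix.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: crypt(3) with a random salt.
use strict;
use warnings;

my @itoa64 = ('.', '/', '0' .. '9', 'A' .. 'Z', 'a' .. 'z');   # 64 entries

# Return $len salt characters. Bytes come from /dev/urandom when it can be
# opened; otherwise fall back to rand(), which is tolerable only because a
# salt is stored in the clear next to the hash.
sub make_salt {
    my ($len) = @_;
    my $bytes = '';
    if (open(my $fh, '<', '/dev/urandom')) {
        binmode($fh);
        read($fh, $bytes, $len);
        close($fh);
    }
    $bytes .= chr(int(rand(256))) while length($bytes) < $len;
    # 256 is a multiple of 64, so masking with 63 keeps the spread flat.
    return join '', map { $itoa64[ord($_) & 63] } split //, $bytes;
}

# $scheme is 'des' (2-char salt) or 'md5' ("$1$" + 8-char salt + "$").
# Note that DES crypt() only looks at the first 8 password characters.
sub hash_password {
    my ($plain, $scheme) = @_;
    my $setting = $scheme eq 'md5' ? '$1$' . make_salt(8) . '$'
                                   : make_salt(2);
    my $hash = crypt($plain, $setting);
    # A real result starts with the setting and is longer than it.
    die "crypt() does not support $scheme on this system\n"
        unless defined $hash && index($hash, $setting) == 0
            && length($hash) > length($setting);
    return $hash;
}

# Verify by passing the stored hash as the salt argument: crypt() reads
# the scheme and salt from its prefix.
sub check_password {
    my ($plain, $stored) = @_;
    my $again = crypt($plain, $stored);
    return defined $again && $again eq $stored;
}

my $plain = 'constructed-sample';    # constructed input, not a real password
for my $scheme ('des', 'md5') {
    my $hash = hash_password($plain, $scheme);
    printf "%-3s %s  right=%s  wrong=%s\n", $scheme, $hash,
        check_password($plain, $hash)   ? 'ok'   : 'FAIL',
        check_password('other', $hash)  ? 'FAIL' : 'rejected';
}
```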