plain text password

[Naga Suresh B]

Hai,

How can I change the password file into a plain text password, it
should not use any authentication either MD5 or Pam. I need this solution as
early as possible.

Suresh

To Unsubscribe: send mail to majo...@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

[Peter C. Lai]

Hashes are not reversible, so passwords in the password file
are not recoverable to plaintext. (this is not to say you can't
try to guess the password by applying the hash to your guess
and see if it matches the hash in the file).

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
Yale University School of Medicine
Center for Medical Informatics | Research Assistant
http://cowbert.2y.net/

[Chris BeHanna]

On Sat, 13 Jul 2002, Naga Suresh B wrote:

> How can I change the password file into a plain text password, it
> should not use any authentication either MD5 or Pam. I need this solution as
> early as possible.

You can't. If you must have plain text passwords (why?), you'll have
to cobble a solution together yourself.

--
Chris BeHanna http://www.pennasoft.com
Principal Consultant
PennaSoft Corporation
ch...@pennasoft.com

[Darren Pilgrim]

Naga Suresh B wrote:
>
> Hai,
>
> How can I change the password file into a plain text password, it
> should not use any authentication either MD5 or Pam. I need this solution as
> early as possible.

There are programs in ports that you can use to do dictionary and
exhaustive attacks against the hashes. This is the only way to get
the plaintext passwords. After that, the method you use for storing
the plaintext outside of the system password database is up to you.
If you actually want the pwdb to use plaintext instead of hashes,
you'll need to hack the source yourself as the password system was not
designed to not use crypto. Start with getpass(3), read the source
for /usr/bin/passwd, etc.

[Naga Suresh B]

Hai,
The solution which u had given is very nice.But it is not putting
properly in the htpasswd file we made a small change to u r script. After
making that change it started working fine. Thanks for u r help.
I am giving the altered script below:-

cat /etc/master.passwd | awk -F":" '{ printf("%s:%s\n", $1, $2) }' >
/usr/local/www/site/phpMyadmin/httpd_access

----- Original Message -----
From: "Chris BeHanna" <beh...@zbzoom.net>
To: "Naga Suresh B" <torv...@addr.com>
Sent: Monday, July 15, 2002 10:03 AM
Subject: Re: plain text password

> On Mon, 15 Jul 2002, Naga Suresh B wrote:
>
> > I want to create users with plain text password I want to make use of
> > /etc/passwd file to be accessed through apache.
>
> This is very dangerous. Plain-text passwords in general are a
> very bad idea.
>
> Note that Apache supports both DES (older crypt()-style) and MD5
> password hashes in the htpasswd program.
>
> > I want to globalise the passwd facility in our company. If I create
> > a user and passwd on the server he must be able to access the
> > intranet, server with the same password, Please give me if any
> > solution is there for this, I know how to do that on Linux is there
> > anything like that on FreeBSD Please give me solution. solution as
> > early as possible.
>
> To do what you want to do, I'd suggest something like this:
>
> cat /etc/master.passwd | awk -F":" '{ printf("%s:%s", $1, $2) }' >
/usr/local/etc/apache/htpasswd
>
> Run it out of cron every so often, or put together a passwd change
> script that users should use that will automatically run the above
> command every time the user changes his or her password.
>
> Presto: now you have unified passwords WITHOUT the folly of using
> plaintext passwords.
>
> --
> Chris BeHanna
> Software Engineer (Remove "bogus" before responding.)
> beh...@bogus.zbzoom.net
> Turning coffee into software since 1990.