SUMMARY: NIS+ password encryption question

Michel Pilon (pilonm@CCG.RNCan.gc.ca)
Thu, 27 Nov 1997 17:41:37 -0500 (EST)

Hi,

Oh my!!! The answer to my original post was my original post!!!

Original post:

> From time to time I have to generate encrypted passwords without associating them
> directly with a user Solaris account (they can be passwords for xtacacs, passwords
> for protected httpd directories, etc.). I know that these passwords use the
> same encryption algorithm as NIS+.
>
> I modified a C program to use the function crypt() (Solaris 2.5)
> to create encrypted passwords.
>
> Here is the code segment:
>
> {
> salt[0]=line[0];
> salt[1]=line[1];
> printf("%s\n",crypt(line,salt));
> }
>
> where line corresponds to the unencrypted password.
>
> As you can see, the salt is given by the first 2 characters of the
> unencrypted password.
>
> When I run the program, the encrypted password does not correspond to the one
> in the NIS+ passwd table. So I am not using the right salt!
>
> (Imagine my password is "aloha"; then
> 'niscat passwd|grep elvis' gives me "elvis:wejfUUSjsIw2kY:..." and my program
> gives me a completely different string.)
>
> Finally, my questions are:
>
> 1) What salt should I use to encrypt a text password into an encrypted
> password understandable by NIS+?

The answer is: Everything is correct!!! It is normal that the new encrypted string
is different from the one NIS+ generated, since the salt is different! In my
script, the salt I am using is the first 2 characters of my UNencrypted future
password. So the resulting string is different. But NIS+ will be able to
decrypt this new string using the first 2 characters of the new ENcrypted
password!!! And so will xtacacs!

And then my routine is correct and does exactly what I want.

% generate_password pegasus
geY7ORqvrskNo
%

Here the salt the script uses is "pe".

I just have to put geY7ORqvrskNo in my xtacacs_passwd and even in my
/etc/shadow file and that's it!
My new password is now pegasus!!!

Thank you to Casper Dik who showed me the light with his comment:

> You wrongly initialize salt.

> Typical crypt usage is:

> crypt(line, encrypted_password);

> The first two characters of the encrypted password are the salt.
> Not the first two of the unencrypted password (that would make
> password guessing trivial)

So a big thank you to

Casper Dik <casper@holland.Sun.COM>
Simon-Bernard Drolet <Simon-Bernard.Drolet@M3iSystems.com>

PS. I adore this list :-)

--
Michel Pilon                        E-mail: michel.pilon@CCG.RNCan.gc.ca
Administrateur de systemes Unix     Tel:    (819) 564-4819
Centre d'information topographique  Fax:    (819) 564-5698
2144 King Ouest, suite 010, Sherbrooke, Quebec, Canada, J1J 2E8
http://cyniska.ubishops.ca/pilonm