Date:      Thu, 7 Jun 2001 22:02:27 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        Ralph Huntington <rjh@mohawk.net>
Cc:        David Miner <david@slis-two.lis.fsu.edu>, edwin chan <huacheng@public.guangzhou.gd.cn>, Olivier Nicole <Olivier.Nicole@ait.ac.th>, freebsd-security@FreeBSD.ORG
Subject:   Re: Encrypted passwords
Message-ID:  <20010607220227.W59617@mail.webmonster.de>
In-Reply-To: <Pine.BSF.4.21.0106071456550.93163-100000@mohegan.mohawk.net>; from rjh@mohawk.net on Thu, Jun 07, 2001 at 03:15:38PM -0400
References:  <Pine.BSF.4.30_heb2.09.0106071439270.64212-100000@slis-two.lis.fsu.edu> <Pine.BSF.4.21.0106071456550.93163-100000@mohegan.mohawk.net>

correct me if i am just stupid, but i don't get the point
    echo -n passW0Rd | pw usermod testuser -h 0
sets the password of "testuser" to "passW0Rd", storing it in the auth
system you prefer in encrypted form. am i missing something?

/k


Ralph Huntington(rjh@mohawk.net)@2001.06.07 15:15:38 +0000:
> I use "expect" and a script-generated script for encrypting the passwd.
> Here's the shell script my account-maker script generates and then runs to
> set the password. This happens after the account-maker script uses "pw" to
> make the actual user account (which puts a "*" in the passwd field).
>
> #!/usr/local/bin/expect
> set argv username
> spawn -noecho passwd [lindex $argv 0]
> expect "Changing local password for username."
> send ""
> expect "word:"
> send "PassWord\r"
> expect "word:"
> send "PassWord\r"
> expect eof
>
> Obviously, have your script replace "username" with the actual username
> and "PassWord" with the actual plaintext password. For security, have your
> script unlink the expect script after it has run.
>
> This just uses the "passwd" command non-interactively thanks to the expect
> utility. It may not be terribly elegant, but I use this every day and it
> works fine. I hope it's useful for you!
>
> 	Ralph
>
> On Thu, 7 Jun 2001, David Miner wrote:
>
> > On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:
> >
> > > a simple script using pwgen(1) from the ports collection to generate the
> > > cleartext password, using pw(8)'s instrumentation for passing a password
> > > to it via filehandle would simplify things a bit, i think.
> > > /k
> > >
> > It's not the generation of the passwords that is the problem.  It's the
> > encryption.
> >
> > I put print statements into the program, created two users, and checked
> > vipw.
> >
> > These are the outputs:
> >
> > entries in pwd.db:
> >
> > try-1:wUe7aHIXK/8O.:1260:1337::0:0:LIStry-1:/usr/try-1:/bin/csh
> > try-2:tgx8fwK0d6cQM:1261:1338::0:0:LIStry-2:/usr/try-2:/bin/csh
> >
> > Program output:
> >
> > Enter password file name:  pw7
> > Password file read
> > Enter path to home directories: /usr
> > Enter class name: try
> > Enter first number wanted: 1
> > Enter number of users wanted: 2
> > try-1 chock1
> >
> > wUlVdJxRtry-1 /usr/try-1 wUe7aHIXK/8O.
> > chpass: updating the database...
> > chpass: done
> > try-2 chock1
> >
> > tgtM0gIZtry-2 /usr/try-2 tgx8fwK0d6cQM
> > chpass: updating the database...
> > chpass: done
> >
> > Notice that the encrypted password from the program appears to be the same
> > as reported in vipw.  But the user cannot login with the password.
> >
> > David
> > ---------------------------------------------------------------------
> > David R. Miner                                   miner@lis.fsu.edu
> > Systems Integrator                               voice: 850-644-8107
> > School of Information Studies                    fax:   850-644-6253
> > Florida State University
> > Tallahassee, FL  32306-2100
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
>

-- 
> "Niklaus Wirth has lamented that, whereas Europeans pronounce his name
> correctly (Ni-klows Virt), Americans invariably mangle it into
> (Nick-les Worth).  Which is to say that Europeans call him by name, but
> Americans call him by value."
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
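
Added example, not part of the original message or of anyone's script in this thread: the approach discussed above (a generated password handed to pw(8) through a file descriptor with `-h 0`) written out in sh, so the cleartext is neither placed in an argument list nor stored in a throwaway expect script. The names `gen_password`, `set_password` and the `PW` override are hypothetical, and `/dev/urandom` stands in for pwgen(1).

```shell
#!/bin/sh
# Added example: gen_password, set_password and PW are hypothetical names.
# Assumes FreeBSD pw(8), whose -h <fd> option reads the new password from
# a file descriptor (0 = stdin) and stores it hashed.

PW=${PW:-pw}    # overridable so the functions can be exercised without pw(8)

# Random 16-character password; stands in for pwgen(1) from ports.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# set_password USER PASSWORD
# The password travels only through a pipe. printf is a builtin in
# FreeBSD sh and bash, so the cleartext does not appear in any process
# argument list (ps) and no script file holding it has to be unlinked.
set_password() {
    user=$1
    pass=$2
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*)
            # Empty, option-like or odd names are never passed to pw.
            echo "set_password: refusing user name '$user'" >&2
            return 1 ;;
    esac
    [ -n "$pass" ] || { echo "set_password: empty password" >&2; return 1; }
    printf '%s' "$pass" | $PW usermod "$user" -h 0
}

# Usage: sh setpw.sh user1 user2 ...   (as root, accounts already created)
# Prints "user password" pairs for the operator; keep that output private.
for u in "$@"; do
    p=$(gen_password)
    set_password "$u" "$p" && printf '%s %s\n' "$u" "$p"
done
```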
