Date: Thu, 7 Jun 2001 22:02:27 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Ralph Huntington <rjh@mohawk.net>
Cc: David Miner <david@slis-two.lis.fsu.edu>, edwin chan <huacheng@public.guangzhou.gd.cn>, Olivier Nicole <Olivier.Nicole@ait.ac.th>, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-ID: <20010607220227.W59617@mail.webmonster.de>
In-Reply-To: <Pine.BSF.4.21.0106071456550.93163-100000@mohegan.mohawk.net>; from rjh@mohawk.net on Thu, Jun 07, 2001 at 03:15:38PM -0400
References: <Pine.BSF.4.30_heb2.09.0106071439270.64212-100000@slis-two.lis.fsu.edu> <Pine.BSF.4.21.0106071456550.93163-100000@mohegan.mohawk.net>

correct me if i am just stupid, but i don't get the point

    echo -n passW0Rd | pw usermod testuser -h 0

sets the password of "testuser" to "passW0Rd", storing it in the auth system
you prefer in encrypted form. am i missing something?

/k

Ralph Huntington(rjh@mohawk.net)@2001.06.07 15:15:38 +0000:
> I use "expect" and a script-generated script for encrypting the passwd.
> Here's the shell script my account-maker script generates and then runs to
> set the password. This happens after the account-maker script uses "pw" to
> make the actual user account (which puts a "*" in the passwd field).
>
> #!/usr/local/bin/expect
> set argv username
> spawn -noecho passwd [lindex $argv 0]
> expect "Changing local password for username."
> send ""
> expect "word:"
> send "PassWord\r"
> expect "word:"
> send "PassWord\r"
> expect eof
>
> Obviously, have your script replace "username" with the actual username
> and "PassWord" with the actual plaintext password. For security, have your
> script unlink the expect script after it has run.
>
> This just uses the "passwd" command non-interactively thanks to the expect
> utility. It may not be terribly elegant, but I use this every day and it
> works fine. I hope it's useful for you!
>
> Ralph
>
> On Thu, 7 Jun 2001, David Miner wrote:
>
> > On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:
> >
> > > a simple script using pwgen(1) from the ports collection to generate the
> > > cleartext password, using pw(8)'s instrumentation for passing a password
> > > to it via filehandle would simplify things a bit, i think.
> > > /k
> > >
> > It's not the generation of the passwords that is the problem. It's the
> > encryption.
> >
> > I put print statements into the program, created two users, and check
> > vipw.
> >
> > These are the outputs:
> >
> > entries in pwd.db:
> >
> > try-1:wUe7aHIXK/8O.:1260:1337::0:0:LIStry-1:/usr/try-1:/bin/csh
> > try-2:tgx8fwK0d6cQM:1261:1338::0:0:LIStry-2:/usr/try-2:/bin/csh
> >
> > Program output:
> >
> > Enter password file name: pw7
> > Password file read
> > Enter path to home directories: /usr
> > Enter class name: try
> > Enter first number wanted: 1
> > Enter number of users wanted: 2
> > try-1 chock1
> >
> > wUlVdJxRtry-1 /usr/try-1 wUe7aHIXK/8O.
> > chpass: updating the database...
> > chpass: done
> > try-2 chock1
> >
> > tgtM0gIZtry-2 /usr/try-2 tgx8fwK0d6cQM
> > chpass: updating the database...
> > chpass: done
> >
> > Notice that the encrypted password from the program appears to be the same
> > as reported in vipw. But the user cannot login with the password.
> >
> > David
> > ---------------------------------------------------------------------
> > David R. Miner                      miner@lis.fsu.edu
> > Systems Integrator                  voice: 850-644-8107
> > School of Information Studies       fax: 850-644-6253
> > Florida State University
> > Tallahassee, FL 32306-2100
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >

--
> "Niklaus Wirth has lamented that, whereas Europeans pronounce his name
> correctly (Ni-klows Virt), Americans invariably mangle it into
> (Nick-les Worth). Which is to say that Europeans call him by name, but
> Americans call him by value."
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
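
The approach suggested in this message (a generated cleartext password handed to pw(8) over a file descriptor, with no expect script holding it on disk), written out as an added example that is not part of the original thread. PW_CMD, gen_password, set_password and assign_passwords are names chosen here, and the accounts are assumed to exist already.

```shell
#!/bin/sh
# Added example, not code from the thread. All function and variable names
# below are hypothetical; the only pw(8) interface used is "usermod ... -h fd".
PW_CMD=${PW_CMD:-pw}    # overridable so the flow can be exercised without root

# 24 hex characters from the kernel RNG; pwgen(1) from ports would do as well.
gen_password() {
    head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Set the password of an existing account. The cleartext arrives on our stdin
# and pw reads it from file descriptor 0, so it is never placed in an argument
# list, in the environment, or in a script file that has to be unlinked later.
set_password() {
    user=$1
    case $user in
        # Reject empty names, option-like names, and unexpected characters.
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "refusing username: $user" >&2
            return 2 ;;
    esac
    "$PW_CMD" usermod "$user" -h 0
}

# Give each named account a fresh password and print "user password" once,
# for out-of-band hand-over. printf is a builtin in sh and bash, so no
# separate process is started with the password as an argument.
assign_passwords() {
    for user in "$@"; do
        pass=$(gen_password) || return 1
        printf '%s' "$pass" | set_password "$user" || return 1
        printf '%s %s\n' "$user" "$pass"
    done
}

# Typical use, as root on the target host:
#   assign_passwords try-1 try-2
```

pw hashes the password itself when it updates the database, so the calling script never has to produce or compare crypt strings.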