From owner-freebsd-security Tue Jun 15 9:17:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from serveri.netti.fi (serveri.netti.fi [195.16.192.130]) by hub.freebsd.org (Postfix) with ESMTP id 8E6B6155D3 for ; Tue, 15 Jun 1999 09:16:59 -0700 (PDT) (envelope-from yurtesen@ispro.net.tr)
Received: from ispro.net.tr (dyn-1-069.tku.netti.fi [195.16.222.70]) by serveri.netti.fi (8.8.8/8.8.3) with ESMTP id TAA03788; Tue, 15 Jun 1999 19:16:42 +0300
Message-ID: <37667C35.68E9E594@ispro.net.tr>
Date: Tue, 15 Jun 1999 19:15:50 +0300
From: Evren Yurtesen
X-Mailer: Mozilla 4.51 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Holtor
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
References: <19990615104334.23910.rocketmail@web128.yahoomail.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

I think when you use MD5 or DES you can still have different kinds of
passwords in your password file. I found this when I accidentally
changed from DES to MD5 at an installation and it was working (we did
not even understand the difference till we saw the long passwords in the
password file!), but I do not know if it would work on your system, or if
you are using special programs which may get affected by the change...

Let me give you an MD5 string to try.

$1$kBCe/$LdWM8ViTcI4PTPTUJ5aCF1

The password is md5test

Just create a user and use chfn to set user details:

chfn username

Put this string into the password field when you get into user details.
Then you can try to log in using the password md5test and you will see
that it will work: even though you are using DES, your system can
handle the MD5 encryption algorithm.

There is some information about DES and MD5 at
http://www.freebsd.org/handbook/security.html#CRYPT

----------------------------------------------------------------
For example, on a system using the DES versions:

% ls -l /usr/lib/libcrypt*
lrwxr-xr-x 1 root wheel 13 Mar 19 06:56 libcrypt.a -> libdescrypt.a
lrwxr-xr-x 1 root wheel 18 Mar 19 06:56 libcrypt.so.2.0 -> libdescrypt.so.2.0
lrwxr-xr-x 1 root wheel 15 Mar 19 06:56 libcrypt_p.a -> libdescrypt_p.a

On a system using the MD5-based libraries, the same links will be
present, but the target will be libscrypt rather than libdescrypt.
----------------------------------------------------------------

According to this text, if you just change the links your system will
start to produce MD5 passwords on new accounts (but I think if you
change the password of an account it still produces DES if the previous
encryption algorithm was DES; if the account had an MD5 password it will
still have an MD5 password after you change the password with passwd).

Holtor wrote:

> So there really is no easy way to convert.
> I just wanted to move everything to MD5.
> Then just go in, and change each user's password
> and e-mail them all. I'm really not an expert
> with hacking source code, I know I'd probably screw
> it up horribly. My original intent was that if someone
> broke in, I figure MD5 passwords would be harder
> to break.
>
> Holt
>
> --- Poul-Henning Kamp wrote:
> > In message <199906150658.AAA90712@harmony.village.org>, Warner Losh writes:
> > >In message <5182.929429344@critter.freebsd.dk> Poul-Henning Kamp writes:
> > >: Uhm, sorry Warner, but that is not true. A brute force attack on
> > >: MD5 is many orders of magnitude slower than on DES.
> > >
> > >Wouldn't that cause lots of messages to be logged about failed login
> > >attempts? I was talking about the case where no one can get the
> > >encrypted passwords. I do suppose this assumes that all the programs
> > >that do login verification do syslogs failures...
> >
> > Which I must admit I have never verified that they do. I don't
> > think a brute force attack without the scrambled passwords is
> > sufficiently feasible to be attempted, for one thing you reveal
> > your source-IP or tty/terminal identity, but even so, MD5 takes
> > longer to compute than DES.
> >
> > >I agree that MD5 is better when the possibility of disclosure of the
> > >encrypted passwords exists...
> >
> > Which it always does, it's only a matter of at which probability.
> >
> > --
> > Poul-Henning Kamp             FreeBSD coreteam member
> > phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> > FreeBSD -- It will take a long time before progress goes too far!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
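
The thread's point that DES and MD5 entries can sit side by side in one password file, and Holtor's plan to change each user's password to reach MD5, suggest an audit of which accounts still carry a DES hash. The following is an added example, not part of the original message or FreeBSD's own code; it assumes the 10-field master.passwd layout, and the function names and every sample entry except the `$1$` string quoted in the message are constructed.

```python
import re

B64 = "[./0-9A-Za-z]"  # crypt(3) output alphabet used by both schemes
DES_RE = re.compile(B64 + "{13}")                         # 2-char salt + 11-char hash
MD5_RE = re.compile(r"\$1\$[^$:]{1,8}\$" + B64 + "{22}")  # $1$salt$hash

def classify(field):
    """Name the scheme of one password field without verifying any password."""
    if field == "":
        return "empty"
    if field.startswith("*"):
        return "locked"      # no valid hash can start with '*'
    if MD5_RE.fullmatch(field):
        return "md5"
    if DES_RE.fullmatch(field):
        return "des"
    return "unknown"         # truncated or unrecognised entry: inspect by hand

def audit(text):
    """Map each scheme to the users whose password field uses it."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:  # assumed layout: name, password, uid, gid, class,
            raise ValueError(  # change, expire, gecos, home, shell
                f"line {lineno}: expected 10 fields, got {len(fields)}")
        report.setdefault(classify(fields[1]), []).append(fields[0])
    return report

def still_des(text):
    """Accounts that need a password change before the file is MD5-only."""
    return audit(text).get("des", [])

# Constructed sample; only the $1$ string comes from the message above.
SAMPLE = """\
# constructed master.passwd excerpt
root:$1$kBCe/$LdWM8ViTcI4PTPTUJ5aCF1:0:0::0:0:Charlie &:/root:/bin/csh
alice:abCONSTRUCTED:1001:1001::0:0:Alice:/home/alice:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
bob:$1$xyz:1002:1002::0:0:Bob:/home/bob:/bin/sh
"""

if __name__ == "__main__":
    for scheme, users in sorted(audit(SAMPLE).items()):
        print(f"{scheme:8} {', '.join(users)}")
```
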