/etc/passwd

Bruce Dubbs bdubbs at swbell.net
Thu Jan 17 13:15:39 PST 2002


Matthias Benkmann wrote:
> On 17 Jan 2002, at 11:27, Bruce Dubbs wrote:
> 
> 
>>Matthias Benkmann wrote:
>>
>>>On 17 Jan 2002, at 10:47, Bruce Dubbs wrote:
>>>
>>>
>>>
>>>>password?  If you were cracking passwords a lot, you could just generate
>>>>all combinations up to a certain length on a large hard disk and do a
>>>>binary search on the digest and get any of those PWs in less than a
>>>>second.
>>>>
>>>>
>>>To prevent this, a so-called salt is used. You do not only encrypt the
>>>
> 
>>This is true over the net with such programs as ssh in negotiating 
>>session passwords, but is it also true with a console logon?  
>>
> 
> man crypt gives
> 
> char *crypt(const char *key, const char *salt);
> 
> 
> so the standard crypt() function uses a salt.
> 
> I don't see
> 
>>how the system would know what salt to apply--it would have to be saved
>>someplace.
>>
> 
> It's saved in /etc/passwd along with the encrypted password.

Yes, I just looked it up and was browsing the code.  The first two 
characters of the encrypted password are the salt and the other 11 are 
the DES-hashed password encoded in ASCII.  The DES hash is 56 bits and 
the salt gives another 4096 variations.

I also verified that indeed the crypt function only uses the first eight 
characters of the clear text password.

   -- Bruce
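An added example (not from this thread) that parses passwd-style entries the way the reply above describes: the first two characters of a traditional crypt(3) field are the salt, each drawn from a 64-symbol alphabet (hence 4096 variants), and such entries are flagged because DES crypt only consults the first eight password characters. The sample entries and hash strings are constructed; the modular `$id$salt$hash` handling is included only to tell newer fields apart.

```python
import re

# Traditional crypt(3) salt alphabet: 64 symbols of 6 bits each, so the two-character
# salt stored in front of the hash selects one of 64 * 64 = 4096 variants.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# A traditional DES field is exactly 13 symbols: 2 salt characters + 11 hash characters.
TRAD_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def salt_value(salt: str) -> int:
    """Decode a two-character traditional salt to an int in [0, 4096); bit order is this example's convention."""
    if len(salt) != 2 or any(c not in CRYPT_ALPHABET for c in salt):
        raise ValueError(f"not a traditional crypt salt: {salt!r}")
    return CRYPT_ALPHABET.index(salt[0]) | (CRYPT_ALPHABET.index(salt[1]) << 6)

def classify_hash(field: str) -> dict:
    """Describe the password field of one passwd/shadow entry."""
    if field in ("", "x", "*") or field.startswith("!"):  # shadowed ('x') or locked: no hash stored here
        return {"scheme": "none-or-shadowed", "salt": None, "salt_space": 0, "max_password_chars": None}
    if field.startswith("$"):
        # Modular crypt format "$id$salt$hash" (e.g. $6$ = SHA-512); the salt sits between id and hash.
        parts = field.split("$")
        salt = "$".join(parts[2:-1]) if len(parts) >= 4 else None
        return {"scheme": f"modular-${parts[1]}", "salt": salt, "salt_space": None, "max_password_chars": None}
    if TRAD_DES_RE.match(field):
        # Salt is the first two characters; DES crypt only consults the first 8 password characters.
        return {"scheme": "traditional-des", "salt": field[:2], "salt_space": 4096, "max_password_chars": 8}
    return {"scheme": "unknown", "salt": None, "salt_space": None, "max_password_chars": None}

def audit_passwd(text: str) -> list[dict]:
    """Return the entries whose password field still uses traditional DES crypt."""
    weak = []
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":")[:2]
        info = classify_hash(field)
        if info["scheme"] == "traditional-des":
            weak.append({"user": user, **info})
    return weak

# Constructed sample entries; the hash strings are made up and correspond to no real password.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:ab3Kq9vXz1LpM:1000:1000:Alice:/home/alice:/bin/bash
bob:$6$constructedsalt$constructedhashvalue:1001:1001:Bob:/home/bob:/bin/sh
"""

if __name__ == "__main__":
    for e in audit_passwd(SAMPLE_PASSWD):
        print(f"{e['user']}: {e['scheme']} salt={e['salt']!r} of {e['salt_space']}, {e['max_password_chars']}-char limit")
```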
