Forum: Cfengine Help Subject: Re: Managing user accounts with Cfengine 3 Author: sauer Link to topic: https://cfengine.com/forum/read.php?3,20993,21006#msg-21006
zzamboni Wrote:
-------------------------------------------------------
> eystein, it should, but I tried it the other day
> and got a "not yet implemented" error :(

I'd be inclined to suggest against the Cfengine hash function for crypt until it allows for a configurable salt or string being encrypted. If you use the same salt, then your whole shadow file is vulnerable to a single rainbow table. If you vary the salt, then a new table must be calculated for each password. You could use the md5 algorithm, but it's more than just one call...

In any event, calculating the hash for the shadow file isn't "just" hashing a string. For regular DES crypt, a string of 8 zeroes (or 11, I can never remember - it's all zeroes, either way) is encrypted using the user's password as the key, and the random number generation sequence is perturbed using a 2-character salt. It's arguably not a hash, as it's really the reversible decryption of that string of zeroes using a password. You verify the password by encrypting the same known initial string o' zeroes with the same salt using the same password, and verify that the output is the same.

In the case of MD5, the thing in shadow isn't the hash of the password. It works by combining the salt and the password, getting the hash for that, and then combining the salt, password, and first hash together, then hashing that bigger combination. Password validation is the same; perform those two steps and see if it matches.

Interestingly, I did learn today that the system crypt function uses MD5 if you use a salt that starts with $1$ and is followed by up to 8 chars. It uses sha256 or sha512 if you do the same thing starting with $5$ or $6$ respectively (on a newer system; glibc 2.7 supposedly, though my RHEL 5 systems with glibc 2.5 also work). And therefore, the perl crypt function also does that.
user@host $ PASS=blah SALT='ab' perl -le 'print crypt( $ENV{q{PASS}}, $ENV{q{SALT}} )'
ab1O6rZcXQgWU
user@host $ PASS=blah SALT='$1$ab' perl -le 'print crypt( $ENV{q{PASS}}, $ENV{q{SALT}} )'
$1$ab$TVvUV3ePmQOLEQeIkM6as/
user@host $ PASS=blah SALT='$5$ab' perl -le 'print crypt( $ENV{q{PASS}}, $ENV{q{SALT}} )'
$5$ab$AYG9LUAi06jgh7Ovn4SiWaC.wfGSWKz4JlC4EaPFRzA
user@host $ PASS=blah SALT='$6$ab' perl -le 'print crypt( $ENV{q{PASS}}, $ENV{q{SALT}} )'
$6$ab$esleht0ye73kFJMRmVHWTIt2xinfehzGD2Px/ubN4q6tvPxzlQIGD9376JesfGOAKci7u6Xykor20LfGQc1bq0

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
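The $1$ scheme the post describes (two MD5 passes over password and salt, plus the stretching rounds crypt(3) adds), written out in Python with hashlib so the "$1$ab$TVvUV3ePmQOLEQeIkM6as/" value from the perl session above can be reproduced offline; this is an added example, not code from the post, the list or Cfengine, and the helper names new_shadow_hash and check_password are this example's own. It also shows the two things the post argues for: a fresh random salt per entry, and verification by re-running crypt with the stored hash as the salt.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"

def _to64(value, count):
    # crypt(3)-style base64: `count` chars, least-significant 6 bits first
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def md5crypt(password, salt):
    """$1$ (MD5-crypt). As with crypt(3), `salt` may be a bare salt ("ab") or a
    full hash ("$1$ab$..."): the magic is skipped, salt ends at '$' or 8 chars."""
    pw, s = password.encode(), salt.encode()
    if s.startswith(MAGIC):
        s = s[len(MAGIC):]
    s = s.split(b"$", 1)[0][:8]
    # First hash: MD5(password + salt + password), reused as keyed filler bytes.
    alt = hashlib.md5(pw + s + pw).digest()
    # Second hash: MD5(password + "$1$" + salt + filler + bits of len(password)).
    ctx = hashlib.md5(pw + MAGIC + s)
    for off in range(0, len(pw), 16):
        ctx.update(alt[: min(16, len(pw) - off)])
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 stretching rounds that keep mixing password, salt and last digest.
    for i in range(1000):
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(s)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    # Encode the 16 digest bytes in the fixed, shuffled order crypt(3) uses.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return (MAGIC + s).decode() + "$" + enc + _to64(final[11], 2)

def new_shadow_hash(password):
    """Hash with a fresh random salt, so equal passwords get different hashes."""
    return md5crypt(password, "".join(secrets.choice(ITOA64) for _ in range(8)))

def check_password(password, shadow_hash):
    """Verify by re-running crypt with the stored hash as salt and comparing."""
    return secrets.compare_digest(md5crypt(password, shadow_hash), shadow_hash)
```

Because the salt is part of the stored string, check_password needs no separate salt column; the $5$ and $6$ forms in the session follow the same shape with a different (SHA-based) round structure.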