Re: Unix Password Encryption Procedures

From: Mike Delaney (mdelan_at_computer.org)
Date: 09/28/04

    Date: Mon, 27 Sep 2004 17:36:13 -0500
    
    

    On 27 Sep 2004 13:39:48 -0700, Kushal Agarwal said something similar to:
    :
    : I know that most Unix machines either use the DES encryption algorithm
    : or the MD5 encryption algorithm, I am wondering if there is any
    : flavour of unix which uses the kerberos (or any other) methodology?

    Unix _hashes_ passwords, it does not _encrypt_ them. There is no
    such thing as the "MD5 encryption algorithm". MD5 is a hash algorithm.

    To answer your question, there are (to my knowledge) four password
    hashing methods in common use on Unix systems:

            * The traditional DES based algorithm.
            * An algorithm based on MD5. The use of this algorithm is
              generally denoted by prepending the string "$1$" to the
              salt+hash in /etc/passwd | /etc/shadow. The MD5 algorithm
              is found on most of the *BSD flavors, Linux, and Solaris 9
              (among others).
            * An algorithm based on Blowfish. This one is denoted by
              the prepended string "$2a$" in the hash. OpenBSD, some
              Linux distributions (but not all), and Solaris 9 are among
              the systems supporting this algorithm.
            * A second MD5 based algorithm, sometimes known as Sun-MD5.
              This is AFAIK only found in Solaris 9.

    As to Kerberos, many Linux distributions come with Kerberos implementations,
    as do some of the *BSDs. Solaris has been slowly adding more and more
    bits of SEAM (Sun's Kerberos implementation) into the OS.
    It is, however, not the default on any of these platforms. Someone
    has to set up a Kerberos realm and configure the systems to authenticate
    against it.

    Some administrators have also been known to set up systems to authenticate
    via binding against an LDAP directory using PAM or BSD AUTH.

    There's also RADIUS, OTP, TACACS, SRP, etc. and so forth.

    : Additionally, I know that the function crypt() is able to encrypt using
    : either the DES or the MD5 algorithm, depending on the salt supplied
    : with the function. I am curious as to given an encrypted string, is
    : there any "clean" (via a function(s)) way to determine what method was
    : used to encrypt the original string. I need to know how the original
    : string was encrypted so that I can use the same procedure to encrypt
    : the entered string (so that I may compare the stored and entered
    : strings).

    If you're just trying to validate passwords against a database of
    crypt(3) hashes, simply pass the stored hash you're comparing to
    crypt(3) as the salt field and let it figure it out.

    If you're trying to write something to authenticate users against whatever
    backend mechanism your OS is configured to use, be it traditional passwords,
    Kerberos, LDAP, or what have you, then you're going to have to determine what
    mechanism your OS uses to verify passwords and use that.

    Most Linux and System V-ish systems use PAM (Pluggable Authentication
    Modules) to allow the administrator to "plug in" arbitrary authentication
    methods. On those you'd call PAM and let it worry about the
    authentication (obviously I'm grossly oversimplifying here).
    The *BSD systems tend to use BSD AUTH for the same purpose (though
    some support PAM as well).
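
The prefix rules and the "pass the stored hash as the salt" check from the message above, as an added example that is not part of the original post. `identify_scheme`, `verify` and the `crypt_fn` parameter are hypothetical names; `crypt_fn` stands for any binding to the system's crypt(3) (for instance `crypt.crypt` on Python versions before 3.13), and the Sun-MD5 `$md5` prefix is an assumption the message does not state.

```python
import hmac
import re

# Prefixes as given in the message; the Sun-MD5 "$md5" prefix is an
# assumption added here (the message does not state it).
PREFIXES = (
    ("$1$", "md5-crypt"),
    ("$2a$", "blowfish"),
    ("$md5$", "sun-md5"),
    ("$md5,", "sun-md5"),
)
# Traditional DES crypt: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_FIELD = re.compile(r"[./0-9A-Za-z]{13}")


def identify_scheme(stored):
    """Name the hashing method of one stored password field."""
    for prefix, name in PREFIXES:
        if stored.startswith(prefix):
            return name
    if DES_FIELD.fullmatch(stored):
        return "traditional-des"
    return "unknown"  # empty, locked ("*", "!...") or a scheme not listed


def verify(password, stored, crypt_fn):
    """Hash the candidate with the stored field as the salt, then compare."""
    if not stored:
        return False  # empty field: nothing to compare against
    candidate = crypt_fn(password, stored)
    if not candidate:
        return False  # crypt(3) signals failure with NULL (None here)
    # Constant-time comparison of the two hash strings.
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    # Constructed fields (placeholder characters, not real hashes).
    for field in ("ab0123456789.", "$1$abcdefgh$" + "A" * 22,
                  "$2a$08$" + "B" * 53, "*"):
        print(identify_scheme(field), field)
```

`verify` never needs the result of `identify_scheme`: the scheme and salt travel inside the stored field, so the classifier is only for reporting which method a database uses.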

