Re: Linux and Security

1998-08-20 Thread Lane
Who was it that said, "if you turn the sausage grinder backwards - you don't
get a pig out."?  I always thought this was a very descriptive way to
explain the unix encryption routine.


-Original Message-
From: Kyle Amon <[EMAIL PROTECTED]>
To: Debian User List 
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>; Michael Beattie
<[EMAIL PROTECTED]>; Joey Hess <[EMAIL PROTECTED]>
Date: Wednesday, August 19, 1998 9:47 PM
Subject: Re: Linux and Security


>On Wed, 19 Aug 1998, Joey Hess wrote:
>
>> George Bonser wrote:
>> > On Wed, 19 Aug 1998, Michael Beattie wrote:
>> >
>> > > Okay, true, but it was more of a feasibility question, "if you can get the
>> > > string, is it possible to use the following method to decrypt it??"
>> >
>> > Sure ... the login program has to decrypt it, doesn't it? You can
>> > cut/paste passwd entries between linux systems ... the encrypted password
>> > is not system-specific.
>>
>> No, it's not reversible. There is no way to get the original password from
>> the data in the shadow password file.
>>
>> Login simply takes the password the user enters, encrypts it using crypt(),
>> and compares it with what's in the password file. No decryption is done.
>
>Actually a one way hash is used, not encryption.  This is why it is not
>possible to decrypt it -- it quite simply is not encrypted in the first
>place.
>
>- - Kyle
>
>Kyle Amon email: [EMAIL PROTECTED]
>Unix Systems Administrator phone: (203) 486-3290
>Security Specialist   pager: 1-800-759- PIN 1616512
>IBM Global Services  or [EMAIL PROTECTED]
>  email: [EMAIL PROTECTED]
>  url:   http://www.gnutec.com/kyle
>KeyID 1024/26DD13D9
>Fingerprint = 7D 86 D1 AE 4B E9 91 6A  4B BC B5 B4 12 F0 D3 1A
>
>"GNU does not eliminate all the world's problems, only some of them."
>
>- Richard Stallman
>  The GNU Manifesto, 1985
>


Re: Linux and Security

1998-08-19 Thread Kyle Amon
On Wed, 19 Aug 1998, Joey Hess wrote:

> George Bonser wrote:
> > On Wed, 19 Aug 1998, Michael Beattie wrote:
> > 
> > > Okay, true, but it was more of a feasibility question, "if you can get the
> > > string, is it possible to use the following method to decrypt it??"
> > 
> > Sure ... the login program has to decrypt it, doesn't it? You can
> > cut/paste passwd entries between linux systems ... the encrypted password
> > is not system-specific.
> 
> No, it's not reversible. There is no way to get the original password from
> the data in the shadow password file.
> 
> Login simply takes the password the user enters, encrypts it using crypt(), 
> and compares it with what's in the password file. No decryption is done.

Actually a one way hash is used, not encryption.  This is why it is not
possible to decrypt it -- it quite simply is not encrypted in the first
place.

- - Kyle

Kyle Amon email: [EMAIL PROTECTED]
Unix Systems Administrator phone: (203) 486-3290
Security Specialist   pager: 1-800-759- PIN 1616512
IBM Global Services  or [EMAIL PROTECTED]
  email: [EMAIL PROTECTED]
  url:   http://www.gnutec.com/kyle
KeyID 1024/26DD13D9
Fingerprint = 7D 86 D1 AE 4B E9 91 6A  4B BC B5 B4 12 F0 D3 1A

"GNU does not eliminate all the world's problems, only some of them." 

- Richard Stallman
  The GNU Manifesto, 1985



Re: Linux and Security

1998-08-19 Thread Michael Beattie
On 19 Aug 1998, Manoj Srivastava wrote:

> Hi,
> >>"Michael" == Michael Beattie <[EMAIL PROTECTED]> writes:
> 
>  Michael> After thinking about the crypt function, salts, etc... would
>  Michael> it not be possible to do this:
> 
>  Michael> 1) obtain the source for the crypt function.
>  Michael> 2) obtain by whatever method, the hashed/encrypted/whatever
>  Michael>    password from /etc/shadow.
> 
>   That means you are root on the machine.

It was more of a "by whatever means possible" scenario.

 
>  Michael> 3) reverse the technique in the crypt function, then apply
>  Michael>    that to the string obtained from /etc/shadow using salt #1
> 
>   Yup. You shall then have accomplished something that no one
>  else has, so far. You probably shall then command large salaries as
>  several corporations and government agencies vie for your talents ;-) 

Great :) -->  <-

>  Michael> 4) repeat step 3 for each of the 4096 (??) salts.
> 
>   Why? You already know what the salt is, if you have read
>  /etc/shadow. And if you can reverse crypt; you have the password. 

Ooops.. forgot the salt is right under yer nose.

>  Michael> would that leave you with 4096 possible passwords to try at
>  Michael> login? maybe use a telnet script of some kind somehow?
> 
>   Does your telnet allow you to keep trying passwords ad
>  infinitum? Does it not close connections after a fixed number of
>  attempts? 

um, reconnect maybe? yeah, I know, my box is set to 5 attempts.. or is it
3? heh.. can't remember.
 


   Michael Beattie ([EMAIL PROTECTED])

   PGP Key available, reply with "pgpkey" as subject.
 -
 WinErr: 003 Dynamic linking error - Your mistake is now in every file
 -
Debian GNU/Linux  Ooohh You are missing out!



Re: Linux and Security

1998-08-19 Thread Manoj Srivastava
Hi,
>>"Michael" == Michael Beattie <[EMAIL PROTECTED]> writes:

 Michael> After thinking about the crypt function, salts, etc... would
 Michael> it not be possible to do this:

 Michael> 1) obtain the source for the crypt function.
 Michael> 2) obtain by whatever method, the hashed/encrypted/whatever
 Michael>    password from /etc/shadow.

That means you are root on the machine.

 Michael> 3) reverse the technique in the crypt function, then apply
 Michael>    that to the string obtained from /etc/shadow using salt #1

Yup. You shall then have accomplished something that no one
 else has, so far. You probably shall then command large salaries as
 several corporations and government agencies vie for your talents ;-) 

 Michael> 4) repeat step 3 for each of the 4096 (??) salts.

Why? You already know what the salt is, if you have read
 /etc/shadow. And if you can reverse crypt; you have the password. 

 Michael> would that leave you with 4096 possible passwords to try at
 Michael> login? maybe use a telnet script of some kind somehow?

Does your telnet allow you to keep trying passwords ad
 infinitum? Does it not close connections after a fixed number of
 attempts? 

manoj
-- 
 Practice is the best of all instructors. Publilius
Manoj Srivastava  <[EMAIL PROTECTED]> 
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E


Re: Linux and Security

1998-08-19 Thread Joey Hess
George Bonser wrote:
> On Wed, 19 Aug 1998, Michael Beattie wrote:
> 
> > Okay, true, but it was more of a feasibility question, "if you can get the
> > string, is it possible to use the following method to decrypt it??"
> 
> Sure ... the login program has to decrypt it, doesn't it? You can
> cut/paste passwd entries between linux systems ... the encrypted password
> is not system-specific.

No, it's not reversible. There is no way to get the original password from
the data in the shadow password file.

Login simply takes the password the user enters, encrypts it using crypt(), 
and compares it with what's in the password file. No decryption is done.

-- 
see shy jo
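
The check described in the message above (hash what the user typed with the stored salt, then compare), as an added example that is not part of the original thread. It uses PBKDF2-HMAC-SHA256 as a stand-in for crypt(); the `$demo$...` entry layout, the function names and the sample passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Stand-in for crypt(3): PBKDF2-HMAC-SHA256, not the crypt() of the 1998 thread.
# The "$demo$<iterations>$<salt>$<hash>" layout is constructed for this example
# and is not a real /etc/shadow format.
SCHEME = "demo"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None, iterations=10_000):
    """Setting a password: pick a salt, hash one way, store salt next to hash."""
    if salt is None:
        salt = os.urandom(9)  # random per-entry salt, stored in the clear
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"${SCHEME}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(candidate, stored):
    """Logging in: re-hash the typed password with the stored salt and compare.

    Nothing is decrypted; the stored hash is never turned back into a password.
    """
    try:
        _, scheme, iterations, salt_b64, _ = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        recomputed = hash_password(candidate, salt, int(iterations))
    except ValueError:
        return False  # malformed or locked entry such as "*" or "!"
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(recomputed.encode(), stored.encode())


if __name__ == "__main__":
    entry = hash_password("correct horse")          # constructed sample password
    print(entry)                                    # salt is readable in the entry
    print(verify_password("correct horse", entry))  # True
    print(verify_password("wrong guess", entry))    # False
    # Same password, different salt: the stored entries differ.
    print(hash_password("pw", b"saltA") != hash_password("pw", b"saltB"))
```
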


Re: Linux and Security

1998-08-19 Thread Michael Beattie
On Tue, 18 Aug 1998, George Bonser wrote:

> On Wed, 19 Aug 1998, Michael Beattie wrote:
> 
> > 2) obtain by whatever method, the hashed/encrypted/whatever password from
> > /etc/shadow.
> > 
> 
> Stop right there. Since /etc/shadow is readable only by root, if you can
> access the file, you must be root  right? If you are root, you do not
> NEED a password to access a user's account. You can just become that user.
> You can also create your own user accounts. You can also change the root
> and user passwords or delete the passwords.
> 
> In other words ... the whole point is to protect root and keep /etc/shadow
> readable only by root. If you can read the shadow file, you don't need it.

Okay, true, but it was more of a feasibility question, "if you can get the
string, is it possible to use the following method to decrypt it??"


   Michael Beattie ([EMAIL PROTECTED])

   PGP Key available, reply with "pgpkey" as subject.
 -
There is no snooze button on a cat who wants breakfast.
 -
Debian GNU/Linux  Ooohh You are missing out!



Re: Linux and Security

1998-08-19 Thread Michael Beattie

After thinking about the crypt function, salts, etc... would it not be
possible to do this:

1) obtain the source for the crypt function.

2) obtain by whatever method, the hashed/encrypted/whatever password from
/etc/shadow.

3) reverse the technique in the crypt function, then apply that to the
string obtained from /etc/shadow using salt #1

4) repeat step 3 for each of the 4096 (??) salts.

would that leave you with 4096 possible passwords to try at login? maybe
use a telnet script of some kind somehow?

The above is only an Idea I thought of on the toilet (of all places..
sheesh). would it work?


   Michael Beattie ([EMAIL PROTECTED])

   PGP Key available, reply with "pgpkey" as subject.
 -
Bother! said Pooh, as the Klingons opened fire.
 -
Debian GNU/Linux  Ooohh You are missing out!