Re: Linux crypt(3)
Thank you for all the replies! On Sat, 17 Oct 2015, Devin Reade wrote: > As you're looking into solutions, make sure you're looking at the right > problem. Your text sounds like you're migrating system account passwords, I'm not. These are passwords for the news server. Users are authenticated using ckpasswd, which uses crypt(). On Sat, 17 Oct 2015, Adam Wolk wrote: > Don't know if it works out for you but you could generate ssh keys for > existing accounts and allow users to access the new system using that > provided ssh key & set the passwords themselves (or just keep using key > auth and disabling passwords :)). I don't want to force users to do anything, I want this change to be transparent to them... -- "qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
Re: Linux crypt(3)
Could you modify the existing linux system to also output a suitable bcrypt hash for their password the next time they log in. Leave that running for a while, and then migrate? This way most active users will have their password migrated for them. The remainder can probably afford to reset their password since they're not using the system very often. On Mon, Oct 19, 2015 at 7:38 AM, Adam Wysockiwrote: > Thank you for all the replies! > > On Sat, 17 Oct 2015, Devin Reade wrote: > >> As you're looking into solutions, make sure you're looking at the right >> problem. Your text sounds like you're migrating system account passwords, > > I'm not. These are passwords for the news server. Users are authenticated > using ckpasswd, which uses crypt(). > > On Sat, 17 Oct 2015, Adam Wolk wrote: > >> Don't know if it works out for you but you could generate ssh keys for >> existing accounts and allow users to access the new system using that >> provided ssh key & set the passwords themselves (or just keep using key >> auth and disabling passwords :)). > > I don't want to force users to do anything, I want this change to be > transparent to them... > > -- > "qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
Re: Linux crypt(3)
On Mon, 19 Oct 2015, Adam Van Ymeren wrote: > Could you modify the existing linux system to also output a suitable > bcrypt hash for their password the next time they log in. Yes, that's the great idea. It didn't cross my mind before. Thank you! -- "qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
Re: Linux crypt(3)
Adam Wysocki wrote: > As OpenBSD crypt() function differs from the one in Linux libc and returns > NULL for setting "Mb", before I start porting it from libc, maybe you have > an easier solution? Maybe there is a library I can use (different than > whole bloated Linux libc)? run john the ripper to crack all their passwords, then create bcrypt hashes for them? i'm only half kidding. des crypt should have been retired ages ago.
Re: Linux crypt(3)
On 2015-10-17, Ted Unangstwrote: > Adam Wysocki wrote: >> As OpenBSD crypt() function differs from the one in Linux libc and returns >> NULL for setting "Mb", before I start porting it from libc, maybe you have >> an easier solution? Maybe there is a library I can use (different than >> whole bloated Linux libc)? > > run john the ripper to crack all their passwords, then create bcrypt hashes > for them? i'm only half kidding. des crypt should have been retired ages ago. They can't be more than 8 chars so even if you have to brute-force them it shouldn't take that long. Only problem is that you can't be sure you got the original password, it might be something else that produces the same crypted value. Still, it's fairly likely that they will be obvious (at least they have been when I've used this method).
Linux crypt(3)
Hi misc, I'm migrating one of my servers from Linux to OpenBSD and I need a method to authenticate users based on passwords treated with Linux crypt() function. Passwords are encrypted with salted DES, without glibc2 extensions. For example: $ htpasswd -nbd test test test:MbfD9Vq5SL5aE Where "Mb" is a random salt and the rest is encrypted password. As OpenBSD crypt() function differs from the one in Linux libc and returns NULL for setting "Mb", before I start porting it from libc, maybe you have an easier solution? Maybe there is a library I can use (different than whole bloated Linux libc)? Kind regards. -- "qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
Re: Linux crypt(3)
On Sat, 17 Oct 2015 12:31:59 +0200 (CEST) Adam Wysockiwrote: > Hi misc, > > I'm migrating one of my servers from Linux to OpenBSD and I need a > method to authenticate users based on passwords treated with Linux > crypt() function. Passwords are encrypted with salted DES, without > glibc2 extensions. For example: > > $ htpasswd -nbd test test > test:MbfD9Vq5SL5aE > > Where "Mb" is a random salt and the rest is encrypted password. > > As OpenBSD crypt() function differs from the one in Linux libc and > returns NULL for setting "Mb", before I start porting it from libc, > maybe you have an easier solution? Maybe there is a library I can use > (different than whole bloated Linux libc)? > > Kind regards. > Don't know if it works out for you but you could generate ssh keys for existing accounts and allow users to access the new system using that provided ssh key & set the passwords themselves (or just keep using key auth and disabling passwords :)).
Re: Linux crypt(3)
> On 2015-10-17, Ted Unangstwrote: > > Adam Wysocki wrote: > >> As OpenBSD crypt() function differs from the one in Linux libc and returns > >> NULL for setting "Mb", before I start porting it from libc, maybe you have > >> an easier solution? Maybe there is a library I can use (different than > >> whole bloated Linux libc)? > > > > run john the ripper to crack all their passwords, then create bcrypt hashes > > for them? i'm only half kidding. des crypt should have been retired ages > > ago. > > They can't be more than 8 chars so even if you have to brute-force them > it shouldn't take that long. Only problem is that you can't be sure you > got the original password, it might be something else that produces the > same crypted value. Still, it's fairly likely that they will be obvious > (at least they have been when I've used this method). those old hashes are so wimpy and unsafe, you could go do this job on just about any cloud infrastructure. it is not like you are adding much additional risk. such unsafe hashes can only be used in strongly isolated networks. in which case, you could post them to the mailing list, lots of people here have extra compute cycles. ok, now the joke has gone too far. or is the real joke DES in 2015?
Re: Linux crypt(3)
> On Oct 17, 2015, at 04:31, Adam Wysockiwrote: > > Hi misc, > > I'm migrating one of my servers from Linux to OpenBSD and I need a method > to authenticate users based on passwords treated with Linux crypt() > function. Passwords are encrypted with salted DES, without glibc2 > extensions. For example: > > $ htpasswd -nbd test test > test:MbfD9Vq5SL5aE As you're looking into solutions, make sure you're looking at the right problem. Your text sounds like you're migrating system account passwords, but htpasswd is usually used for web server credentials. I've not seen a Linux system use traditional crypt in quite a few years; they're usually salted MD5 hashes. Devin