Re: Linux crypt(3)

2015-10-19 Thread Adam Wysocki 
Thank you for all the replies!

On Sat, 17 Oct 2015, Devin Reade wrote:

> As you're looking into solutions, make sure you're looking at the right
> problem. Your text sounds like you're migrating system account passwords,

I'm not. These are passwords for the news server. Users are authenticated 
using ckpasswd, which uses crypt().

On Sat, 17 Oct 2015, Adam Wolk wrote:

> Don't know if it works out for you but you could generate ssh keys for
> existing accounts and allow users to access the new system using that
> provided ssh key & set the passwords themselves (or just keep using key
> auth and disabling passwords :)).

I don't want to force users to do anything, I want this change to be 
transparent to them...

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"

Re: Linux crypt(3)

2015-10-19 Thread Adam Van Ymeren 
Could you modify the existing linux system to also output a suitable
bcrypt hash for their password the next time they log in.

Leave that running for a while, and then migrate?  This way most
active users will have their password migrated for them.  The
remainder can probably afford to reset their password since they're
not using the system very often.

On Mon, Oct 19, 2015 at 7:38 AM, Adam Wysocki  wrote:
> Thank you for all the replies!
>
> On Sat, 17 Oct 2015, Devin Reade wrote:
>
>> As you're looking into solutions, make sure you're looking at the right
>> problem. Your text sounds like you're migrating system account passwords,
>
> I'm not. These are passwords for the news server. Users are authenticated
> using ckpasswd, which uses crypt().
>
> On Sat, 17 Oct 2015, Adam Wolk wrote:
>
>> Don't know if it works out for you but you could generate ssh keys for
>> existing accounts and allow users to access the new system using that
>> provided ssh key & set the passwords themselves (or just keep using key
>> auth and disabling passwords :)).
>
> I don't want to force users to do anything, I want this change to be
> transparent to them...
>
> --
> "qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"

Re: Linux crypt(3)

2015-10-19 Thread Adam Wysocki 
On Mon, 19 Oct 2015, Adam Van Ymeren wrote:

> Could you modify the existing linux system to also output a suitable
> bcrypt hash for their password the next time they log in.

Yes, that's the great idea. It didn't cross my mind before. Thank you!

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"

Re: Linux crypt(3)

2015-10-17 Thread Ted Unangst 
Adam Wysocki wrote:
> As OpenBSD crypt() function differs from the one in Linux libc and returns 
> NULL for setting "Mb", before I start porting it from libc, maybe you have 
> an easier solution? Maybe there is a library I can use (different than 
> whole bloated Linux libc)?

run john the ripper to crack all their passwords, then create bcrypt hashes
for them? i'm only half kidding. des crypt should have been retired ages ago.

Re: Linux crypt(3)

2015-10-17 Thread Stuart Henderson 
On 2015-10-17, Ted Unangst  wrote:
> Adam Wysocki wrote:
>> As OpenBSD crypt() function differs from the one in Linux libc and returns 
>> NULL for setting "Mb", before I start porting it from libc, maybe you have 
>> an easier solution? Maybe there is a library I can use (different than 
>> whole bloated Linux libc)?
>
> run john the ripper to crack all their passwords, then create bcrypt hashes
> for them? i'm only half kidding. des crypt should have been retired ages ago.

They can't be more than 8 chars so even if you have to brute-force them
it shouldn't take that long. Only problem is that you can't be sure you
got the original password, it might be something else that produces the
same crypted value. Still, it's fairly likely that they will be obvious
(at least they have been when I've used this method).

Linux crypt(3)

2015-10-17 Thread Adam Wysocki 
Hi misc,

I'm migrating one of my servers from Linux to OpenBSD and I need a method 
to authenticate users based on passwords treated with Linux crypt() 
function. Passwords are encrypted with salted DES, without glibc2 
extensions. For example:

$ htpasswd -nbd test test
test:MbfD9Vq5SL5aE

Where "Mb" is a random salt and the rest is encrypted password.

As OpenBSD crypt() function differs from the one in Linux libc and returns 
NULL for setting "Mb", before I start porting it from libc, maybe you have 
an easier solution? Maybe there is a library I can use (different than 
whole bloated Linux libc)?

Kind regards.

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"

Re: Linux crypt(3)

2015-10-17 Thread Adam Wolk 
On Sat, 17 Oct 2015 12:31:59 +0200 (CEST)
Adam Wysocki  wrote:

> Hi misc,
> 
> I'm migrating one of my servers from Linux to OpenBSD and I need a
> method to authenticate users based on passwords treated with Linux
> crypt() function. Passwords are encrypted with salted DES, without
> glibc2 extensions. For example:
> 
> $ htpasswd -nbd test test
> test:MbfD9Vq5SL5aE
> 
> Where "Mb" is a random salt and the rest is encrypted password.
> 
> As OpenBSD crypt() function differs from the one in Linux libc and
> returns NULL for setting "Mb", before I start porting it from libc,
> maybe you have an easier solution? Maybe there is a library I can use
> (different than whole bloated Linux libc)?
> 
> Kind regards.
> 

Don't know if it works out for you but you could generate ssh keys for
existing accounts and allow users to access the new system using that
provided ssh key & set the passwords themselves (or just keep using key
auth and disabling passwords :)).

Re: Linux crypt(3)

2015-10-17 Thread Theo de Raadt 
> On 2015-10-17, Ted Unangst  wrote:
> > Adam Wysocki wrote:
> >> As OpenBSD crypt() function differs from the one in Linux libc and returns 
> >> NULL for setting "Mb", before I start porting it from libc, maybe you have 
> >> an easier solution? Maybe there is a library I can use (different than 
> >> whole bloated Linux libc)?
> >
> > run john the ripper to crack all their passwords, then create bcrypt hashes
> > for them? i'm only half kidding. des crypt should have been retired ages 
> > ago.
> 
> They can't be more than 8 chars so even if you have to brute-force them
> it shouldn't take that long. Only problem is that you can't be sure you
> got the original password, it might be something else that produces the
> same crypted value. Still, it's fairly likely that they will be obvious
> (at least they have been when I've used this method).

those old hashes are so wimpy and unsafe, you could go do this job on
just about any cloud infrastructure.  it is not like you are adding much
additional risk.

such unsafe hashes can only be used in strongly isolated networks.

in which case, you could post them to the mailing list, lots of people
here have extra compute cycles.

ok, now the joke has gone too far.

or is the real joke DES in 2015?

Re: Linux crypt(3)

2015-10-17 Thread Devin Reade 
> On Oct 17, 2015, at 04:31, Adam Wysocki  wrote:
>
> Hi misc,
>
> I'm migrating one of my servers from Linux to OpenBSD and I need a method
> to authenticate users based on passwords treated with Linux crypt()
> function. Passwords are encrypted with salted DES, without glibc2
> extensions. For example:
>
> $ htpasswd -nbd test test
> test:MbfD9Vq5SL5aE

As you're looking into solutions, make sure you're looking at the right
problem. Your text sounds like you're migrating system account passwords, but
htpasswd is usually used for web server credentials. I've not seen a Linux
system use traditional crypt in quite a few years; they're usually salted MD5
hashes.

Devin