RE: Should I expect crypt to produce usable results?

Tue, 02 May 2000 11:39:31 -0700 

[EMAIL PROTECTED] wrote:

> Hi,
> 
> I'm trying to develop a tool for synchronising a remote OpenLDAP directory,
> using Net::LDAP, from data held on an OpenVMS system, using Perl. Along the
> way, as I create a new LDAP object I want to add a default Unix-style
> password to the "userPassword" attribute.
> 
> My first stab at this uses a routine which works fine on Unix:
> 
> sub Crypt {
>    my($word) = @_;
>    my($salt,$pwd);
> 
>    $salt = join '', ('.', '/', 0..9, 'A'..'Z','a'..'z')[rand 64, rand 64];
> 
>    $pwd = crypt($word,$salt);
> 
>    $pwd;
> }
> 
> However, the output generated doesn't seem to be valid. For instance, the
> VMS Perl routine generates (in hex):
> 
>       f9 dc 7d 4c b5 fa 8b b7
> 
> for a salt value of IH, whereas a Unix system generates:
> 
>       IHEpNxwbz7lFs
> 
> Is this one of those Unix-ish areas that hasn't been ported? Is it likely to
> be in the future?
> 
> I'm using Perl version 5.005_03.

An interesting question.  VMS Perl's crypt employs an algorithm that
is compatible with the one used by AUTHORIZE and is internally consistent
but not necessarily consistent with other crypt() implementations.

If, for example, I store a password generated by you're implementation
but with the addition of a fixed salt string for both Crypt() calls:

print "passwd: ";
my $pass;
chomp($pass = <STDIN>);
my $secret = Crypt($pass,"SA");
print "\nplease re-enter\npasswd: ";
my $repass;
chomp($repass = <STDIN>);
my $resecret = Crypt($repass,"SA");
if ($resecret eq $secret) {
    print "second password was equivalent\n";
}
else {
    print "second password was not equivalent\n";
}
sub Crypt {
    my($word,$salt) = @_;
    my($pwd);
    if (!$salt) {
        $salt = join '', ('.', '/', 0..9, 'A'..'Z','a'..'z')[rand 64, rand 64];
    }
    $pwd = crypt($word,$salt);
    $pwd;
}

Then I can verify that the second string gets crypted to the same value
if it is the same as the first string.

However, vms perl does not have an implementation of Solaris' crypt
library nor its crypt() libc function and comparing the resultant
perl crypt()ed strings across systems is not guarenteed to yield
useful results.

For network verification things such as kerberos are a bit more robust.
Kerberos services for VMS are available as part of the Multinet TCP/IP
product e.g.


Peter Prymmer

Reply via email to