[svlug] Shadow password fuzziness

Robert Hajime Lanning lanning at lanning.cc
Thu Jul 26 09:31:01 PDT 2001


The $1$ means it is MD5 hash of the password.

This is out of the blue, but try {md5}$1$...

It looks like {crypt}... would probably be the unix crypt() string.
Which is 13 characters.

---- As written by Todd Lyons:
> 
> I sent this to a local list here in LA, so if this is a dupe, I
> apologize.
> 
> <breathe>
> 
> Some of you may have heard me talking/asking about this, sorry to bug
> you.  But I will restate the entire case, what I've done, and where I'm at.
> 
> I'm tasked with converting a system running Sendmail/UWImap that's
> authenticating against NIS to a system running qmail/CourierImap that's
> authenticating against LDAP in a 100% pure virtual environment.  Walk in
> the park, right?  Let's go over what I've done so far.
> 
> 1) The current NIS replication system is a hack.  The passwd, shadow,
> group, and gshadow files are scp'd from the main machine that the
> sysadmins do user administration.  It will continue this way for the
> forseeable future.  As a result, the method of replication to the
> LDAP machine will continue to be scp the files and custom scripts to
> detect new users, extract their account info, add them in to the 
> directory, and initialize their email usage.
> 2) Grab qmail 1.03, applied the qmail-ldap patch, compiled, installed,
> and configured.
> 3) Grab courier-imap, compiled, installed, and configured.
> 4) Install OpenLDAP 2.x.  Configured.
> 5) Temporarily rsync existing users' mbox style email to qmail machine
> once a day (for testing purposes).  (It's all behind a NAT firewall, so 
> I've not dabbled with ssl yet.)
> 6) Write a script to import all info from passwd and shadow, make
> virtual maildirectories, convert from mbox to maildir style, and import
> all user info into the directory.
> 
> Well the problem is one small portion of the "and import all user info".
> The problem is the damn password.
> 
> On a system where the users are being added as new, I've got cgi that
> passes the appropriate info to ldapadd and ldappasswd to populate the
> directory and set the password.  That's not what I have here though.  
> I don't have the plain text passwords, and have no way to get them.  The
> only thing that I have is the shadow password file.
> 
> I was advised that I could simply grab the shadow encrypted password and
> slap {crypt} on the front of it and it would work, like this:
> userPassword: {crypt}$1$vrlHRV3Q$GtXdvNvSSJs2ta2yw3CaP/
> 
> It imports just fine, but when attempting to authenticate, it fails.  If
> I manually set the password with ldappasswd, then it authenticates
> properly.  Additional comment: I'm using ldap's own tools for testing
> authentication, not the qmail or courier system for testing
> authentication.
> 
> Doing a little bit of experimenting with base64 decoding, I've found
> that ldappasswd is entering a value of {SSHA}<crypted_passwd>.  So I
> started using that (since it seemed a good baseline).  I then noticed 
> that the physical length of the values stored in the directory
> created from my {SSHA}<crypted_passwd> entries were a different
> length than the one created by the ldappasswd utility.  In the same
> breath, I also noticed that when I base64 decoded the patterns, none of
> them started with the $1$ that shadow password entries started with, so
> I stripped that off.  I finally started logging things:
> 
> Doesn't work (created from my perl script):
> userPassword:: e1NTSEF9JDEkamlENk1CVm8kWFJ0QzlUdUJvMTVENUNtSzZCUlloLw==
> userPassword:: e1NTSEF9amlENk1CVm8kWFJ0QzlUdUJvMTVENUNtSzZCUlloLw==
> Works (created by ldappasswd):
> userPassword:: e1NTSEF9RVpFaDNMUkc3VWx1Qkx0YWhhV0RJbVR1bmJ2UDNnOXo=
> userPassword:: e1NTSEF9ODBWREdPdDk0RE5RQ2ZtTFdCTG9ML3hBNGRPVmJjLys=
> 
> Each of these are the same password. (The double colon just means that
> it's base64 encoded).  The first entry is with a $1$ and the second is
> without.  Also note the difference in length (two == signs compared to
> one).
> 
> My needs are simple:
> 1) Ideally, "Todd, you're an idiot, you just have to do <insert series
> of steps>".
> 2) Realistically, I'm looking for URL's to tutorials, rfc's, any kind of
> guidance and tools that will help me to understand how shadow passwords
> are constructed and what I'm doing wrong.
> 3) Break it to me gently if it's not possible to do it only with shadow
> passwords (not having plaintext passwords).  Be very gentle.  I've been
> working on it for 2+ weeks now.
> 4) If you have or know of some "magic" scripts that do this, I would be
> most appreciative.  Everything I've found just sticks {crypt} in front
> of the password and was written in 1997 and for whatever reason, it
> doesn't work now. (I'm looking for that reason!)
> 
> Any and all help is appreciated.
> 
> -- 
> Blue skies...		Todd
> | Get a bigger hammer!   |  Are you feeling lucky...punk?         |
> | http://www.mrball.net  |  I've had better days...               |
> | http://faq.mrball.net  |  It's the end of the world as we know i|
> 
> _______________________________________________
> svlug mailing list
> svlug at lists.svlug.org
> http://lists.svlug.org/lists/listinfo/svlug
> 


-- 
/* Robert Hajime Lanning                             lanning at lanning.cc
** Trade: Unix Systems Administrator (Senior level) (SAGE IV)
*/
#include <std_disclaimer.h>




More information about the svlug mailing list