Improving password security
J Greely
jgreely at wizard.cis.ohio-state.edu
Mon Nov 21 20:23:33 AEST 1988
In article <8724 at rpp386.Dallas.TX.US> jfh at rpp386.Dallas.TX.US writes:
>In article <27987 at tut.cis.ohio-state.edu> I write:
>>1. break the plaintext: trivial to do, if I can read libc.a on your
>> system.
>No, you can call setkey() from inside of login(1). Then the cracker
>has to be able to read login(1).
Uh, no. Maybe we're looking at different crypt sources (mine's
4.3 BSD), but setkey has nothing to do with the plaintext, which
is initialized to zeros in crypt right *after* the call to setkey.
The code basically does this:
    convert input password to block
    setkey(block)
    screw with E-table
    set block to plaintext (zeros)
    encrypt(block) repeatedly
    make it printable and spit it out
Calling setkey from login accomplishes nothing. Now, if you added
a function set_plaintext(), and called *that* from login, you'd have
a chance. But you still can't just change login. You have to change
everything else that needs to test passwords, *and* make sure they're
all unreadable. (wouldn't you feel silly if you forgot to relink
su?)
--
J Greely (jgreely at cis.ohio-state.edu; osu-cis!jgreely)
Unseen, in the background, Fate was quietly slipping the lead
into the boxing glove.
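
The control flow listed in the message above, as an added C sketch that is not code from the post or from the 4.3 BSD source. All `toy_*` names are hypothetical, `toy_encrypt` is a stand-in mixer rather than DES, and `toy_set_plaintext` models the `set_plaintext()` idea raised in the post.

```c
#include <stdint.h>
#include <stdio.h>

static uint64_t g_key;            /* key schedule state, written by setkey */
static uint64_t g_plaintext = 0;  /* stock crypt encrypts a block of zeros */

void toy_setkey(uint64_t k) { g_key = k; }
/* Hypothetical hook proposed in the post; stock libc has no such call. */
void toy_set_plaintext(uint64_t p) { g_plaintext = p; }

/* Stand-in for salted DES: a keyed, invertible 64-bit mixer (NOT DES). */
static uint64_t toy_encrypt(uint64_t b, uint32_t salt) {
    b ^= g_key;
    b *= 0x9E3779B97F4A7C15ULL;   /* odd multiplier, so invertible */
    b ^= b >> 29;
    return b + salt;              /* models the salt's E-table change */
}

uint64_t toy_crypt(const char *pw, uint32_t salt) {
    uint64_t block = 0;
    for (int i = 0; i < 8 && pw[i]; i++)       /* password -> block */
        block = (block << 8) | ((uint64_t)(unsigned char)pw[i] << 1);
    toy_setkey(block);        /* replaces whatever key the caller set */
    block = g_plaintext;      /* plaintext loaded *after* setkey */
    for (int i = 0; i < 25; i++)               /* crypt(3) iterates 25 times */
        block = toy_encrypt(block, salt);
    return block;             /* printable encoding omitted */
}

/* login calls setkey() before crypt(): does the hash change? */
int setkey_in_login_changes_hash(void) {
    uint64_t stock = toy_crypt("secret", 0x2a);
    toy_setkey(0x0123456789abcdefULL);         /* constructed value */
    return toy_crypt("secret", 0x2a) != stock;
}

/* Hash stored by a relinked login; su still built with zeros. */
int unrelinked_su_accepts(void) {
    toy_set_plaintext(0x53495445ULL);          /* constructed site value */
    uint64_t stored = toy_crypt("secret", 0x2a);
    toy_set_plaintext(0);                      /* su: stock plaintext */
    return toy_crypt("secret", 0x2a) == stored;
}

int main(void) {
    printf("setkey in login changes hash: %d\n", setkey_in_login_changes_hash());
    printf("unrelinked su accepts password: %d\n", unrelinked_su_accepts());
    return 0;
}
```

Both checks come out 0: a key set by the caller is overwritten inside the hash routine, and a program left with the zero plaintext cannot verify hashes made with the site-specific one.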