[lug] generating linux passwords using openssl

charles at lunarmedia.net charles at lunarmedia.net
Sun Apr 29 15:18:30 MDT 2001


it would certainly seem that you are correct about the $1 being mistaken
by the shell as a variable substitution since:

	openssl passwd -apr1 -salt $1 charles

renders:

	$apr1$$$vAaBQkZPAcICTAYmnPq7o.

the "apr" in the passphrase kinda makes me wonder. however escaping the
character in or out of quotes does not change the output.

this whole scenario comes out of the need to take a clear text password
and encrypt it within a php script's md5() to verify a user against
/etc/shadow for access to a webpage. so to get md5() to create an accurate
hash to compare to /etc/shadow i need to figure out the salt.



On Sun, 29 Apr 2001, D. Stimits wrote:

> charles at lunarmedia.net wrote:
> >
> > i'm messing around with taking a plain text password and running
> >
> >         openssl passwd -salt <characters> <passphrase>
> >
> > to compare the outcome with entries in my /etc/shadow file. the output i
> > am seeing from this command is very different from the output i see in
> > /etc/shadow.
> >
> > for example, in /etc/shadow, i see:
> >
> >         test:$1$1pqC/5DL$d/xHPgKHEilQeSqcArGNP0
> >
> > test is a user whose passphrase is "charles"
> >
> > i think that the salt for this password is "$1$" (the first three
> > characters, right?)
> >
> > when i run:
> >
> >         openssl passwd -salt $1$ charles
>
> Someone already mentioned shadow passwords are via MD5 while crypt is a
> different function. But here is another possible wrench in the
> machinery: The "$1" can be interpreted as a shell substitution, and it
> might not be passing it literally. $1 might end up being substituted as
> the first argument of the command or a shell environment variable (which
> in turn is probably empty). See if your results change when quoting or
> escaping the "$".
>
> >
> > i get:
> >
> >         $AdaOyvpHrybM
> >
> > which is considerably different. the only options i see for encryption
> > methods under openssl are -apr1 for md5 and -crypt which is the default
> > and is standard unix encryption.
> >
> > why such a difference in the two hashes?
>
> I would assume that anything via crypt() will always differ from an MD5
> version. But if your MD5 appears to encrypt differently, perhaps it is
> the shell playing tricks on you with "$" substitutions.
>
> D. Stimits, stimits at idcomm.com
>
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
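
An added example, not part of the original thread: in a `$1$1pqC/5DL$d/xHPgKHEilQeSqcArGNP0` style field, `1` is the scheme id (md5crypt) and the salt is the text between the second and third `$`. The sketch below extracts that salt and re-hashes a candidate with `openssl passwd`. The function names are hypothetical, the sample password and salt are constructed, and the `-1` and `-stdin` options of `openssl passwd` are assumed to be available in the installed OpenSSL.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample values are constructed.

# With no positional parameter set, the shell expands $1 to nothing before
# openssl runs, so "$1$" arrives as a bare "$". Single quotes keep it literal.
expanded_arg() { printf '%s\n' "$1$"; }

# Split a "$id$salt$digest" field; print "id salt", or return 1 if malformed.
parse_crypt_field() {
    field=$1
    case $field in
        '$'*'$'*'$'*) ;;
        *) return 1 ;;
    esac
    rest=${field#'$'}          # id$salt$digest
    id=${rest%%'$'*}
    rest=${rest#*'$'}          # salt$digest
    salt=${rest%%'$'*}
    [ -n "$id" ] && [ -n "$salt" ] || return 1
    printf '%s %s\n' "$id" "$salt"
}

# Re-hash the candidate with the stored salt and compare the full strings.
# Returns 0 on match, 1 on mismatch, 2 if the field or scheme is unsupported.
verify_md5crypt() {
    candidate=$1
    stored=$2
    parsed=$(parse_crypt_field "$stored") || return 2
    case ${parsed%% *} in
        1)    flag=-1 ;;       # md5crypt, the $1$ scheme seen in /etc/shadow
        apr1) flag=-apr1 ;;    # Apache variant: same layout, different prefix
        *)    return 2 ;;
    esac
    computed=$(printf '%s\n' "$candidate" |
        openssl passwd "$flag" -salt "${parsed#* }" -stdin) || return 2
    [ "$computed" = "$stored" ]
}

# Constructed round trip: hash a sample password, then test two guesses.
if command -v openssl >/dev/null 2>&1; then
    sample=$(printf '%s\n' 'example-pass' | openssl passwd -1 -salt 'abcdefgh' -stdin)
    verify_md5crypt 'example-pass' "$sample" && echo "match"
    verify_md5crypt 'wrong-pass' "$sample" || echo "no match"
fi
```

Passing the candidate on stdin keeps it out of the process argument list, which other local users can read.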



