[lug] generating linux passwords using openssl

D. Stimits stimits at idcomm.com
Sun Apr 29 15:28:50 MDT 2001


charles at lunarmedia.net wrote:
> 
> it would certainly seem that you are correct about the $1 being mistaken
> by the shell as a variable substitution since:
> 
>         openssl passwd -apr1 -salt $1 charles
> 
> renders:
> 
>         $apr1$$$vAaBQkZPAcICTAYmnPq7o.
> 
> the "apr" in the passphrase kinda makes me wonder. however escaping the
> character in or out of quotes does not change the output.

The basic crypt() function (non-MD5) places a 2 character salt at the
start of the full encrypted string so it can be retrieved...I would
guess that MD5 simply decided to place the salt between the $ at start
and the next $. I don't have any man pages on MD5 formats, but I'd be
interested if anyone does find something that gives a standardized MD5
string description (I'm thinking of using MD5 in a few different
applications, one being web session management similar to the PHP being
described here, only in C++).

D. Stimits, stimits at idcomm.com

> 
> this whole scenario comes out of the need to take a clear text password
> and encrypt it within a php script's md5() to verify a user against
> /etc/shadow for access to a webpage. so to get md5() to create an accurate
> hash to compare to /etc/shadow i need to figure out the salt.
> 
> On Sun, 29 Apr 2001, D. Stimits wrote:
> 
> > charles at lunarmedia.net wrote:
> > >
> > > i'm messing around with taking a plain text password and running
> > >
> > >         openssl passwd -salt <characters> <passphrase>
> > >
> > > to compare the outcome with entries in my /etc/shadow file. the output i
> > > am seeing from this command is very different from the output i see in
> > > /etc/shadow.
> > >
> > > for example, in /etc/shadow, i see:
> > >
> > >         test:$1$1pqC/5DL$d/xHPgKHEilQeSqcArGNP0
> > >
> > > test is a user whose passphrase is "charles"
> > >
> > > i think that the salt for this password is "$1$" (the first three
> > > characters, right?)
> > >
> > > when i run:
> > >
> > >         openssl passwd -salt $1$ charles
> >
> > Someone already mentioned shadow passwords are via MD5 while crypt is a
> > different function. But here is another possible wrench in the
> > machinery: The "$1" can be interpreted as a shell substitution, and it
> > might not be passing it literally. $1 might end up being substituted as
> > the first argument of the command or a shell environment variable (which
> > in turn is probably empty). See if your results change when quoting or
> > escaping the "$".
> >
> > >
> > > i get:
> > >
> > >         $AdaOyvpHrybM
> > >
> > > which is considerably different. the only options i see for encryption
> > > methods under openssl are -apr1 for md5 and -crypt which is the default
> > > and is standard unix encryption.
> > >
> > > why such a difference in the two hashes?
> >
> > I would assume that anything via crypt() will always differ from an MD5
> > version. But if your MD5 appears to encrypt differently, perhaps it is
> > the shell playing tricks on you with "$" substitutions.
> >
> > D. Stimits, stimits at idcomm.com
> >
> > >
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
> 

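Added example, not part of the original thread: a POSIX shell sketch that splits the `/etc/shadow` entry quoted above into the `$id$salt$digest` fields of the modular crypt format and shows what a child shell makes of an unquoted `$1$`. The function names are hypothetical, and `check_password` assumes an `openssl` build whose `passwd` command supports `-1` (MD5 crypt) and `-stdin`.

```shell
#!/bin/sh
# Added example: split a modular-crypt shadow field and re-hash safely.
# ENTRY is the sample line quoted in the thread; single quotes keep "$1" literal.
ENTRY='test:$1$1pqC/5DL$d/xHPgKHEilQeSqcArGNP0'

# mcf_field N HASH -> prints field N of "$id$salt$digest" (1=id, 2=salt, 3=digest).
# Prints nothing if HASH is not in that three-part form (e.g. a classic crypt hash).
mcf_field() {
    # Splitting on "$" gives an empty first field before the leading "$".
    printf '%s\n' "$2" |
        awk -F'[$]' -v n="$1" 'NF == 4 && $1 == "" { print $(n + 1) }'
}

# shadow_hash LINE -> prints the second colon-separated field (the stored hash).
shadow_hash() {
    printf '%s\n' "$1" | cut -d: -f2
}

# unquoted_salt -> what a child shell with no arguments makes of an unquoted $1$:
# the positional parameter $1 is empty, so only the trailing "$" survives.
unquoted_salt() {
    sh -c 'printf "%s\n" $1$'
}

# check_password LINE PASSWORD -> exit 0 if PASSWORD re-hashes to the stored value,
# 1 on mismatch, 2 if the entry is not an MD5-crypt ($1$) hash.
check_password() {
    stored=$(shadow_hash "$1")
    [ "$(mcf_field 1 "$stored")" = "1" ] || return 2
    salt=$(mcf_field 2 "$stored")
    # Quote the salt, and feed the password on stdin so it stays out of the
    # process list (assumes "openssl passwd -1 ... -stdin" is available).
    computed=$(printf '%s\n' "$2" | openssl passwd -1 -salt "$salt" -stdin)
    [ "$computed" = "$stored" ]
}
```

For the entry above, `mcf_field 2` yields `1pqC/5DL`, which is the value to pass (quoted) to `-salt`; the `1` between the first two `$` characters selects the algorithm.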

