[ale] crypt? passwd? faulty package?

attriel attriel at d20boards.net
Thu Oct 17 14:42:16 EDT 2002



> This has always confused me about crypt(). What is the correct
> value for the salt? Doesn't the user have to agree with the
> OS (or whatever software is going to verify the encrypted
> password) about the salt value, in order for passwords to be verified
> properly? If so, how do you find out what the proper salt
> value is? If not, how the heck does this work? (I understand
> that the purpose of the salt is to introduce some additional
> randomness into the encrypted password, I just don't
> understand how I'm supposed to choose an appropriate value.)

There is no "right value" for the salt.

Since crypt() is one-way, there must be some repeatable encryption key to
be able to use to turn "passwd" into "ssi.eqxOCKoMQ", every time "attriel"
types it in for their passwd.  The salt is just that extra repeatable bit.
 It's prepended to the encrypted version (in this case "ss") and then when
the user logs in, it takes their username (attriel) and finds that entry
in /etc/passwd or /etc/shadow or whatever, takes what they typed for a
password, grabs the salt from /etc/whatever, runs crypt("passwd", "ss")
and (unless something went horribly wrong) gets "ssi.eqxOCKoMQ", which it
then compares to itself and gets "ssi.eqxOCKoMQ" successfully.

If "ss" weren't part of the encrypted string, then it'd have to be
somewhere else (I think someone tried a /etc/salts directory, keyed by
username storing the salt and decided shadow was better for protecting the
encrypted values).

That's how things like Crack (has that been updated in like the last 5
years at all?) work -- they grab all the salts from /etc/passwd and use
each salt on the big dictionary :/ /etc/shadow made it harder, b/c now the
user can't read the passwords anymore at least.

But it doesn't really matter what salt you use (the script I have takes
characters 3 and 4 from what you type; it's just something arbitrary :) 
But the user never knows what their salt is (and it changes every time they
change their password).  It's all internal bookkeeping.

--attriel



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
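
The salt bookkeeping described in the message above, as an added example that is not part of the original post. It keeps the traditional layout (two salt characters followed by the hash) but uses PBKDF2-SHA256 as a stand-in for the DES-based crypt(), so its output will not match "ssi.eqxOCKoMQ"; `toy_crypt`, `new_entry` and `verify` are hypothetical names.

```python
import base64
import hashlib
import hmac
import secrets

# Alphabet that traditional crypt() draws its two salt characters from.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_LEN = 2


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(password, salt): returns salt + digest.

    Only the first SALT_LEN characters of `salt` are used, so a whole stored
    entry can be passed as the salt, which is how login code calls crypt().
    """
    salt = salt[:SALT_LEN]
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)
    # 11 digest characters after the 2-character salt, like a 13-char entry.
    return salt + base64.b64encode(raw, altchars=b"./").decode()[:11]


def new_entry(password: str) -> str:
    """Password change: pick a fresh random salt, then hash with it."""
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(SALT_LEN))
    return toy_crypt(password, salt)


def verify(typed: str, stored: str) -> bool:
    """Login: reuse the salt at the front of the stored entry and compare."""
    return hmac.compare_digest(toy_crypt(typed, stored), stored)


if __name__ == "__main__":
    stored = toy_crypt("passwd", "ss")  # constructed sample entry
    print(stored, verify("passwd", stored), verify("passwd1", stored))
    # Same password, fresh salts: the stored strings almost always differ.
    print(new_entry("passwd"), new_entry("passwd"))
```
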





