LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-10-2007, 03:28 PM   #1
whysyn
Member
 
Registered: Jun 2003
Location: Cleveburg, OH
Distribution: mostly Fedora
Posts: 154

Rep: Reputation: 30
difference between md5 shadow and md5 elsewhere?


Hello,

I'm trying to import a bunch of users that are stored in a database to have system accounts for email.

The database hashes passwords with the md5() function, and according to authconfig, the shadow file is set for md5 as well, but when I look at a user in the DB that already matches a system account, the password fields look completely different:
Code:
5f4dcc3b5aa765d61d8327deb882cf99 (database with md5() function)
$1$d84L.BLI$eBOrWgfHw8L0e3U2gSPxj/ (same password from /etc/shadow)
Is there any way I can convert these?

Thanks!
 
Old 12-10-2007, 04:08 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677
From man (3) crypt:

Quote:
NOTES
Glibc Notes
The glibc2 version of this function has the following additional features. If salt is a character string starting with the
three characters "$1$" followed by at most eight characters, and optionally terminated by "$", then instead of using the DES
machine, the glibc crypt function uses an MD5-based algorithm, and outputs up to 34 bytes, namely "$1$<salt>$<encoded>",
where "<salt>" stands for the up to 8 characters following "$1$" in the salt, and "<encoded>" is a further 22 characters.
The characters in "<salt>" and "<encoded>" are drawn from the set [a–zA–Z0–9./]. The entire key is significant here (instead
of only the first 8 bytes).
 
Old 12-10-2007, 04:56 PM   #3
whysyn
Member
 
Registered: Jun 2003
Location: Cleveburg, OH
Distribution: mostly Fedora
Posts: 154

Original Poster
Rep: Reputation: 30
I've now gone and read crypt(3), shadow(5), and passwd(5), along with the pointer you've provided and am still unsure if it is even possible to convert, let alone how.

Could you provide any more pointers?
 
Old 12-10-2007, 07:58 PM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677
They are hashes so you can't convert from one to another. The shadow passwords used salt and the entries in the database don't. The $1$ indicates that md5sum was used. The $d84L.BLI$ indicates that the salt used was 'd84L.BLI'. The rest is the md5sum produced. The two systems use different output characters as well. I'm not sure what program produces the encoding for binary or hexadecimal to the '0-9a-zA-Z./' character set used. ( other than the lcrypt(3) library )
Looking at openssl for example, I could use something like:
openssl dgst -md5 -binary <(echo -n $password) | openssl enc -base64
But the base64 is the wrong encoding, and openssl dgst doesn't take a salt input.

What type of accounts do these users have presently? The passwords for accessing a database may be different from the passwords for accessing a normal account. If these are for samba or AD passwords, consider using one of those as the authentication source for the email server.

For Fedora Core at least, there are 3 books supplied with the samba rpm package that might help. Samba3-ByExample, Samba3-HOWTO, and UsingSamba. The first two are the same as you can find in the book store. The third is an earlier edition. The one in the book store may have more Samba3/Active Directory information. The chapters on PAM might be useful. Also, look in your RedHat documentation on how to change the authentication source. You may be able to do it from either the "users" configuration or "security".

If the database you have these passwords in is used for a Samba password backend, there probably is a way to use it as the authentication source, and you can probably do it from one of the system-config-* modules.

You would probably want to do this anyway for when users change their passwords.

---

If these passwords are from an ldap server, look at the pwdutils package.

---

I'm not positive from your last post, whether you have a list of passwords/encrypted passwords or if you just tested your own password against both password examples. I assumed the latter.

Last edited by jschiwal; 12-10-2007 at 08:39 PM.
 
Old 12-10-2007, 08:13 PM   #5
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Just so you know, the reason *nix passwords are salted is to prevent people from pre-computing the hashes and creating rainbow tables.
 
Old 12-11-2007, 11:11 AM   #6
whysyn
Member
 
Registered: Jun 2003
Location: Cleveburg, OH
Distribution: mostly Fedora
Posts: 154

Original Poster
Rep: Reputation: 30
That makes sense, thanks for the clarification.

What I have is an integrated website I run for a gaming clan. Users have a profile page, forum account, and TeamSpeak account that all use the same password. Those are all stored as md5 hashes in mysql. This allows single sign-on between the forum/profiles, and allows central password management (reseting in profile updates TeamSpeak and forums automatically).

I've added email to the things I do for the clan, and was hoping to keep the email passwords matched as well. I guess at this point I can try getting qmail to authenticate users against the DB table instead of system accounts.

I already have hooks in the code to update system account passwords when they do it on their profile page, so I could stick with that and just tell the users they must update their profile password to get their email working. Problem is there are 360+ users...

Thanks again for the info and your patience.

--

The hashes I posted in my example are from testing, both = "password." All I have in hand is md5() hashes, if I knew all of the plaintext passwords I'd have a lot easier time, but then, where's my security =)

Last edited by whysyn; 12-11-2007 at 11:14 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Md5 hlinux Fedora 2 06-28-2005 11:21 PM
what is MD5... JT13 Linux - General 2 06-11-2005 07:31 PM
md5 RDove Programming 3 03-07-2005 11:22 AM
using iso.md5 and iso.md5.asc Tyir Linux - Newbie 3 07-11-2004 12:45 AM
Md5 LinuxSeeker Linux - General 4 03-15-2004 06:01 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:40 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration