Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,600
Rep:
"Linux" doesn't encrypt its passwd's with a certain algorithm - it's a distro by distro choice. As I said MOST newer distro's use MD5. What distro are you using? From the sounds of it you are probably using MD5. Do the passwords start with '$1$'? If so they are MD5.
yes, password starts with $1$. then there's 8 chars salt and then a $ separator and then remaining 22 bytes.
If it's MD5, then how can it be 34 bytes long like this.
As acccording to MD5 rfc, it generates an output of 128-bit always.
Sorry but, what do you exactly mean by distro? Do you mean the distributor by this?
Then i am using Red Hat 7.1
I know this is like an extremely old post (I just like to take my time OK!), however, I spent hours looking for a way to do this. I use NSS Switch to control my domains. So I needed a way for my users to change their passwords themselves, without actually having to SSH into the server and use passwd.
The best way to obtain the result (in MySQL anyway) is to select the user and their password field, build the result in PHP.
You could modify this to grab the password using fgets() or something similar, but my example uses mysql strings, because its far faster at pulling user passwords and a lot less work.
To explain what this does: -
1. $new => once you have the password you want split it into an array
2. $existingPattern=> We only want the encryption type (in this case MD5 (.. or $1$)) and the Salt (... or $SALTGOESHERE$)the last part is the encrypted password, which, lets face it, we'll never decrypt.
3. use the PHP script in a url to print the new crypted password using the pattern type and your new password.
* NOTE: always use single quotes (') otherwise PHP will think that you're referring to system variables because of the dollar sign ($).
Then you can use something like get_url in Java to read the output of the script from a URL. Don't forget to htpasswd protect the URL or use session management or something similar. You could also write the output into a JSON or XML using PHP, for use in your application. I can't go into too much detail about how you would secure this between a Java Applet/Application and the URL, as I use pure PHP to interact with my user database in Unix, and as the scripts and server are on the localhost I don't need to echo out anything.
Wooggle, welcome to LQ. I am glad to see that you were able to find information of value in the archives and want to thank you for providing new insights and suggestions.
I would, however, like to recommend that in the future to please start a new thread instead of appending to an old one, even though old threads are not typically closed off. As you noticed, this one is particularly old and necro-posting is generally discouraged in the forums. If you would like to reference the original content, the best way to do so would be to place a link to it in your post.
you can use this link for Encrypt and Decrypt MD5 Password-
Quote:
Originally Posted by Noway2
Wooggle, welcome to LQ. I am glad to see that you were able to find information of value in the archives and want to thank you for providing new insights and suggestions.
I would, however, like to recommend that in the future to please start a new thread instead of appending to an old one, even though old threads are not typically closed off. As you noticed, this one is particularly old and necro-posting is generally discouraged in the forums. If you would like to reference the original content, the best way to do so would be to place a link to it in your post.
Actually, in this case, I did find the complete thread to be useful. But, having said that, it is often even more useful to start a new thread which cites one or more other articles from the same or different forums. Now, you can very easily summarize the latest information from everywhere.
The problem with "opening an old thread," of course, is that the information might well be stale, but who really stops to look at the posting-dates for what now appears to be a "new" thread? Not many. Not me. Hence, creating a new thread with citations: the thread is "new or recent," as users typically expect it to be; the citations are understood to be older.
In closing: one thing that isn't mentioned at all in the thread is that, in my experience, most "shops" of any size have long-ago switched their authentication practices to the use of a common authority, i.e. LDAP (nee OpenDirectory), or Kerberos. Both of which are well-supported in Linux thanks to the magic of PAM = Pluggable Authentication Modules. If you want people to have common passwords, or you want a consistent, enterprise-wide way of managing both authentication and authorization, without going absolutely insane, "thais is how." It generally obviates the need for the technique shown in this thread ... replacing it with something much better. Every OS, and every web-server that I know of, supports this strategy.
Last edited by sundialsvcs; 07-06-2012 at 08:51 AM.
Actually, in this case, I did find the complete thread to be useful. But, having said that, it is often even more useful to start a new thread which cites one or more other articles from the same or different forums. Now, you can very easily summarize the latest information from everywhere.
The problem with "opening an old thread," of course, is that the information might well be stale, but who really stops to look at the posting-dates for what now appears to be a "new" thread? Not many. Not me. Hence, creating a new thread with citations: the thread is "new or recent," as users typically expect it to be; the citations are understood to be older.
In closing: one thing that isn't mentioned at all in the thread is that, in my experience, most "shops" of any size have long-ago switched their authentication practices to the use of a common authority, i.e. LDAP (nee OpenDirectory), or Kerberos. Both of which are well-supported in Linux thanks to the magic of PAM = Pluggable Authentication Modules. If you want people to have common passwords, or you want a consistent, enterprise-wide way of managing both authentication and authorization, without going absolutely insane, "thais is how." It generally obviates the need for the technique shown in this thread ... replacing it with something much better. Every OS, and every web-server that I know of, supports this strategy.
To know what exactly the distro is using encryption.
check this file.
cat /etc/login.defs
in Red Hat it is MD5
in Ubuntu SHA512
In suse blowfish.
You can change the bydefault encryption method also in your system.
I have taken a section /etc/login.defs from my ubuntu.
I hope it will give you clear picture
It is in below quote
Quote:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
# This variable is deprecated. You should use ENCRYPT_METHOD.
# #MD5_CRYPT_ENAB no
#
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD SHA512
You can certainly call the SHAXXXsum etc algos directly.
Just FYI though looking at my Centos6 box, it looks like default is SHA512; MD5 was default for RHEL5.
Just checked a RHEL6 box: SHA512 again
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.