Is the encrypted password's salt simply random?
F. L. Charles Seeger III
seeger at thedon.cis.ufl.edu
Fri Mar 1 11:28:31 AEST 1991
In article <1991Feb27.202424.16444 at rigel.econ.uga.edu> glenn at rigel.econ.uga.edu (Glenn F. Leavell) summarizes:
|In article <1991Feb26.201846.22584 at rigel.econ.uga.edu> I recently wrote:
|>I'm using a randomly generated two-character salt from the set [a-zA-Z0-9./],
|>and everything seems to be working fine. Here's my question: is this
|>the right way to choose the salt - just a random thing?
Included as part of the summary:
| >The old BSD 4.3 "passwd" program uses
| >	(void)time(&salt);
| >	salt = 9 * getpid();
| >	saltc[0] = salt & 077;
| >	saltc[1] = (salt>>6) & 077;
| >	for (i = 0; i < 2; i++) {
| >		c = saltc[i] + '.';
| >		if (c > '9')
| >			c += 7;
| >		if (c > 'Z')
| >			c += 6;
| >		saltc[i] = c;
| >	}
| >	return(crypt(pwbuf, saltc));
| >which is based on the time of day clock.
Note that the salt generated by this code does not depend on the time. The
assignment in the second line discards the result of the time() call. The
fix that I have seen suggested is to change the assignment operator from "="
to "+=". However, the UCB folks seem to have changed the code more
drastically.
static char sccsid[] = "@(#)passwd.c 4.42 (Berkeley) 6/19/90";
...
char *
getnewpasswd(pw, temp)
	register struct passwd *pw;
	char *temp;
{
	register char *p, *t;
	char buf[_PASSWORD_LEN+1], salt[2], *crypt(), *getpass();
	...
	/* grab a random printable character that isn't a colon */
	(void)srandom((int)time((time_t *)NULL));
#ifdef NEWSALT
	salt[0] = '_';
	to64(&salt[1], (long)(29*25), 4);
	to64(&salt[5], (long)random(), 4);
#else
	to64(&salt[0], (long)random(), 2);
#endif
	return(crypt(buf, salt));
}
Personally, I'm a bit suspicious of NEWSALT and the "&salt[5]".
Chuck
--
Charles Seeger E301 CSE Building Office: +1 904 392 1508
CIS Department University of Florida Fax: +1 904 392 1220
seeger at ufl.edu Gainesville, FL 32611-2024
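The two salt generators quoted above, worked through in code. This is an added example written for this archive page, not code from the post or from BSD; it reproduces the 4.3BSD character mapping exactly as quoted, with the clock value and pid passed in as parameters so the "salt does not depend on the time" claim can be checked, and with the "+=" fix selectable. The to64() helper is a reimplementation modelled on the BSD routine of that name (its exact body is an assumption, not taken from the page), and newsalt_format() lays out the NEWSALT path with a correctly sized buffer: '_' plus four digits of count plus four of random is nine bytes, which is what makes the &salt[5] write into a char salt[2] worth being suspicious of.

```c
#include <stdio.h>
#include <string.h>

/* crypt(3) salt alphabet: ./0-9A-Za-z, 64 symbols. */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Assumed reimplementation of BSD's to64(): emit n base-64 digits of v,
   least significant digit first, into s. */
static void to64(char *s, long v, int n)
{
    while (--n >= 0) {
        *s++ = itoa64[v & 0x3f];
        v >>= 6;
    }
}

/* The 4.3BSD salt logic from the quoted passwd. time_now stands in for what
   (void)time(&salt) stored; with fix_plus_equals == 0 the following "="
   discards it, as in the original, with 1 the suggested "+=" is applied.
   Writes a NUL-terminated two-character salt into saltc. */
void bsd43_salt(long time_now, int pid, int fix_plus_equals, char saltc[3])
{
    long salt;
    int i;
    char c;

    salt = time_now;
    if (fix_plus_equals)
        salt += 9 * pid;
    else
        salt = 9 * pid;            /* clock value is thrown away here */
    saltc[0] = salt & 077;
    saltc[1] = (salt >> 6) & 077;
    for (i = 0; i < 2; i++) {
        c = saltc[i] + '.';
        if (c > '9')
            c += 7;
        if (c > 'Z')
            c += 6;
        saltc[i] = c;
    }
    saltc[2] = '\0';
}

/* Returns 1 if the hand-rolled '.' / +7 / +6 mapping produces the same
   character as the itoa64 table for every 6-bit value, 0 otherwise. */
int mappings_agree(void)
{
    int v;
    for (v = 0; v < 64; v++) {
        char c = v + '.';
        if (c > '9')
            c += 7;
        if (c > 'Z')
            c += 6;
        if (c != itoa64[v])
            return 0;
    }
    return 1;
}

/* NEWSALT layout: '_', four digits of iteration count, four digits of the
   random value, then NUL. Nine characters plus terminator, so out needs
   ten bytes; a char salt[2] as declared in the quoted code cannot hold it. */
void newsalt_format(char out[10], long rounds, long rnd)
{
    out[0] = '_';
    to64(&out[1], rounds, 4);
    to64(&out[5], rnd, 4);
    out[9] = '\0';
}

int main(void)
{
    char a[3], b[3], n[10];

    /* constructed inputs: same pid, two different clock readings */
    bsd43_salt(1000L, 1234, 0, a);
    bsd43_salt(2000L, 1234, 0, b);
    printf("old code, pid 1234, two times: %s %s\n", a, b);
    bsd43_salt(1000L, 1234, 1, a);
    bsd43_salt(2000L, 1234, 1, b);
    printf("with '+=' fix:                 %s %s\n", a, b);
    printf("mapping agrees with itoa64:    %d\n", mappings_agree());
    newsalt_format(n, 29L * 25L, 4095L);
    printf("NEWSALT (%d chars + NUL):      %s\n", (int)strlen(n), n);
    return 0;
}
```

Run as is, the first line prints the same salt twice, confirming that the old code's salt is a function of the pid alone; the "+=" variant prints two different salts for the same pid. The check of mappings_agree() shows that the character arithmetic in the old code and the table lookup in to64() produce the same alphabet, so the change in the 4.42 source is about where the bits come from, not how they are encoded.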