Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!ub!csn!boulder!spot.Colorado.EDU!frechett
From: frechett@spot.Colorado.EDU (-=Runaway Daemon=-)
Newsgroups: comp.unix.questions
Subject: Re: What does '*' symbol in /etc/passwd means?
Message-ID: <1991Jun14.051958.17564@colorado.edu>
Date: 14 Jun 91 05:19:58 GMT
References: <27176@adm.brl.mil> <1991Jun14.002427.6120@csc.canberra.edu.au>
Sender: news@colorado.edu (The Daily Planet)
Organization: University of Colorado, Boulder
Lines: 59
Nntp-Posting-Host: spot.colorado.edu

In article <1991Jun14.002427.6120@csc.canberra.edu.au> rvp@softserver.canberra.edu.au (Rey Paulo) writes:

I just recently spent a significant amount of time figuring out why crypt does what it does, and I believe I can add a bit here.

>
>The reason why '*' is used to lock login is because '*' is not in the
>encrypted alphabet of the crypt algorithm. Hence, it is impossible for
>the encryption program to generate a string with a '*'.

There is a bit more to it than just the fact that * is not in the encryption character set (which is true). Valid characters are [a-zA-Z/.]. But if I were to use any string in /etc/passwd with a length != 13 bytes it will be invalid. The nuts at work commonly use name:PASSWD GOES HERE:etc:etc:etc.... . This string cannot possibly be generated by crypt(3), and this is why.

In the internals of crypt(3) it takes as input a 10 byte word and 2 bytes of salt. The salt is generally chosen randomly and it consists of two of the characters from the valid characters mentioned above. The salt chooses 1 of 4096 different slight modifications in the standard DES encryption scheme. The word and salt are fed in and crypt(3) outputs the salt as the first two characters of the encrypted passwd and then 11 more bytes of truly encrypted data.

For fun.. look at the string in /etc/passwd that is your encrypted passwd, change it.. then change it back. Look again at the string; it will be different due to a new randomly chosen salt.

Also, crypt(3) is not decryptable in that once you have an encrypted word there is no way to return the original string. The only way to decrypt is actually to encrypt a guess and compare with what you already have.

An example:

(>=+=>crypt.pl
Enter =>blueish aB
Crypt is: aB6YSC2UZBGII        Note aB is in encryption
Enter =>blueish Z.
Crypt is: Z.0iioX3H3zoo
Enter =>blueish Z.0iioX3H3zoo  and this is why.. This is how
                ^^^^^^^^^^^^^  login checks your passwd. You would take this from /etc/passwd
Crypt is: Z.0iioX3H3zoo

Two more notes..

1. I say crypt(3) because crypt(1) is totally different.
2. crypt(3) is purposely designed to take a HUGE portion of CPU when encrypting, which makes passwd cracking very slow and fairly visible. If I just run one guess through every line of the /etc/passwd file on my DEC5500 (about 28 Mips) it hangs about every 5 seconds for up to 20 seconds.. The machine just can't afford to keep the process in memory all the time.

>
>--
>Rey V. Paulo                  | Internet: rvp@csc.canberra.edu.au
>University of Canberra        | I am not bound to please thee with my answer.
>AUSTRALIA                     |          -Shylock, in "The Merchant of Venice"
>------------------------------+----------------------------------------------

ian
-=Runaway Daemon=-  (UNIXOPS University of Colorado at Boulder)
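An added example (not from the post, and not the crypt.pl script shown in it) that applies the rules the post describes to a constructed /etc/passwd: it sorts each password field into a well-formed 13-character crypt(3) string, the '*' lock marker, an empty field, or free text such as "PASSWD GOES HERE" that crypt(3) can never produce, numbers the two-character salt among the 4096 DES variants, and shows the login-style check of re-encrypting a guess under the salt taken from the stored string. The crypt_fn argument is an assumed stand-in for crypt(3) so the code runs without a DES implementation; the alphabet used is the full 64-character set ./0-9A-Za-z that crypt(3) emits.

```python
import re

# The 64 characters crypt(3) emits, in the order used to number salt characters 0..63.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # salt (2) + hash (11), nothing else

def salt_index(salt):
    """Number the salt 0..4095 (the DES variant it selects); first character gives the low 6 bits."""
    return CRYPT_ALPHABET.index(salt[0]) + 64 * CRYPT_ALPHABET.index(salt[1])

def classify(field):
    """What the password field means to login: empty, locked, a real hash, or unmatchable."""
    if field == "":
        return "empty"        # no password asked for
    if field == "*":
        return "locked"       # the conventional lock marker
    if DES_HASH_RE.match(field):
        return "des-crypt"    # well-formed crypt(3) output
    return "invalid"          # e.g. "PASSWD GOES HERE": crypt(3) can never produce it

def verify_guess(guess, stored, crypt_fn):
    """What login does: encrypt the guess under the stored salt and compare with the stored string."""
    # crypt_fn is an assumed stand-in for crypt(3) taking (word, salt) and returning 13 characters.
    if classify(stored) != "des-crypt":
        return False          # '*', empty and free text can never match a freshly encrypted guess
    return crypt_fn(guess, stored[:2]) == stored

def audit_passwd(text):
    """One record per passwd line: user, status and, for real hashes, the salt it was made with."""
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            rec = {"user": fields[0], "status": "malformed"}
        else:
            rec = {"user": fields[0], "status": classify(fields[1])}
            if rec["status"] == "des-crypt":
                rec["salt"], rec["salt_index"] = fields[1][:2], salt_index(fields[1][:2])
        records.append(rec)
    return records

# Constructed sample file; the two hash strings are the ones printed by crypt.pl in the post.
SAMPLE_PASSWD = """root:Z.0iioX3H3zoo:0:0:root:/:/bin/sh
ian:aB6YSC2UZBGII:100:10:ian:/u/ian:/bin/csh
nobody:*:65534:65534:nobody:/:/bin/false
cron:PASSWD GOES HERE:2:2:cron:/:/bin/sh
guest::200:20:guest:/u/guest:/bin/sh"""

if __name__ == "__main__":
    for rec in audit_passwd(SAMPLE_PASSWD):
        print(rec)
```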