[linux-security] Re: md5,des etc..

["Michael H. Warfield" <mhw wittsend com>]

On Wed, Nov 17, 1999 at 09:02:52PM -0500, Arni Raghu wrote:
> Hoping that this is not OT..

> Hi
> I want to write a simple perl script to see if my system supports des or md5
> as the password encryption scheme..what is the easiest way..

> one of course is to look at the /etc/shadow file and then parsing the passwd
> field, any better way..??

	You could grep the files in /etc/pam.d looking for the "md5" token.
In particular, look for a line like this in /etc/pam.d/passwd (which
configures pam for the passwd app which is what creates the hashes):

password   required     /lib/security/pam_pwdb.so use_authtok nullok md5 shadow

	That might be more reliable.  If you take a system that has BEEN
using des password hashes in /etc/passwd and convert it to use shadow with
md5 hashes, you will discover that your /etc/shadow file still contains
only des hashes immediately after convertion and prior to anyone changing
their password.  Reason...  There is no (and can not be an) algorithm
for converting from md5 hashes to des hashes or vice-versa.  The result
of this is that the pam modules must be able to handle and check either
algorithm while new passwords (changed or new accounts) get hashed by
the algorithm of choice at the time they are created.

> Thx,
> Arni

> -- 
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
> 
> To unsubscribe:
>   mail -s unsubscribe linux-security-request redhat com < /dev/null

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw WittsEnd com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!