jimbobn has asked for the wisdom of the Perl Monks concerning the following question:

Hiya Monks, I have a script that generates random passwords, and creates user accounts based on the information that the user inputs + the random password. i.e adduser mychosenusername -p mygeneratedpassword It has just been brought to my attention that the -p switch on the adduser command requires an encrypted password. would someone please be able to show me (in idiots terms) how to take a variable i.e $genpass , with the password generated by my script, and encrypt it into something that i will then be able to pass to the adduser -p command? thanks

Replies are listed 'Best First'.
Re: Adduser & Crypt
by twerq (Deacon) on Aug 13, 2002 at 13:00 UTC
    You need to check up on the crypt function.. . .but basically:
    
# generate a random salt
my $salt = join '', 
   ('.', '/', 0..9, 
   'A'..'Z', 'a'..'z')[rand 64, rand 64];

# combine salt with plaintext password
my $encrypted_pass = crypt($plaintext_pass, $salt);

    [download]


    --twerq
[reply]
[d/l]
      It's worth pointing out that your code assumes the old DES-based crypt algorithm, which is highly crackable with modern hardware. A lot of systems are switching to MD5 crypt (which uses special salts that start with "$1$") or eksblowfish ("$2x$"). You might experiment with your particular crypt function and see if it accepts salts of this form. 
      > perl -e 'print crypt("foo",q[$1$bar$]), "\n"'
$1$bar$gJTJurciWk9pIaPpodyiw.
> perl -e 'print crypt("foo",q[$2x$bar$]), "\n"'
$2zJyhpjk3l9E

      [download]
      The output above is from a slackware system. It recognized "$1$bar$" as an MD5 salt, and kept the entire string in its output. However, it interpreted "$2x$bar$" as an old-style DES salt, and only kept the first two characters. If your system accepts both MD5 and DES crypted passwords (like mine), you want to make sure you're using MD5 -- John cracks DES 30 times faster than MD5 on my machine.

      Here's a trick I've seen for generating salts. What do you think? 

      $des_salt = substr(crypt(rand(), "aa"), -3, 2);
$md5_salt = '$1$' . substr(crypt(rand().rand(), '$1$aaaaaaaa$'), -9, 8
+) . '$';

      [download]
      This way, you don't need to include the details about crypt's output character set in your code. Why rand().rand()? Some rand implementations have a 32-bit internal state but only output 16 bits of randomness per call. (Notably, Solaris libc and whatever ActiveState for Win32 is built against both do this.)

      Update: Tweak, tweak. Turns out the last byte of the crypted pass doesn't hold a full 6 bits of information, so avoid it. This doesn't make much difference with MD5 (since rand is never going to give you 48 bits of real information anyway), but it's a big hit against a DES-based salt.

[reply]
[d/l]
[select]
Re: Adduser & Crypt
by zentara (Cardinal) on Aug 13, 2002 at 16:16 UTC 
     You might want md5 passwords with crypt
    #!/usr/bin/perl

print "Standard crypt output\n";
print crypt("password","sa"), "\n";

#glibc's implementation  that takes  care of  this.  Since  perl on 
# Linux uses glibc, you get this automagically. When the salt looks li
+ke 
# $1$...., it will encrypt the password using MD5.  e.g. 

print "MD5 crypt output\n";
print crypt("password","\$1\$thesalt\$"), "\n";

    [download]
[reply]
[d/l]

Back to Seekers of Perl Wisdom