(2) is a fantastically bad idea. It looks like an attempt to set the salt to the first two characters of the plaintext password, though it actually just sets it to 0 or 1. If it worked as apparently intended, any attacker looking at your passwords would immediately know the first two characters of the plaintext. Also, if your system uses something other than DES for its crypt(), two bytes of salt won't be enough.

As for how AuthDBI checks the passwords, here's what the pod says:

Finally the passwords (multiple passwords per userid are allowed) are retrieved from the database. The result is put into the environment variable REMOTE_PASSWORDS. Then it is compared to the password given. If the encrypted directive is set to 'on', the given password is encrypted using perl's crypt() function before comparison. If the encrypted directive is set to 'off' the plain-text pass- words are compared.

So with encrypted passwords set 'on', it works like this:

  1. AuthDBI fetches the (encrypted) password from the database
  2. It then encrypts the plaintext password given by the user with the ciphertext password as salt (the salt is stored in the first bytes of the ciphertext. The exact number of bytes depends on the algorithm you're using)
  3. Finally it compares the stored ciphertext with the new ciphertext

Here's the relevant code from the section that checks a cached password: 
    $salt = $Attr->{encryption_salt} eq 'userid' ? $user_sent : $passw
+d_cached;
    my $passwd_to_check = $Attr->{encrypted} eq 'on' ? crypt($passwd_s
+ent, $salt) : $passwd_sent;
    # match cached password with password sent
    $passwd = $passwd_cached if $passwd_to_check eq $passwd_cached;

[download]

Looks like it uses the userid as a salt if you have Auth_DBI_encryption_salt set to 'userid', which strikes me as kind of silly.

Store your passwords in crypted form in your database, using (1) to generate your salt (though you should verify that your system's crypt() only needs two bytes of salt), make sure Auth_DBI_encryption_salt isn't set to 'userid', and you should be alright.

-Matt

In reply to RE: AuthDBI salt ? by DrManhattan
in thread AuthDBI salt ? by bubble

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.