Oh my!!! The answer to my original post was my original post!!!
Original post:
> From time to time I have to generate encrypted passwords without associating them
> directly with a user Solaris account (they can be passwords for xtacacs, passwords
> for protected httpd directories, etc.). I know that these passwords use the
> same encryption algorithms as NIS+.
>
> I modified a C program to use the function crypt() (Solaris 2.5)
> to create encrypted passwords.
>
> Here is the code segment:
>
> {
> salt[0]=line[0];
> salt[1]=line[1];
> printf("%s\n",crypt(line,salt));
> }
>
> where line corresponds to the non encrypted password.
>
> As you can see, the salt is given by the first 2 characters of the
> non-encrypted password.
>
> When I run the program, the encrypted password does not correspond to the one
> in the NIS+ passwd table. So I do not use the right salt!
>
> (imagine my password is "aloha", then
> 'niscat passwd|grep elvis' gives me "elvis:wejfUUSjsIw2kY:..." and my program
> gives me a completely different string.)
>
> Finally, my questions are:
>
> 1) What salt should I use to encrypt a text password into an encrypted
> password understandable by NIS+?
The answer is: Everything is correct!!! It is normal that the new encrypted string
is different from the one NIS+ generated, since the salt is different! In my
script, the salt I am using is the first 2 characters of my UNENcrypted future
password. So the resulting string is different. But NIS+ will be able to
decrypt this new string using the first 2 characters of the new ENcrypted
password!!! And so for xtacacs!
And so my routine is correct and does exactly what I want.
% generate_password pegasus
geY7ORqvrskNo
%
Here the salt the script uses is "pe"
I just have to put geY7ORqvrskNo in my xtacacs_passwd and even in my
/etc/shadow file and that's it!
My new password is now pegasus!!!
Thank you to Casper Dik who showed me the light with his comment:
> You wrongly initialize salt.
> Typical crypt usage is:
> crypt(line, encrypted_password);
> The first two characters of the encrypted password are the salt.
> Not the first two of the unencrypted password (that would make
> password guessing trivial)
So a big thanks to
Casper Dik <casper@holland.Sun.COM>
Simon-Bernard Drolet <Simon-Bernard.Drolet@M3iSystems.com>
PS. I adore this list :-)
--
Michel Pilon                          E-mail: michel.pilon@CCG.RNCan.gc.ca
Unix Systems Administrator            Tel: (819) 564-4819
Centre d'information topographique    Fax: (819) 564-5698
2144 King Ouest, suite 010, Sherbrooke, Quebec, Canada, J1J 2E8
http://cyniska.ubishops.ca/pilonm
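Added example, not the poster's generate_password script nor Casper's code: it shows the two crypt(3) conventions the thread turns on, in Ruby because String#crypt is a thin wrapper over the same library call the Solaris program used, so it runs as-is on any system whose crypt still supports the traditional DES scheme (2-character salt, 13-character result). Creating a hash takes a salt chosen at random from the crypt alphabet rather than from the password; verifying a password passes the stored hash itself as the salt, exactly as Casper describes, because crypt() reads the salt back from the first two characters. The function names (random_salt, crypt_with_salt, generate_password, password_matches?, salt_taken_from_password?) and the sample inputs are assumptions of this example. With a traditional crypt(3), the first two characters of the result are the salt itself, which is an easy way to check which salt any given entry was produced with.

```ruby
# Added example, not the poster's generate_password script. Ruby's String#crypt
# wraps the same crypt(3) routine the thread is about, so the behaviour matches
# the Solaris program as long as the platform still supports the traditional
# DES scheme (2-character salt, 13-character result).
require 'securerandom'

# The 64 characters crypt(3) accepts in a salt: [a-zA-Z0-9./]
SALT_CHARS = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['.', '/']).freeze

# A 2-character salt drawn at random from SALT_CHARS. This is the fix for the
# poster's original mistake: the salt must not be derived from the password,
# otherwise the stored hash reveals the first two characters of the plaintext.
def random_salt
  Array.new(2) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
end

# What the poster's C program does, with the salt made an explicit argument.
# crypt() embeds the salt as the first two characters of its 13-character result.
def crypt_with_salt(password, salt)
  password.crypt(salt)
end

# Hypothetical replacement for the poster's generate_password script: same
# output format, but with a random salt instead of password[0..1].
def generate_password(password)
  crypt_with_salt(password, random_salt)
end

# Byte-wise comparison whose running time does not depend on where the first
# mismatch is, so a remote caller learns nothing from response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verification the way login, NIS+ or xtacacs do it (Casper's point): pass the
# STORED hash as the salt argument. crypt() takes the salt from its first two
# characters, so the correct password reproduces the stored string exactly.
def password_matches?(password, stored_hash)
  secure_equal?(password.crypt(stored_hash), stored_hash)
end

# True when a stored hash was produced with the poster's original scheme, i.e.
# its salt equals the first two characters of the plaintext. Useful as an audit
# check when deciding which entries made that way should be regenerated.
def salt_taken_from_password?(password, stored_hash)
  stored_hash[0, 2] == password[0, 2]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the password from the post, hashed with a random salt.
  hash = generate_password('pegasus')
  puts "stored hash:      #{hash}"
  puts "salt in use:      #{hash[0, 2]}"
  puts "pegasus matches?  #{password_matches?('pegasus', hash)}"
  puts "aloha matches?    #{password_matches?('aloha', hash)}"
end
```

Run it a few times and the stored hash changes every time while password_matches? keeps returning true for "pegasus": the salt is carried inside the hash, so nothing else needs to be stored next to it, which is why the same 13-character string can be dropped into xtacacs_passwd or /etc/shadow unchanged.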