[349] in linux-security and linux-alert archive


Linux adduser security bug [Forwarded e-mail from Mark Whitis]

daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Tue Sep 5 23:20:18 1995

Date: Tue, 5 Sep 1995 22:53:51 -0400
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: linux-security@tarsier.cv.nrao.edu

Forwarded on from a fellow that I know (personally) here.  I have not
looked into this myself yet...

------- start of forwarded message (RFC 934 encapsulation) -------
From: whitis@wright.nasm.edu (Mark Whitis)
To: juphoff@NRAO.EDU
Subject: Linux adduser security bug
Date: Tue, 5 Sep 95 22:22:44 -0400

While writing my own adduser program, I noticed a bug in the adduser program
distributed with linux.  It only generates 256 possible salt values instead
of 4096.  This makes it easier for programs like crack.  It makes
storage of preencrypted dictionaries for all possible salt values more 
feasible (of order 500mb for 256 salts).  Since the security of
unix encrypted passwords is already pretty marginal with the
computing power readily available today, a factor of 16 degradation
is unacceptable.

No diffs yet, since I am working on a different program but the
appropriate lines from my program could replace those in adduser
to fix the problem when I am done.
------- end -------
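An added illustration for this archive page, not code from either correspondent: it generates traditional crypt(3) salts over the full 64 x 64 = 4096 space and scans /etc/passwd-style entries to estimate how much of that space the salts on a system actually cover, which is the check an administrator would want after reading the report above. The "narrow" generator is an assumed mechanism (one byte split into two 4-bit halves), chosen only because it yields exactly 256 salts; the message does not say how the shipped adduser produced its 256. The passwd lines are constructed samples.

```python
import secrets
import string
from typing import Dict, Iterable, List

# Alphabet traditional DES crypt(3) uses for its two-character salt: 64 symbols,
# so 64 * 64 = 4096 distinct salts are possible.
SALT_ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase
FULL_SALT_SPACE = len(SALT_ALPHABET) ** 2  # 4096
DES_HASH_LEN = 13  # 2 salt chars + 11 chars of hash output

_SYSTEM_RNG = secrets.SystemRandom()  # CSPRNG-backed; rng parameter allows seeding in tests


def generate_salt(rng=_SYSTEM_RNG) -> str:
    """Draw both salt characters independently and uniformly from the full
    64-symbol alphabet, so every one of the 4096 salts is reachable."""
    return rng.choice(SALT_ALPHABET) + rng.choice(SALT_ALPHABET)


def narrow_salt_8bit(byte: int) -> str:
    """ASSUMED mechanism, for illustration only: derive both salt characters
    from one 8-bit value (4 bits each).  Only 16 * 16 = 256 salts are
    reachable, matching the count in the report; the report does not show
    how the shipped adduser actually produced its 256 salts."""
    if not 0 <= byte <= 255:
        raise ValueError("expected a single byte")
    return SALT_ALPHABET[byte >> 4] + SALT_ALPHABET[byte & 0x0F]


def audit_salts(passwd_lines: Iterable[str]) -> Dict[str, object]:
    """Scan /etc/passwd-style lines and summarise the salts of traditional
    DES hashes.  Entries that are shadowed ('x'), locked ('*', '!'), empty,
    or in modular crypt format ('$id$...') carry no DES salt and are skipped.
    The per-position character sets give an upper bound on how many salts
    the generator that produced these entries could reach."""
    chars_pos1, chars_pos2, salts = set(), set(), set()
    accounts = 0
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 2:
            continue
        h = fields[1]
        if len(h) != DES_HASH_LEN or any(c not in SALT_ALPHABET for c in h):
            continue
        accounts += 1
        salts.add(h[:2])
        chars_pos1.add(h[0])
        chars_pos2.add(h[1])
    return {
        "accounts": accounts,
        "distinct_salts": len(salts),
        "chars_pos1": chars_pos1,
        "chars_pos2": chars_pos2,
        "reachable_upper_bound": len(chars_pos1) * len(chars_pos2),
    }


def degradation_factor(audit: Dict[str, object]) -> float:
    """How many times smaller the observed salt space is than the full 4096."""
    bound = audit["reachable_upper_bound"]
    return FULL_SALT_SPACE / bound if bound else float("inf")


def make_passwd_lines(salts: Iterable[str]) -> List[str]:
    """Constructed sample: one account per salt.  The 11-character hash body
    is a fixed placeholder; only the salt prefix matters to the audit."""
    body = "A" * 11
    lines = [
        "root:x:0:0:root:/root:/bin/sh",                                           # shadowed, skipped
        "nobody:*:65534:65534::/:/bin/false",                                      # locked, skipped
        "md5user:$1$saltsalt$abcdefghijklmnopqrstu:1999:100::/home/md5user:/bin/sh",  # MCF, skipped
    ]
    for i, s in enumerate(salts):
        lines.append(f"user{i}:{s}{body}:{1000 + i}:100::/home/user{i}:/bin/sh")
    return lines


if __name__ == "__main__":
    narrow = make_passwd_lines(narrow_salt_8bit(b) for b in range(256))
    report = audit_salts(narrow)
    print("narrow generator:", report["distinct_salts"], "salts,",
          f"{degradation_factor(report):.0f}x smaller than {FULL_SALT_SPACE}")
    full = make_passwd_lines(generate_salt() for _ in range(256))
    report = audit_salts(full)
    print("full generator: reachable upper bound", report["reachable_upper_bound"])
```

The per-position bound is a heuristic: it only becomes meaningful once a passwd file holds enough DES-hashed accounts that a full-range generator would have shown well over 16 distinct characters in each salt position. On a file where every salt character falls within a 16-symbol subset, the reported factor of 16 is exactly the degradation the message describes.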
