*BSD News Article 10955



Received: by minnie.vk1xwt.ampr.org with NNTP
	id AA1075 ; Thu, 11 Feb 93 21:00:10 EST
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!caen!uwm.edu!cs.utexas.edu!sun-barr!olivea!charnel!rat!usc!howland.reston.ans.net!bogus.sura.net!udel!gatech!news.ans.net!cmcl2!prism.poly.edu!kapela
From: kapela@prism.poly.edu (Theodore S. Kapela)
Newsgroups: comp.unix.bsd
Subject: "*" with DES (Was: Re: *Big* security leak for users w/o crypt.)
Message-ID: <1993Feb10.132529.14595@prism.poly.edu>
Date: 10 Feb 93 13:25:29 GMT
References: <1993Feb6.110834.27698@ghost.dsi.unimi.it>
Organization: Polytechnic University, New York
Lines: 21

In article <1993Feb6.110834.27698@ghost.dsi.unimi.it> serini@ghost.dsi.unimi.it (Piero Serini) writes:
>
>I use a DES implementation which accepts "*" as a valid character.
>So, passwords are encrypted, "secure" accounts have both "**" as
>password and "/dev/null" as shell. I think it's enough.

The encryption routine may accept a * as a legal char for the password, but
it most likely does *NOT* use it in the encrypted string (have you seen
a "*" buried among the chars in the encrypted password?). The encrypted
"key" is also a fixed length (usually 56 bits), also making it impossible
to encrypt to a single "*".

In any case, if a single "*" results from the output of your DES routines
(and is valid), then why wouldn't a "**" be valid?


-- 
...............................................................................
 Theodore S. Kapela				kapela@poly.edu
 Center for Applied Large-Scale Computing	
 Polytechnic University
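A defender's check that follows from the point made in this post (an added example, not code from the thread): traditional DES crypt(3) emits a 13-character string (2 salt characters plus 11 of encoded ciphertext) drawn from a fixed 64-character alphabet that contains no "*", so a password field of "*" or "**" can never equal any crypt() output and the account is effectively locked. The passwd entries below are constructed for illustration.

```python
import string

# Output alphabet of the traditional DES crypt(3): 64 characters, no "*".
CRYPT_ALPHABET = set("./" + string.digits + string.ascii_uppercase
                     + string.ascii_lowercase)
DES_CRYPT_LEN = 13  # 2 salt characters + 11 characters of encoded ciphertext


def classify_password_field(field: str) -> str:
    """Classify the second field of a passwd(5) entry.

    "empty"  - no password at all; login succeeds with no password
    "des"    - well-formed traditional DES crypt(3) output (2 salt + 11)
    "locked" - a value crypt(3) can never produce (e.g. "*" or "**"),
               so no typed password can ever match it
    """
    if field == "":
        return "empty"
    if len(field) == DES_CRYPT_LEN and all(c in CRYPT_ALPHABET for c in field):
        return "des"
    return "locked"


def audit_passwd(lines):
    """Yield (user, classification, shell) for each well-formed passwd line."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # passwd(5) lines have exactly seven fields
            continue
        yield fields[0], classify_password_field(fields[1]), fields[6]


# Constructed sample entries (not taken from any real system); the root
# hash is an arbitrary 13-character string from the crypt alphabet.
SAMPLE_PASSWD = """\
root:xyDfccTrbuAoI:0:0:Charlie Root:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/dev/null
news:**:8:8:News Subsystem:/:/dev/null
guest::99:99:Guest account:/tmp:/bin/sh
"""


def locked_accounts(text=SAMPLE_PASSWD):
    return [u for u, kind, _ in audit_passwd(text.splitlines()) if kind == "locked"]


def open_accounts(text=SAMPLE_PASSWD):
    return [u for u, kind, _ in audit_passwd(text.splitlines()) if kind == "empty"]


if __name__ == "__main__":
    for user, kind, shell in audit_passwd(SAMPLE_PASSWD.splitlines()):
        print(f"{user:8} {kind:7} shell={shell}")
```

Note that "locked" here only means the field cannot match DES crypt output; a modern system using other hash formats needs the alphabet and length adjusted accordingly.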