Received: by minnie.vk1xwt.ampr.org with NNTP id AA1159 ; Tue, 23 Feb 93 14:28:23 EST
Newsgroups: comp.unix.bsd
Path: sserve!manuel.anu.edu.au!munnari.oz.au!uunet!UB.com!pacbell.com!sgiblab!spool.mu.edu!agate!doc.ic.ac.uk!pipex!demon!gtoal
From: gtoal@pizzabox.demon.co.uk (Graham Toal)
Subject: Re: "*" with DES (Was: Re: *Big* security leak for users w/o crypt.)
Message-ID: <C29F6D.8vr@demon.co.uk>
Sender: news@demon.co.uk
Nntp-Posting-Host: pizzabox.demon.co.uk
Organization: Cuddlehogs Anonymous
References: <1993Feb6.110834.27698@ghost.dsi.unimi.it> <1993Feb10.132529.14595@prism.poly.edu>
Date: Thu, 11 Feb 1993 01:08:36 GMT
Lines: 17

In article <1993Feb10.132529.14595@prism.poly.edu> kapela@prism.poly.edu (Theodore S. Kapela) writes:
:In article <1993Feb6.110834.27698@ghost.dsi.unimi.it> serini@ghost.dsi.unimi.it (Piero Serini) writes:
:>
:>I use a DES implementation which accepts "*" as a valid character.
:>So, passwords are encrypted, "secure" accounts have both "**" as
:>password and "/dev/null" as shell. I think It's enough.
:
:The encryption routine may accept a * as a legal char for the password, but
:it most likely does *NOT* use it in the encrypted string (Have you seen
:a "*" buried among the chars in the encrypted password?). The encrypted
:"key" is also a fixed length (usually 56 bits) (also making it impossible
:to encrypt to a single "*").

Duh... does that mean he's just told the world the passwords to his
secure accounts? Or did he perhaps mean he set the encrypted entries
to '**'?

G
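Added example (not part of the original post or thread): a check for the distinction the post draws, whether the password field of a passwd entry is something traditional DES crypt(3) could ever output. It assumes only traditional DES crypt is in use, whose output is 13 characters (2 salt plus 11 hash) from the alphabet ./0-9A-Za-z; the function names and the sample entries are constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, all drawn
# from the 64-character alphabet ./0-9A-Za-z. "*" is not in that alphabet.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")


def classify_field(field):
    """Classify the password field of one passwd entry (DES-only assumption)."""
    if field == "":
        return "no-password"      # empty field: login without a password
    if DES_CRYPT.fullmatch(field):
        return "des-hash"         # could be the hash of some password
    return "locked"               # no password can ever hash to this value


def audit_passwd(text):
    """Return {login: (classification, shell)} for passwd-format text."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:
            continue              # malformed entry, skipped
        login, field, shell = parts[0], parts[1], parts[-1]
        report[login] = (classify_field(field), shell)
    return report


# Constructed sample entries; the 13-character hash is made up for illustration.
SAMPLE = """\
root:ab01FAX.bQRSU:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:The devil himself:/:/sbin/nologin
secure:**:100:100:Secure account:/nonexistent:/dev/null
guest::101:101:Guest:/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for login, (kind, shell) in audit_passwd(SAMPLE).items():
        print(f"{login:8} {kind:12} shell={shell}")
```

An entry whose stored field is "**" is reported as locked; an account whose plaintext password was "**" would instead carry a 13-character hash and be reported as des-hash.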