Received: by minnie.vk1xwt.ampr.org with NNTP id AA1075 ; Thu, 11 Feb 93 21:00:10 EST
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!caen!uwm.edu!cs.utexas.edu!sun-barr!olivea!charnel!rat!usc!howland.reston.ans.net!bogus.sura.net!udel!gatech!news.ans.net!cmcl2!prism.poly.edu!kapela
From: kapela@prism.poly.edu (Theodore S. Kapela)
Newsgroups: comp.unix.bsd
Subject: "*" with DES (Was: Re: *Big* security leak for users w/o crypt.)
Message-ID: <1993Feb10.132529.14595@prism.poly.edu>
Date: 10 Feb 93 13:25:29 GMT
References: <1993Feb6.110834.27698@ghost.dsi.unimi.it>
Organization: Polytechnic University, New York
Lines: 21

In article <1993Feb6.110834.27698@ghost.dsi.unimi.it> serini@ghost.dsi.unimi.it (Piero Serini) writes:
>
>I use a DES implementation which accepts "*" as a valid character.
>So, passwords are encrypted, "secure" accounts have both "**" as
>password and "/dev/null" as shell. I think It's enough.

The encryption routine may accept a * as a legal char for the password,
but it most likely does *NOT* use it in the encrypted string (Have you
seen a "*" buried among the chars in the encrypted password?). The
encrypted "key" is also a fixed length (usually 56 bits) (also making it
impossible to encrypt to a single "*").

In any case, if a single "*" results from the output of your DES routines
(and is valid), then why wouldn't a "**" be valid?

--
...............................................................................
Theodore S. Kapela                      kapela@poly.edu
Center for Applied Large-Scale Computing
Polytechnic University
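
The argument in the reply above, as an added example that is not part of the original post: a small audit of passwd entries that checks whether a password field could ever be the output of the encryption routine. It assumes the traditional DES crypt(3) format (13 characters drawn from `./0-9A-Za-z`), which the post does not spell out; the function names and the sample entries are constructed for illustration.

```python
import string

# Assumption (not stated in the post): traditional DES crypt(3) output is
# 2 salt chars + 11 hash chars, all from this 64-character alphabet.
# "*" is not a member, so no password can ever encrypt to "*" or "**".
CRYPT_ALPHABET = set("./" + string.digits + string.ascii_letters)
DES_CRYPT_LEN = 13


def classify_field(pw_field):
    """Classify the password field of one passwd entry."""
    if pw_field == "":
        return "open"    # empty field: account has no password at all
    if len(pw_field) == DES_CRYPT_LEN and set(pw_field) <= CRYPT_ALPHABET:
        return "hash"    # well-formed: some password may encrypt to this
    return "locked"      # wrong length or alphabet: nothing can match it


def audit_passwd(text):
    """Return (user, status, shell) for each entry in passwd-format text."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:
            results.append((parts[0], "malformed", ""))
            continue
        # The shell is the last field; the password field is the second.
        results.append((parts[0], classify_field(parts[1]), parts[-1]))
    return results


# Constructed sample entries; the 13-character string is a made-up
# placeholder in the right format, not a real hash.
SAMPLE_PASSWD = """\
root:ab01FAX.bQRSU:0:0:Operator:/root:/bin/csh
daemon:*:1:1:Daemon:/:/dev/null
secure:**:20:20:Locked account:/nonexistent:/dev/null
guest::30:30:Guest:/home/guest:/bin/sh
short:ab01FAX:40:40:Truncated hash:/home/short:/bin/sh
"""

if __name__ == "__main__":
    for user, status, shell in audit_passwd(SAMPLE_PASSWD):
        print(f"{user:8} {status:9} {shell}")
```

An "open" entry is the one to act on; "locked" entries such as `*` and `**` are equivalent to each other because neither has the length or alphabet of an encrypted password.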