
site-pwpolicy AUTH_PW_GENPASSWORD salt

Cesar Garin
Occasional Advisor

site-pwpolicy AUTH_PW_GENPASSWORD salt

I am writing a site-pwpolicy for Tru64 5.1a. One of my requirements relates to the salt used to encrypt the password.

When the function AUTH_PW_GENPASSWORD is requested a salt is supplied. Probably this salt would meet my requirements but it isn't clear - there is nothing in the documentation detailing where this salt comes from or what it is based on. What is the default salt?
4 REPLIES
Ann Majeske
Honored Contributor

Re: site-pwpolicy AUTH_PW_GENPASSWORD salt

Have you looked at the sample pwpolicy script at:
http://users.rcn.com/spiderb/sec/site-pwpolicy.c.txt
Cesar Garin
Occasional Advisor

Re: site-pwpolicy AUTH_PW_GENPASSWORD salt

In my original question AUTH_PW_GENPASSWORD should have read AUTH_PW_ENCRPT. No doubt confusing to anyone trying to answer my question!

I have been using the example you referenced to develop my own site-pwpolicy. In function main of this example there is a switch on function code. For case AUTH_PW_ENCYPT a parameter saltbuf is read from stdin. Presumably this is something that the SIA is generating. I don't know what this parameter is derived from or what it represents.

I have specific requirements as to what is deemed an acceptable salt for password encryption. My problem is that I don't know if this salt meets these requirements. (N.B. don't think it is possible to create the required salt within the pwpolicy program.)
Ann Majeske
Honored Contributor
Solution

Re: site-pwpolicy AUTH_PW_GENPASSWORD salt

I did some checking. For password generation the salt is a random value. The value returned from get_seed_es() is used to generate a random number, which is massaged a bit to get a value appropriate to pass to the dispcrypt() routine, see the man pages for get_seed_es and dispcrypt.

It would be an interesting exercise to have your routine print out the salt supplied to see what it looks like :)

If the salt supplied by the Enhanced Security mechanism is not sufficient, you could write your own SIA mechanism to supply a different salt to dispcrypt. But, this is even more of a challenge (and only slightly better documented) than writing a site-pwpolicy!

Ann
Cesar Garin
Occasional Advisor

Re: site-pwpolicy AUTH_PW_GENPASSWORD salt


Thanks Ann. I believe your answer means I don't need to write an SIA mechanism. Would have been fun but the bean counters will be happier.