Re: Please HELP : Reg CVS password Decrypting mechanism
From: Todd Denniston
Subject: Re: Please HELP : Reg CVS password Decrypting mechanism
Date: Fri, 12 Sep 2008 08:15:10 -0400
User-agent: Thunderbird 2.0.0.16 (X11/20080707)
Just feeling terse this morning, so answers are very short.
Arvind Kanaka Raju wrote, On 09/12/2008 03:41 AM:
Hi Paul, Thanks a lot for your reply and it was very useful and I did guess
the same scenario though.. Your lines "If you can decrypt them, so can an attacker,
who could then gain access to the system"
Doubts : When we create a new user, we use the crypt function with
salt,random,pepper etc to create an encrypted password but the output
string(encrypted password) is given out as a different string every time we run
the crypting script.
For Example:
Entered String : abcd
First run of Encryption Script: GprUM4jlw1WwY
openssl passwd -salt Gpr
Password:abcd
GprUM4jlw1WwY
Second run of Encryption Script: cAfUhQnwU4Ly2
openssl passwd -salt cAf
Password:abcd
cAfUhQnwU4Ly2
Third run of Encryption Script: RW7h1x9Vtn1Ss
openssl passwd -salt RW7
Password:
RW7h1x9Vtn1Ss
And so on it generates different strings....
Though they are different, the users are still authenticated successfully every
time they login to the CVS rep. So how can we come to a conclusion that the
user entered password are encrypted by CVS application and compared with the
one in database. Just a doubt pls explain as I am naïve to this application.
My Question here: How does CVS application which takes in a user password from
some desktop client encrypt it and compare it with the one stored rep/CVSROOT
1: Does CVS have a function call to the Unix system to do it?
2: Does CVS have a function call to the Unix system to decrypt it?
man crypt
Thanks in advance!!!!!!
Arvind
-----Original Message-----
From: Paul Sander [mailto:address@hidden]
Sent: Friday, September 12, 2008 12:14 PM
To: Arvind Kanaka Raju
Subject: Re: Please HELP : Reg CVS password Decrypting mechanism
Passwords are not normally decrypted. In fact, the encryption is
usually "one way" so that it in fact cannot be decrypted. If you can
decrypt them, so can an attacker, who could then gain access to the
system.
Instead, the user presents their password, then the application
encrypts it, and finally it compares the user's encrypted password
with the encrypted password stored in a database. There may be
details like using matching "salt" values, which would be the first
two characters of the encrypted password stored in the database, or
fetching the saved encrypted password from a shadow database. Such
details are specific to the operating system.
On Sep 11, 2008, at 5:50 AM, Arvind Kanaka Raju wrote:
Hello, I am currently assigned as CVS Admin for an organization and
my prime work includes creating, maintaining and adding new users
to CVS repositories.
My Requirement: I am currently trying to enable users to change
their passwords by themselves which can be supported by a WEB Utility.
But the prime hurdle that I am facing to proceed with designing the
web utility is that 'I am unable to decrypt passwords stored in
<CVS Rep>/CVSROOT/passwd,
this is very much needed for the deployment.
Currently the CVS password encryption happens through a function
called CRYPT.
Kindly Help
Thanks in Advance
Arvind.K.R
--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
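
The check Paul Sander describes and the `openssl passwd -salt` runs in the reply above, as an added example that is not part of the thread: the stored string carries its own salt, so a login check or a self-service password change re-hashes the entered password with that salt and compares, and nothing is ever decrypted. It goes beyond the thread's two-character salts by using `openssl passwd -6` (SHA-512 crypt, OpenSSL 1.1.1 or later) and assumes the server's crypt(3) accepts `$6$` strings; the function names, the `user:hash[:systemuser]` sample line and the user `alice` are constructed for illustration.

```shell
#!/bin/sh
# Added example: check and change a CVSROOT/passwd entry without decrypting.
# Lines are assumed to look like  user:hash[:systemuser]  with $6$SALT$HASH.

# hash_with_salt SALT PASSWORD -> prints "$6$SALT$HASH"; same inputs, same output
hash_with_salt() {
    printf '%s\n' "$2" | openssl passwd -6 -salt "$1" -stdin
}

# stored_hash FILE USER -> prints the hash field of USER's line (empty if absent)
stored_hash() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# verify_password FILE USER PASSWORD -> exit status 0 only on a match
verify_password() {
    stored=$(stored_hash "$1" "$2")
    [ -n "$stored" ] || return 1
    # The salt is stored in the clear inside the hash string: $6$SALT$HASH
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(hash_with_salt "$salt" "$3") || return 1
    [ "$candidate" = "$stored" ]
}

# change_password FILE USER OLD NEW -> the self-service step for a web utility
change_password() {
    verify_password "$1" "$2" "$3" || return 1
    new_hash=$(hash_with_salt "$(openssl rand -hex 8)" "$4") || return 1
    tmp=$(mktemp "$1.XXXXXX") || return 1
    # Rewrite only field 2 of the user's line, then replace the file in one
    # rename. A deployment would also lock the file and restore its mode.
    awk -F: -v OFS=: -v u="$2" -v h="$new_hash" \
        '$1 == u { $2 = h } { print }' "$1" > "$tmp" && mv -f "$tmp" "$1"
}

# Demo on a constructed file; "alice" and both passwords are sample values.
demo_file=$(mktemp)
printf 'alice:%s:cvsuser\n' "$(hash_with_salt "$(openssl rand -hex 8)" abcd)" > "$demo_file"
if verify_password "$demo_file" alice abcd; then echo "old password accepted"; fi
if change_password "$demo_file" alice abcd 'n3w-pass'; then echo "password changed"; fi
if verify_password "$demo_file" alice abcd; then echo "BUG: old password still works"; fi
cat "$demo_file"
rm -f "$demo_file"
```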