NT MD4 password hash as new password encryption method for FreeBSD
NOTE: These patches are already committed and are available with FreeBSD 5.2
This is a simple proposal to add support for NT MD4 password hashes to crypt(3).
NT MD4 password hashes are less secure than the standard FreeBSD MD5-based password crypt or
the much stronger Blowfish-based encryption. So why would you/we be nuts enough to use NT password hashes? The answer is very simple:
If you want to authenticate dial-in users (ppp, pptp) with CHAP, you need the plaintext password on the server, and therefore
it is not possible to store the passwords in the system's master.passwd. Using PAP is a bad idea, because the passwords are
transmitted as plaintext over the net. MS-CHAP solves this problem by using hashed passwords (MD4).
With MS-CHAP and our modification to crypt(3) it is no longer necessary to store plaintext secrets on your server!
But we think there are many more advantages:
- Only one user database (the password can easily be changed by the user himself).
- MS-CHAP can be used without storing the plaintext passwords on the server.
- SAMBA can be modified to use the master.passwd directly instead of its own smbpasswd.
- Samba can use NIS for encrypted passwords on FreeBSD.
Disadvantages:
- No salt is used, so users with the same password have the same hash.
FreeBSD already supports different encryption methods (MD5, Blowfish, DES), so it was easy to add this method (new type $3).
It can be configured via login.conf (:passwd_format=nth:).
Here are the patches: libcrypt.diff, crypt-nthash.c
The patches were committed after the FreeBSD 5.1 release.
If you are using the files from FreeBSD 5-current you also have to make a new link to libcrypt.so.3 after you have compiled and
installed the new libcrypt.
cd /usr/lib
rm libcrypt.so
ln -s libcrypt.so.3 libcrypt.so
cp crypt-nthash.c /usr/src/lib/libcrypt
cd /usr/src/lib/libcrypt
patch < libcrypt.diff
make
make install
cd /usr/src/usr.bin/passwd
make
make install
cd /usr/src/lib/libpam
make
make install
cd /usr/src/usr.bin/login
make
make install
And here are patches for mpd. With these patches mpd uses the master.passwd for passwords if a '*' is specified in the
password field of mpd.secret. This works with all encryption methods if PAP is used; if the password is an NT hash,
MS-CHAP also works. CHAP doesn't work at all, because you need the plaintext password.
mpd-pwd.diff
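As an added illustration of the $3 type described above and of the PAP/MS-CHAP distinction that the mpd patch relies on, the Python below is not code from the proposal or from the committed crypt-nthash.c; it is an example written for this page. It computes the NT hash (MD4 over the UTF-16LE password, no salt), builds the master.passwd string, checks a candidate the way a PAP login can, extracts what MS-CHAP needs, and lists users whose entries collide because there is no salt. The "$3$$" prefix (magic followed by an empty salt field) and lowercase hex output are assumed from the text; the function names and the sample entries are this example's own.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# Round function, additive constant, per-step shift amounts and word order (RFC 1320).
_ROUNDS = (
    (_f, 0x00000000, (3, 7, 11, 19), (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)),
    (_g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (_h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320), written out so the example does not depend on
    hashlib still exposing the legacy algorithm."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", bit_len)            # length in bits, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, shifts, order in _ROUNDS:
            for i, j in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate registers for the next step
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the password encoded as UTF-16LE; no salt, no iteration."""
    return md4(password.encode("utf-16-le"))


def nt_crypt(password: str) -> str:
    """master.passwd string for the $3 type: magic "$3$", empty salt field,
    then the hash as 32 lowercase hex digits (format assumed from the text)."""
    return "$3$$" + nt_hash(password).hex()


def is_nt_crypt(stored: str) -> bool:
    return stored.startswith("$3$$") and len(stored) == 4 + 32


def verify_pap(stored: str, candidate: str) -> bool:
    """PAP hands the server the plaintext, so a $3 entry is checked by recomputing
    the hash. Constant-time compare avoids leaking where the first mismatch is."""
    if not is_nt_crypt(stored):
        raise ValueError("only $3 entries are handled in this example")
    return hmac.compare_digest(stored, nt_crypt(candidate))


def mschap_key(stored: str):
    """MS-CHAP needs the 16-byte NT hash itself (the peer never sends the plaintext),
    so only a $3 entry can serve it. Returns the hash bytes, or None for other formats."""
    if not is_nt_crypt(stored):
        return None
    return bytes.fromhex(stored[4:])


def shared_hash_users(entries):
    """The stated disadvantage: with no salt, equal passwords give equal strings.
    Groups user names by $3 string so an admin can spot them in the password file."""
    groups = {}
    for user, stored in entries:
        if is_nt_crypt(stored):
            groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample entries (user, crypt string); not taken from any real system.
    db = [
        ("alice", nt_crypt("password")),
        ("bob", nt_crypt("password")),
        ("carol", nt_crypt("correct horse")),
        ("dave", "$1$saltsalt$PLACEHOLDER-md5-crypt-entry"),   # placeholder, not a real hash
    ]
    for user, stored in db:
        print(user, stored, "mschap-capable" if mschap_key(stored) else "pap-only")
    print("users sharing a hash:", shared_hash_users(db))
```

Running it shows alice and bob with byte-identical entries, which is exactly the "no salt" disadvantage listed above; dave's MD5-crypt entry can still be checked under PAP (via crypt(3), not shown here) but yields nothing MS-CHAP can use.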
Patches for SAMBA can be downloaded here