[nSLUG] Crypt in Perl

Daniel Morrison draker at gmail.com
Wed Jan 7 22:03:54 AST 2009


2009/1/7 D G Teed <donald.teed at gmail.com>:
> You must have mistaken me for a web developer.  I'm just
> a Sysadmin, trying not to cause discomfort for users.
> We are after seamless changes here, not announcements
> that everyone needs to change their password (that is
> what they would expect of phishers anyway).

Not at all!  I was merely pointing out where George mentioned the
recommendation from Python docs to use the full crypted password as a
salt.

Moreover, from the glibc manual:
http://www.gnu.org/software/libtool/manual/libc/crypt.html#crypt

"To verify a password against the result of a previous call to crypt,
pass the result of the previous call as the salt."

I'm not sure what web developers have to do with announcements to
users... unless a web developer is also doing a sysadmin's job...
poorly. Web developers need to be kept in a firewalled little room
somewhere!

The glibc manual also says:

"the salt should consist of two characters from the alphabet
./0-9A-Za-z", same as the perl docs. I wonder if '.' is simply
$saltchars[0] in the perl module?  Perhaps on the BSD systems the perl
module reinitializes to zero the index into that array before
processing the second character in the salt. On Linux and Solaris
(SysV, Dan pointed out) the index isn't reinitialized, and so the
first character is repeated.

~$ perl -e 'print crypt("cow","Y") . "\n";'
YYdJexGRDqh9Y

Well, it could still be in libc also. If another language displays the
same behaviour, it suggests it's in libc rather than the language.

-D.
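
The verification pattern quoted above from the glibc manual, as an added example that is not part of the original message: the stored crypt() result is passed back in as the salt, and new hashes always get a full two-character salt so the one-character case never arises. The helper names make_salt, ct_eq and verify_password are hypothetical, and /dev/urandom is assumed to exist.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The salt alphabet quoted above from the glibc manual: ./0-9A-Za-z
my @saltchars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Build a full two-character salt so crypt() never sees a short one.
sub make_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 2) == 2 or die "short read from urandom";
    close $fh;
    # 64 salt characters, so masking a random byte to 6 bits is unbiased.
    return join '', map { $saltchars[ord($_) & 63] } split //, $bytes;
}

# Compare without stopping at the first differing character.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Pass the stored hash as the salt; crypt() reads the salt (and, for
# $id$ style hashes, the scheme) from its prefix.
sub verify_password {
    my ($candidate, $stored) = @_;
    my $computed = crypt($candidate, $stored);
    # Depending on the libc, a rejected salt gives undef or a short failure token.
    return 0 unless defined $computed && length($computed) >= 13;
    return ct_eq($computed, $stored);
}

my $stored = crypt('cow', make_salt());    # constructed sample password
die "crypt() rejected a two-character salt on this platform\n"
    unless defined $stored && length($stored) >= 13;

print "stored hash:    $stored\n";
print "right password: ", (verify_password('cow', $stored) ? 'ok' : 'no'), "\n";
print "wrong password: ", (verify_password('cat', $stored) ? 'ok' : 'no'), "\n";

# The one-character salt from the thread: print whatever this platform does.
my $short = crypt('cow', 'Y');
print "salt 'Y' gives: ", (defined $short ? $short : '(undef)'), "\n";
```

Traditional DES crypt uses only the first eight characters of the password, so the two-character salt form here is for verifying existing hashes rather than a scheme to pick for new ones.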


