Hi. I'm having a problem with hashing passwords for use in the menu.

If I specify plain passwords in my config it works fine:

Example:

    MENU MASTER PASSWD 1234567890
    MENU PASSWD test123

However if I hash a password using the sha1pass script the resulting hashes don't work.

    MENU MASTER PASSWD $4$9qj4qv8g$HQ6Jl6TVrpign78XeofX2OLmfJo$
    MENU PASSWD test123 $4$B4LW6NPr$xYYfSoakhfLpWE7+l8zU0MdAlIA$

When prompted for the password I enter that which I added as an arg to the script but it throws me back (same as with an invalid pass).

This is how I run the script:

    simon1 at eb280-simon:~/syslinux-3.52$ sha1pass 1234567890
    $4$9qj4qv8g$HQ6Jl6TVrpign78XeofX2OLmfJo$
    simon1 at eb280-simon:~/syslinux-3.52$ sha1pass test123
    $4$B4LW6NPr$xYYfSoakhfLpWE7+l8zU0MdAlIA$

I notice I get a different hash every time when using the same arg. Is this correct?

I'm running slackware v11. Initially when running sha1pass I was getting an error:

    Can't locate Digest/SHA1.pm in @INC

I ran cpan install Digest::SHA1 to install the missing lib then all was ok.

I can't get the MD5pass script to run as it's missing a lib but running cpan install Digest::MD5 reports that my MD5 is up to date?

Any ideas?

Thanks.

Simon.

--On Wednesday, January 09, 2008 03:20:02 PM +0000 Simon Daniels <S.Daniels at uel.ac.uk> wrote:

> However if I hash a password using the sha1pass script the resulting
> hashes don't work.

As of syslinux-3.53 (the latest I have lying around), the code in com32/modules/menumain.c for checking sha1 passwords has a bug which causes checking of salted passwords to fail. Specifically, it tries to fold the salt into the hash before initing the hash context. I have attached a patch (untested) which should fix this problem.

> I notice I get a different hash every time when using the same arg. Is
> this correct?

That's correct. The string between the second and third $ characters is a "salt", which is a chunk of random data included in the hash to make it more difficult to determine the password by keeping a dictionary of passwords and the strings they hash to. To get the same string back, you can give the hash as an additional argument to sha1pass:

    ./sha1pass 1234567890 9qj4qv8g

> I can't get the MD5pass script to run as it's missing a lib but running
> cpan install Digest::MD5 reports that my MD5 is up to date?

Is there a question here? We can't help you get md5pass working if you don't tell us what error messages you got.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Carnegie Mellon University - Pittsburgh, PA

-------------- next part --------------
--- com32/modules/menumain.c 2007-11-18 01:55:01.000000000 -0500 +++ com32/modules/menumain.c.FIXED 2008-01-14 18:15:23.000000000 -0500 @@ -295,6 +295,8 @@ SHA1_CTX ctx; unsigned char sha1[20], pwdsha1[20]; + SHA1Init(&ctx); + if ( (p = strchr(passwd+3, '$')) ) { SHA1Update(&ctx, (void *)passwd+3, p-(passwd+3)); p++; @@ -302,8 +304,6 @@ p = passwd+3; /* Assume no salt */ } - SHA1Init(&ctx); - SHA1Update(&ctx, (void *)entry, strlen(entry)); SHA1Final(sha1, &ctx);
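
Review bot: In the first hunk's context line "SHA1Update(&ctx, (void *)passwd+3, p-(passwd+3));" the cast binds before the addition, so the +3 is arithmetic on a void pointer, which is accepted only as a GNU extension; "(void *)(passwd+3)" says the same thing portably and could be tidied while this code is being touched. Moving SHA1Init(&ctx) above the "if" is the right order, since both the salted branch and the no-salt branch now update an initialized context. The message describes the patch as untested, so before it is applied it should be checked against one of the $4$ strings from this thread (salt 9qj4qv8g, password 1234567890) to confirm that hashing the salt first and the entry second matches what sha1pass produces.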

Simon Daniels wrote:

> Hi. I'm having a problem with hashing passwords for use in the menu.
>
> If I specify plain passwords in my config it works fine:
>
>
> MENU MASTER PASSWD $4$9qj4qv8g$HQ6Jl6TVrpign78XeofX2OLmfJo$
>
> MENU PASSWD test123 $4$B4LW6NPr$xYYfSoakhfLpWE7+l8zU0MdAlIA$
              ^^^^^^^ EH?

>
> simon1 at eb280-simon:~/syslinux-3.52$ sha1pass 1234567890
> $4$9qj4qv8g$HQ6Jl6TVrpign78XeofX2OLmfJo$
>

Looks right...

>
> I notice I get a different hash every time when using the same arg. Is this
> correct?
>

That's normal.

>
> I ran cpan install Digest::SHA1 to install the missing lib then all was ok.
>
> I can't get the MD5pass script to run as it's missing a lib but running cpan
> install Digest::MD5 reports that my MD5 is up to date?
>

use Crypt::PasswdMD5;
use MIME::Base64;

Not Digest::MD5...

	-hpa
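
The $4$salt$hash$ strings discussed in this thread, as an added Python example that is not part of the original messages and is not syslinux code: it builds and checks such a string, folding in the salt first and the typed password second, the order shown in the patch above. It assumes the hash field is the unpadded base64 of the SHA-1 digest; the function names and the way a random salt is generated are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os


def sha1pass(password, salt=None):
    """Return '$4$<salt>$<hash>$' where hash = base64(SHA-1(salt + password))."""
    if salt is None:
        # Assumption: 6 random bytes as 8 characters from an alphabet without '$'.
        salt = base64.b64encode(os.urandom(6), altchars=b"./").decode()
    digest = hashlib.sha1(salt.encode() + password.encode()).digest()
    return "$4$%s$%s$" % (salt, base64.b64encode(digest).decode().rstrip("="))


def parse(stored):
    """Split a '$4$<salt>$<hash>$' string into (salt, raw 20-byte digest)."""
    fields = stored.split("$")  # expected: ['', '4', salt, hash, '']
    if len(fields) != 5 or fields[:2] != ["", "4"] or fields[4] != "":
        raise ValueError("not a $4$salt$hash$ string")
    salt, b64 = fields[2], fields[3]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    if len(raw) != 20:
        raise ValueError("hash field is not a 20-byte SHA-1 digest")
    return salt, raw


def check(entry, stored):
    """Verify a typed password: salt first, then the entry."""
    salt, want = parse(stored)
    ctx = hashlib.sha1()        # context exists before anything is folded in
    ctx.update(salt.encode())   # salt first
    ctx.update(entry.encode())  # then the typed password
    return hmac.compare_digest(ctx.digest(), want)


if __name__ == "__main__":
    line = sha1pass("test123")  # constructed sample, random salt
    print(line, check("test123", line), check("wrong", line))
```

Calling sha1pass twice with the same password and no salt returns two different strings that both verify, which is the behaviour asked about in the first message.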