Date: Tue, 22 Jul 2014 20:32:54 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: OpenVMS support?

On Tue, Jul 22, 2014 at 01:59:53PM +0200, Frank Dittrich wrote:
> On 07/22/2014 01:14 AM, Mark Grace wrote:
> > We're in the process of migrating from an OpenVMS system to AIX and we have a need to not change passwords.  Therefore I've been using JtR to retrieve the passwords.
> 
> It is just not realistic to assume you'll be able to crack all the
> passwords.
> 
> But maybe there's another option.
> Apparently, AIX supports PAM:
> http://www.ibm.com/developerworks/aix/library/au-aixpluggable/index.html?ca=dat
> 
> Not sure whether you can really use this to add your own password hash
> algorithms, but if you can:

Yes, PAM can be used to add custom password hashing schemes, as long as
no relevant services or apps bypass PAM (some might!)

AIX also supports Loadable Password Algorithms (LPAs), which are lower
level than PAM and are actually intended for the purpose, so I think are
less likely to be bypassed - but I haven't seen any information on
writing a custom LPA.

https://www.ibm.com/developerworks/community/blogs/cgaix/entry/aix_support_for_passwords_greater_than_8_characters1?lang=en

> The vms_fmt_plug.c has this info in the comment at the top:
> "Redistribution and use in source and binary forms, with or without
> modifications, are permitted."
> 
> So, you could use this to implement an OpenVMS password hash algorithm
> for AIX, and just migrate the hashes without converting them.
> 
> Even if you do, I would only use this solution temporarily, and switch
> to a more secure hash algorithm supported by AIX, then finally drop
> supporting OpenVMS hashes.

Per the table at the URL above, AIX includes support for "Blowfish"
(bcrypt) in one of its standard LPAs, so that's what should be used for
new passwords, as well as for passwords that were cracked from their
OpenVMS hashes.  Other password hashing schemes supported by AIX as
standard are inferior to bcrypt.

Alexander
