Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CANO7a6y=S3PyZV8coHg_ZtfvoQ-0papuAdyRPDMzFf=ahW+PrQ@mail.gmail.com>
Date: Thu, 24 Jan 2013 21:38:58 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: Formats ssh and ssh-ng

On Thu, Jan 24, 2013 at 8:50 PM, Frank Dittrich
<frank_dittrich@...mail.com> wrote:
> I think ssh and/or ssh-ng formats need at least some documentation, but
> preferably even some code changes.

Good point. I can quickly write a "README.ssh" file explaining the
usage of and the difference between these two formats.

> $ ./sshng2john.py id_rsa > sshng-test
>
> (BTW: I had to install python-crypto on Fedora 18 to make the script work.)

Can you please test the following patch to see if it makes things better?

diff --git a/run/sshng2john.py b/run/sshng2john.py
index 12a6f60..b08a85e 100755
--- a/run/sshng2john.py
+++ b/run/sshng2john.py
@@ -31,10 +31,16 @@ from hashlib import md5 as MD5

 limited = False

+
+class Object(object):
+    pass
+
 try:
-    from Crypto.Cipher import DES3, AES
+    from Crypto.Cipher import DES3, AES1
 except ImportError:
     print >> sys.stderr, "PyCrypto is missing in your Python
installation, %s is operating is limited features mode!" % sys.argv[0]
+    AES = Object()
+    AES.MODE_CBC = ""
     limited = True


@@ -639,7 +645,8 @@ class PKey (object):

         if 'proc-type' not in headers:
             # unencryped: done
-            return data
+            print >> sys.stderr, "%s has no password!" % f.name
+            return None
         # encrypted keyfile: will need a password
         if headers['proc-type'] != '4,ENCRYPTED':
             raise SSHException('Unknown private key structure "%s"' %
headers['proc-type'])
@@ -674,7 +681,7 @@ class PKey (object):
                 return ddata
             except ValueError:  # incorrect password
                 return data
-        return None
+        return self.hash  # dummy value


 def chunks(l, n):
@@ -717,6 +724,8 @@ class RSADSSKey (PKey):
     def _from_private_key_file(self, filename, password):
         data = self._read_private_key_file('RSA', filename, password)

+        if not data:
+            return
         if limited:
             print self.hash
             return

> Apparently, both formats are able to crack the same input file after
> converting it using the right tool. But ssh-ng is much faster.

Yes, ssh-ng is fast :-)

> Why does ssh-ng have the "False positives possible" flag set?

ssh-ng does partial decryption and partial ASN decoding, hence it can
have false positives.

> If ssh can avoid false positives, ssh-ng should be able to avoid false
> positives as well, no?

You are right. We can have a 100% solid verification check in ssh-ng
format as well (and then remove FMT_NOT_EXACT from ssh-ng format).

> This:
> $ ls -l ssh*test
> -rw-rw-r--. 1 fd fd 2425 Jan 24 15:51 sshng-test
> -rw-rw-r--. 1 fd fd 3505 Jan 24 15:51 ssh-test
> doesn't look like ssh2john is extracting less information from the
> keyfile than sshng2john is.
> So, shouldn't ssh-ng be able to "understand" and convert $ssh2$ hashes?
> What about ssh understanding the $sshng$ hashes?

IMO, we only care about ssh-ng being able to "understand" old-style
$ssh2$ hashes. Yes, this is possible and at some point I might have
promised Solar to implement such a feature ;)

> Why do we even need two different tags?
> Why different format names?

ssh format is well tested and been proven to work whereas ssh-ng is
highly experimental (but faster). So both formats currently co-exist.

> Can't ssh-ng report "SSH RSA / DSA" instead of "ssh-ng SSH RSA / DSA"?
> This would allow to pick the fastest of several benchmarks for
> performance comparison in relbench.
> (Of course, the format name should only be changed if both formats
> understand the same canonical hash representation and if ssh-ng doesn't
> produce false positives.)

ssh-ng *might* produce false positives (but it hasn't so far!) and
making ssh-ng understand old-style hashes requires more work (i.e.
patches welcome).

Hence, for now, it is better to treat them as separate formats.

> What am I missing here?

I hope that I have answered your questions. Thanks for the feedback.

-- 
Dhiru

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.