Message-ID: <20140722163254.GA10778@openwall.com>
Date: Tue, 22 Jul 2014 20:32:54 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: OpenVMS support?

On Tue, Jul 22, 2014 at 01:59:53PM +0200, Frank Dittrich wrote:
> On 07/22/2014 01:14 AM, Mark Grace wrote:
> > We're in the process of migrating from an OpenVMS system to AIX and we have a need to not change passwords. Therefore I've been using JtR to retrieve the passwords.
>
> It is just not realistic to assume you'll be able to crack all the
> passwords.
>
> But maybe there's another option.
> Apparently, AIX supports PAM:
> http://www.ibm.com/developerworks/aix/library/au-aixpluggable/index.html?ca=dat
>
> Not sure whether you can really use this to add your own password hash
> algorithms, but if you can:

Yes, PAM can be used to add custom password hashing schemes, as long as
no relevant services or apps bypass PAM (some might!)

AIX also supports Loadable Password Algorithms (LPAs), which are lower
level than PAM and are actually intended for the purpose, so I think are
less likely to be bypassed - but I haven't seen any information on
writing a custom LPA.

https://www.ibm.com/developerworks/community/blogs/cgaix/entry/aix_support_for_passwords_greater_than_8_characters1?lang=en

> The vms_fmt_plug.c has this info in the comment at the top:
> "Redistribution and use in source and binary forms, with or without
> modifications, are permitted."
>
> So, you could use this to implement an OpenVMS password hash algorithm
> for AIX, and just migrate the hashes without converting them.
>
> Even if you do, I would only use this solution temporarily, and switch
> to a more secure hash algorithm supported by AIX, then finally drop
> supporting OpenVMS hashes.

Per the table at the URL above, AIX includes support for "Blowfish"
(bcrypt) in one of its standard LPAs, so that's what should be used for
new passwords, as well as for passwords that were cracked from their
OpenVMS hashes. Other password hashing schemes supported by AIX as
standard are inferior to bcrypt.

Alexander