[Tiger-devel] gen_passwd_sets and MD5 passwords for Linux


From: Nicolas François
Subject: [Tiger-devel] gen_passwd_sets and MD5 passwords for Linux
Date: Sat, 28 Jun 2003 22:55:53 +0200
User-agent: Mutt/1.5.4i

Hello,

In the 'zappasswd' function of 'systems/Linux/2/gen_passwd_sets', MD5
passwords are recognized by this case pattern:
# For MD5 passwds (35 chars) starting with $1$ (Linux)
 
\$1\$[a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/][a-zA-Z0-9\.$/])

(the magic "$1$" and 32 times a char from [a-zA-Z0-9\.$/])

For gen_passwd_sets revisions prior to 1.4, the case pattern contained
only 34 chars, but the comment "# For MD5 passwds (35 chars) starting with
$1$ (Linux)" comes from the initial revision.

AFAIK, MD5 passwords are only 34 chars. (This is the case for all the Linux
/etc/shadow files I checked.)


According to man crypt:
GNU EXTENSION
  The glibc2 version of this function has the following  additional  fea-
  tures.   If  salt is a character string starting with the three charac-
  ters "$1$" followed by at most eight characters, and optionally  termi-
  nated  by  "$",  then instead of using the DES machine, the glibc crypt
  function uses an MD5-based algorithm,  and  outputs  up  to  34  bytes,
  namely  "$1$<string>$", where "<string>" stands for the up to 8 charac-
  ters following "$1$" in the salt, followed by 22 bytes chosen from  the
  set [a-zA-Z0-9./].  The entire key is significant here (instead of only
  the first 8 bytes).

Does this mean that the encrypted password can be less than 34 chars?
Should the "\$1\$[a-zA-Z0-9./]{0,8}\$[a-zA-Z0-9./]{22}" regex be
used?

By the way, does anybody know how to use a shorter bash case pattern?
(I'm dreaming of something like '\$1\$[a-zA-Z0-9./]{31}').

hth
-- 
Nekral
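
Added example (not part of the original message and not Tiger's code): a POSIX shell check for the `$1$<salt>$<22 chars>` layout quoted from crypt(3) above, with a salt of 0 to 8 characters. It splits the string with parameter expansion instead of listing one bracket expression per character. The function name `is_md5_crypt` and the sample strings are made up for illustration.

```shell
#!/bin/sh
# Added illustration; is_md5_crypt is a hypothetical helper, not part of
# gen_passwd_sets. Force the C locale so [a-z] ranges mean ASCII only.
LC_ALL=C

# is_md5_crypt STRING
# Exit status 0 if STRING is "$1$" + 0..8 salt chars + "$" + 22 digest chars,
# all salt/digest chars taken from [a-zA-Z0-9./]; non-zero otherwise.
is_md5_crypt() {
    case $1 in
        '$1$'*) ;;                  # magic prefix present
        *) return 1 ;;
    esac
    rest=${1#\$1\$}                 # drop the "$1$" magic
    case $rest in
        *'$'*) ;;                   # a "$" must separate salt and digest
        *) return 1 ;;
    esac
    salt=${rest%%\$*}               # text before the first "$"
    digest=${rest#*\$}              # text after the first "$"
    case $salt$digest in
        *[!a-zA-Z0-9./]*) return 1 ;;   # stray char, including a second "$"
    esac
    [ "${#salt}" -le 8 ] && [ "${#digest}" -eq 22 ]
}

# Constructed sample strings (not real password hashes).
for h in '$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV' \
         '$1$ab$ABCDEFGHIJKLMNOPQRSTUV' \
         '$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUVW' \
         'abJnggxhB/yWI'
do
    if is_md5_crypt "$h"; then
        echo "md5-crypt (${#h} chars): $h"
    else
        echo "other     (${#h} chars): $h"
    fi
done
```

With an 8-character salt the accepted string is 34 characters long; shorter salts give shorter strings, and a 35-character string of the kind the current case pattern expects is rejected.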



