On 2014-02-21 9:24, Matthew Weigel wrote:
On 2014-02-21 5:09, Joel Carnat wrote:
Here is a short
script that should run fine on a stock OpenBSD machine to generate a
bcrypt hash suitable for the userPassword attribute of ldapd.
Nope nope nope. That script is incorrect in a couple of ways. Most
significantly it leaks the first two bits of the user's password,
because I didn't understand how to pass the salt correctly. I don't
know if anyone actually WANTS a corrected version of the script, but I
can't leave the uncorrected one out there.
#! /usr/bin/perl
use strict;
use warnings;

# Read one cleartext password per line and print a bcrypt hash for each.
while (<>) {
    my $salt   = '';
    my $new_pw = $_;
    chomp($new_pw);

    # bcrypt's own base64 alphabet (not the RFC 4648 one)
    my @chars = split //,
        "./ABCDEFGHIJKLMN" .
        "OPQRSTUVWXYZabcd" .
        "efghijklmnopqrst" .
        "uvwxyz0123456789";

    # The 22-character salt encodes 128 bits: 21 full characters ...
    # (note: Perl's rand() is not a cryptographically strong generator)
    for (my $i = 0; $i < 21; $i++) {
        $salt .= $chars[int(rand($#chars + 1))];
    }
    # ... plus a 22nd character that carries only two bits, so it must be
    # one of '.', 'O', 'e' or 'u' (alphabet index 0, 16, 32 or 48).
    $salt .= $chars[int(rand(4)) * 16];

    # '$2a$' selects bcrypt, '08' is the cost (2^8 rounds)
    my $rnd_salt = '$2a$08$' . $salt;
    my $hash     = crypt($new_pw, $rnd_salt);
    print("$hash\n");
}
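As an added example (not from the original post), here is the same salt construction in Python: bcrypt's base64 encoder applied to a 16-byte salt from os.urandom, plus a check that shows why the 22nd salt character has to be '.', 'O', 'e' or 'u'. The function names are my own; it builds only the setting string and leaves the hashing to crypt(3) or a bcrypt library.

```python
import os
from typing import Optional

# bcrypt's own base64 alphabet (not the RFC 4648 one); same string as in the script
ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# A 16-byte salt is 128 bits; 22 chars carry 132, so the 22nd char holds only
# two payload bits and must be ALPHABET[0|16|32|48], i.e. one of ".", "O", "e", "u".
VALID_LAST = {ALPHABET[i] for i in (0, 16, 32, 48)}


def bcrypt_b64encode(raw: bytes) -> str:
    """Encode raw bytes the way bcrypt's encode_base64 does (no padding)."""
    out, i = [], 0
    while i < len(raw):
        c1 = raw[i]; i += 1
        out.append(ALPHABET[c1 >> 2])
        c1 = (c1 & 0x03) << 4
        if i >= len(raw):            # one trailing byte -> 2 chars
            out.append(ALPHABET[c1])
            break
        c2 = raw[i]; i += 1
        out.append(ALPHABET[c1 | (c2 >> 4)])
        c1 = (c2 & 0x0F) << 2
        if i >= len(raw):            # two trailing bytes -> 3 chars
            out.append(ALPHABET[c1])
            break
        c2 = raw[i]; i += 1
        out.append(ALPHABET[c1 | (c2 >> 6)])
        out.append(ALPHABET[c2 & 0x3F])
    return "".join(out)


def make_setting(cost: int = 8, salt: Optional[bytes] = None) -> str:
    """Build the '$2a$<cost>$<22-char salt>' string handed to crypt(3)."""
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be 4..31")
    salt = os.urandom(16) if salt is None else salt   # CSPRNG, 128 bits
    if len(salt) != 16:
        raise ValueError("bcrypt salt must be exactly 16 bytes")
    return "$2a$" + f"{cost:02d}" + "$" + bcrypt_b64encode(salt)


def check_setting(setting: str) -> bool:
    """True if the string is a well-formed bcrypt setting with a canonical salt."""
    parts = setting.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] not in ("2a", "2b", "2y"):
        return False
    if len(parts[2]) != 2 or not parts[2].isdigit() or not 4 <= int(parts[2]) <= 31:
        return False
    salt = parts[3]
    return len(salt) == 22 and all(c in ALPHABET for c in salt) and salt[-1] in VALID_LAST
```

The decoder in crypt(3) ignores the unused low bits of the 22nd character, so a non-canonical last character is not rejected, but the salt it produces is not the one you wrote, which is why check_setting treats it as an error.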
--
Matthew Weigel
hacker
unique & idempot . ent