ntop uses the standard crypt() function provided by the OS.
crypt() is required part of the single Unix specification, but the details
are implementation dependent. See:
http://www.opengroup.org/onlinepubs/007908799/xsh/crypt.html.
Never-the-less, whatever the limitations of crypt() are, that what ntop's
limits are. Unfortunately, there's no way to tell programmatically what
these limits are, you have to refer to the man page, e.g. (Fedora Core 3
Linux) - here you need to read the 4th paragraph of the DESCRIPTION clause:
CRYPT(3) Library functions
CRYPT(3)
NAME
crypt - password and data encryption
SYNOPSIS
#define _XOPEN_SOURCE
#include <unistd.h>
char *crypt(const char *key, const char *salt);
DESCRIPTION
crypt is the password encryption function. It is based on the Data
Encryption Standard algorithm with variations
intended (among other things) to discourage use of hardware
implementations of a key search.
key is a user's typed password.
salt is a two-character string chosen from the set [a-zA-Z0-9./].
This string is used to perturb the algorithm in
one of 4096 different ways.
By taking the lowest 7 bits of each of the first eight
characters of the key, a 56-bit key is obtained. This
56-bit key is used to encrypt repeatedly a constant string (usually
a string consisting of all zeros). The
returned value points to the encrypted password, a series of 13
printable ASCII characters (the first two charac-
ters represent the salt itself). The return value points to static
data whose content is overwritten by each call.
Warning: The key space consists of 2**56 equal 7.2e16 possible
values. Exhaustive searches of this key space are
possible using massively parallel computers. Software, such as
crack(1), is available which will search the por-
tion of this key space that is generally used by humans for
passwords. Hence, password selection should, at mini-
mum, avoid common words and names. The use of a passwd(1) program
that checks for crackable passwords during the
selection process is recommended.
The DES algorithm itself has a few quirks which make the use of the
crypt(3) interface a very poor choice for any-
thing other than password authentication. If you are planning on
using the crypt(3) interface for a cryptography
project, don't do it: get a good book on encryption and one of the
widely available DES libraries.
RETURN VALUE
A pointer to the encrypted password is returned. On error, NULL is
returned.
ERRORS
ENOSYS The crypt function was not implemented, probably because of
U.S.A. export restrictions.
GNU EXTENSION
The glibc2 version of this function has the following additional
features. If salt is a character string starting
with the three characters "$1$" followed by at most eight
characters, and optionally terminated by "$", then
instead of using the DES machine, the glibc crypt function uses an
MD5-based algorithm, and outputs up to 34 bytes,
namely "$1$<string>$", where "<string>" stands for the up to 8
characters following "$1$" in the salt, followed by
22 bytes chosen from the set [a-zA-Z0-9./]. The entire key is
significant here (instead of only the first 8
bytes).
Programs using this function must be linked with -lcrypt.
CONFORMING TO
SVID, X/OPEN, BSD 4.3, POSIX 1003.1-2001
SEE ALSO
login(1), passwd(1), encrypt(3), getpass(3), passwd(5)
The "GNU EXTENSION" piece implies that changing the salt ntop uses would
allow longer passwords. That's set via CONST_CRYPT_SALT in
globals-defines.h, but AFAIK this hasn't been tested.
Sounds like a good addition to the FAQ...
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Alexander
Sent: Thursday, September 22, 2005 4:16 AM
To: [email protected]
Subject: [Ntop-dev] ntop checks only first eight symbols in password,the
rest is ignored
Hi!
Here is the description of the problem I'm expecting.
I'm starting ntop:
# ntop --sticky-hosts --max-table-rows=0 --create-suspicious-packets
--refresh-time=60 --http-server=0 --https-server=443 --no-fc
--no-invalid-lun --w3c
Trying to connect to https://my.ip.add.ress I'm being prompted for user and
password.
I'm entering the username, password... But everything after the eight symbol
in password is ignored!
I.E., we entering this:
user: admin
pass: password
Ntop accepts this and we are logged on.
Then we're reopening browser, trying to connect to https://my.ip.add.ress
again, and entering:
user: admin
pass: password_blablabla
And... We're logged in again!
So there only first eight symbols in password are checked. The rest is
ignored!
Tested on ntop-3.1 and ntop-3.2rc1 (cvs, 05.09.21), compiled from sources,
configured with '--prefix=/opt/ntop --enable-sslv3 --disable-ipv6' under
Mandrake Linux 10.0 (128M RAM, OpenSSL 0.9.7c 30 Sep 2003) and Slackware 9.0
(256M RAM, OpenSSL 0.9.8 05 Jul 2005).
Is this a bug? ...or a feature?
_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
