> > I wouldn't use any cleartext password-collecting trojans until there is a
> > pale distant light of reaching success another way. I'm just busy enough
> > to keep these trojans away from our systems.
>
> I meant to write your own for this one specific administrative
> purpose. iPlanet only supports {crypt} (which is too weak to be
> used, imho), and {sha}. There is no way to convert md5 from linux
> password files to sha, unless you learn how to factor large numbers
> quickly. Of course, if you can do that then you will be a rich man
> and no longer need to be fooling around with email systems.
As for now there is no known decryption of crypt, although you're right, it's
much weaker than MD5 or SHA. I think, crypt is OK for now inside a protected
directory. However, letting anybody read a hashed password is a security
hazard, independently from the hashing algorithm.
Iplanet supports crypt, SHA and salted SHA (SSHA) for password hashing. I
lack MD5 very badly. It's probably a consequence of Sun's Linux 'support'.
Well, I know that security can easily be a subject of a new flame war, in
which I don't want to contribute. So that's all from me.
Kristof
PS: Just to make it clear (I think the original question was about that):
there is no (known) way to convert passwords from one hash (crypt, etc) to
another. If you really-really need to, then (and I think only then) you have
to steal the plain passwords like hackers do (a bit easier, you are root).
I'd talk to my lawyer first, however :o).
