bugat.at

NT MD4 password hash as new password encryption method for FreeBSD


Idea: Michael Bretterklieber
Implementation: Michael Ranner, Michael Bretterklieber

This is a simple proposal to add support for NT MD4 password hashes to crypt(3).

NT MD4 password hashes are more insecure than the standard FreeBSD MD5 based password crypt or the much more stronger blowfish based encryption. Why are you/we so nut to use NT password hashes? The answer is very simple:

If you like to authenticate dialin users (ppp, pptp) with CHAP you need the plaintext password on the server and therefore its not possible to store the passwords in the systems master.passwd. Using PAP is a bad idea, because the passwords are transmitted as plaintext over the net. MS-CHAP solves this problem by using hashed passwords (md4).

With MS-CHAP and our modification to crypt(3) its not longer necessary to store plaintext secrets on your server!

But we think there are many more advantages:

  1. Only one user database (password can easily changed by the user himself).
  2. MS-CHAP can used, without storing the plaintext passwords on the server.
  3. SAMBA can modified to use directly the master.passwd and not his own smbpasswd.
  4. Samba can use NIS for encrypted passwords on FreeBSD.

Disadvantages:

  1. No salt is used, users with same passwords have the same hash
FreeBSD already supports different encryption methods (MD5, Blowfish, DES), so it was easy to add this method (new type $3). It can be configured via login.conf (:passwd_format=nth:).
here are the patches: libcrypt.diff, crypt-nthash.c 
cp crypt-nthash.c /usr/src/lib/libcrypt
cd /usr/src/lib/libcrypt
patch < libcrypt.diff
make
make intall
cd /usr/src/usr.bin/passwd
make 
make install
And here are patches for mpd, with these patches mpd uses the master.passwd for passwords, if a '*' is specified in the mpd.secret in the password field. This works with all encryption methods if PAP is used, if the password is a NT-Hash MS-CHAP also works. CHAP doesen't work at all, because you need the plaintext password.
mpd-pwd.diff

Patches for SAMBA can downloaded here


BSD Usergroup Austria