CRYPT(3) replacement

  • Question

  • Hello,

    I'm writing a script to change passwords on different servers: Windows, Red Hat, Solaris, ...

    For Windows it is easy (thank you PowerShell) but for Unix/Linux it is harder.

    I'm looking to find a replacement for the command CRYPT(3) from the Linux manual page.

    Can anyone help me with this?

    Thank you in advance

    Friday, October 31, 2014 11:40 AM

Answers

  • Can't be done the way you think of it. The password has to be encrypted on the remote server. It has nothing to do with Windows.

    You must encrypt on the Unix system.

    Sorry.

    Actually none of what you are doing makes any sense. You cannot GET the remote password and decrypt it. It is stored as a one-way encryption. You can use the Unix utilities to decrypt on the Unix box only if it is stored as a reversible encoding.

    I suggest posting your issue in the Unix forum and let the Unix guys explain this to you.


    ¯\_(ツ)_/¯

    • Marked as answer by den.duez Friday, October 31, 2014 12:16 PM
    Friday, October 31, 2014 12:15 PM

All replies

  • Sorry but you are asking in the wrong forum.  Your question is not about scripting.  Try searching the net for an answer.  You will get farther.


    ¯\_(ツ)_/¯

    Friday, October 31, 2014 11:53 AM
  • ok sorry
    thank you
    Friday, October 31, 2014 11:54 AM
  • Here - it took me less than 30 seconds: http://stackoverflow.com/questions/4706124/how-to-use-crypt3-in-windows


    ¯\_(ツ)_/¯

    Friday, October 31, 2014 11:55 AM
  • This is not what I mean, sorry

    What I do so far is the following

    1. Ping the server
    2. if connection
    3. check if it is a Windows server
    4. if not
    5. set up ssh with the server
    6. change the password

    Now for most UNIX systems you can use the command "echo root:${newPassword} | chpasswd"

    but for Solaris you have to change the /etc/shadow file.

    So I need an encrypted password first. I did this by asking the server in question to give me the encrypted password for a string.
    This works as long as there are no special characters involved like @ or #.

    [String]$commandGetPassword = "perl -e 'print crypt("+'"' + $newPassword +'", "userTo")'+"'"
                
    $returnValueGetPassword = Invoke-SSHCommand -SSHSession $newSshSession -Command $commandGetPassword

    So I want to run the encryption on the Windows machine inside of PowerShell, if this is possible without the need to install stuff.

    Friday, October 31, 2014 12:07 PM
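
Added example, not part of the thread: one way to build the remote perl command from the post above so that the password is never parsed as Perl or shell source. In the posted command the password sits inside a Perl double-quoted string, where @ triggers array interpolation. The function names are hypothetical, and a POSIX shell on the remote side is assumed.

```powershell
# Added example, not code from the thread. Function names are hypothetical.

# Quote a value as one POSIX shell word: wrap it in single quotes and
# rewrite each embedded ' as '\'' (close quote, escaped quote, reopen).
function ConvertTo-PosixShellLiteral {
    param([Parameter(Mandatory=$true)][AllowEmptyString()][string]$Value)
    "'" + $Value.Replace("'", "'\''") + "'"
}

# Build the remote command. The Perl source is a constant; password and salt
# arrive in @ARGV, so neither is ever parsed as Perl or shell syntax.
# "--" stops perl from reading a password that starts with "-" as a switch.
function New-CryptCommand {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [Parameter(Mandatory=$true)][string]$Salt
    )
    $perlSource = 'print crypt($ARGV[0], $ARGV[1])'
    'perl -e {0} -- {1} {2}' -f (ConvertTo-PosixShellLiteral $perlSource),
        (ConvertTo-PosixShellLiteral $Password),
        (ConvertTo-PosixShellLiteral $Salt)
}

# Constructed sample password containing @, #, $ and a single quote.
$samplePassword = 'p@ss#w''rd$1'
$commandGetPassword = New-CryptCommand -Password $samplePassword -Salt 'userTo'
$commandGetPassword
# Sent to the server exactly as in the post above (needs a live session):
# Invoke-SSHCommand -SSHSession $newSshSession -Command $commandGetPassword
```

The password still appears in the remote process argument list, as it does with the posted command. Where crypt(3) treats a salt without a leading $ as the traditional DES scheme, only the first two salt characters and the first eight password characters are used.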
  • Here is how we do the same thing on a Windows machine.

    # Create the SecureString from the plain-text password
    $ss=ConvertTo-SecureString -String MyTextPassword -AsPlainText -Force
    # Output it as an encrypted string
    $ss|ConvertFrom-SecureString

    The encrypted string is NOT portable.  It is only usable on the box it was created on.

    The Crypto API can encrypt in most portable formats but portable formats generally require a certificate.

    Your SSL connection uses a remote cert on the Unix box to encrypt the connection. The same is true for HTTPS. That is because they require a shared key and the target of the connection controls the encryption, which eliminates the need for the client to have a copy of the certificate or the passkey. The client uses the host cert and a shared temporary key sent over the secured channel.

    Password encryption is not a shared key. We create a secure channel first then send a plain text password. In Windows on a domain the password is actually sent encrypted over a secure channel and blindly applied to the password manager. If the password validates, a token is allocated and there is no more password with further authentication.

    I am not up to date on how Linux currently handles this.  It used to just keep the passwords in a file that was protected and later encrypted.  Most corporate Unix implementations now use Kerberos which is what Windows uses in a domain.


    ¯\_(ツ)_/¯

    Friday, October 31, 2014 12:28 PM