On Mon, 31 Aug 1998, Mark A. Heilpern wrote:

> At 05:53 AM 8/31/98 -0700, you wrote:
> >anyone know how to unencrypt? please share.
>
> If the encryption mechanism is the standard unix crypt()
> function, you can try a dictionary search to guess at
> the password key, or you can do a brute force search which
> covers up to 8 characters.

[snip]

There's a nice program called Crack that does this. Check out the tools dir on cert's ftp site. Unfortunately, Circle only uses the first ten characters (including the salt) of the encrypted password. Hacking Crack's source to handle the truncated passwords should work, or just change MAX_PWD_LENGTH in structs.h to something sensible.

(Slight digression: How about officially changing the player file format to include the circlemud_version number at the beginning of the file? That would make it possible to change things like MAX_PWD_LENGTH between distributions and then automatically read/convert player files. If there's no version number assume the file is in the pre-version number format.)

Also on cert's ftp site is a library called Cracklib which detects easily guessable passwords. It's easy to code Circle to use it, but here's some easy to follow instructions just in case:

1) Download and install Cracklib. (Note: Cracklib is installed in many Linux distributions. You probably already have it :)

2) Edit the Makefile to include -lcrack (Note: If you configure again you'll have to redo this change)

3) In conf.h add a line like this after the CIRCLE_CRYPT part:

   /* Define if using cracklib */
   #define CIRCLE_CRACK 1

4) In sysdep.h after the HAVE_CRYPT_H add something like this:

   #ifdef CIRCLE_CRACK
   #include <crack.h>
   #endif

5) At the very end of utils.h add a #define for CRACKDICT_PATH. It should be the path to the Cracklib dictionaries. See the Cracklib documentation for more info.
6) Finally, make the following changes to nanny() in interpreter.c:

---BEGIN CODE--- case CON_NEWPASSWD: case CON_CHPWD_GETNEW: +#if defined(CIRCLE_CRACK) && defined (CIRCLE_CRYPT) + *buf = '\0'; + if (strlen(arg) > MAX_PWD_LENGTH) + sprintf(buf, "\r\nIllegal password: password too long"); + else if (!str_cmp(arg, GET_NAME(d->character))) + sprintf(buf, "\r\nIllegal password: don't use your own name"); + else { + str = FascistCheck(arg, CRACKDICT_PATH); + if (str) + sprintf(buf, "\r\nIllegal password: %s", str); + } + + if (*buf) { + SEND_TO_Q(buf, d); + SEND_TO_Q("\r\nPassword: ", d); + return; + } + #else if (!*arg || strlen(arg) > MAX_PWD_LENGTH || strlen(arg) < 3 || !str_cmp(arg, GET_NAME(d->character))) { SEND_TO_Q("\r\nIllegal password.\r\n", d); SEND_TO_Q("Password: ", d); return; } + #endif ---END CODE---

Encrypting player's passwords only provides the slightest amount of protection since access to a Circlemud's playerfile usually means your security is shot anyhow. Why crack the password when you've got the mudpasswd util? :)

+------------------------------------------------------------+
| Ensure that you have read the CircleMUD Mailing List FAQ:  |
| http://democracy.queensu.ca/~fletcher/Circle/list-faq.html |
+------------------------------------------------------------+
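
Review bot: `str` is assigned from FascistCheck() in the added else branch, but none of the added lines declare it, so unless nanny() already has a suitable pointer by that name the CIRCLE_CRACK build will not compile; add a declaration (for example `char *str;`, matching the return type in the installed crack.h) under the same #if guard. The added branch also drops the `!*arg` and `strlen(arg) < 3` tests that the #else branch keeps, so empty and very short input is left entirely to FascistCheck(); keeping an explicit `!*arg` test ahead of the length check would make the two build variants reject the same minimum set. Two smaller points: the unbounded sprintf() of the library-supplied message into buf would be safer as a bounded copy, and the name test only catches an exact match via str_cmp(), so a password that merely contains the character name gets through unless the dictionary check happens to reject it.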
This archive was generated by hypermail 2b30 : 12/15/00 PST