01:34.49 | *** join/#ubuntu-us-ut gunny (n=gunny@76.8.222.141) |
01:58.46 | *** join/#ubuntu-us-ut gunny1 (n=gunny@76.8.222.141) |
01:59.04 | *** part/#ubuntu-us-ut gunny1 (n=gunny@76.8.222.141) |
02:01.06 | *** join/#ubuntu-us-ut gunny (n=gunny@76.8.222.141) |
02:28.15 | *** join/#ubuntu-us-ut Claud-SLC (n=hot@166-70-187-9.ip.xmission.com) |
02:37.57 | *** part/#ubuntu-us-ut gunny (n=gunny@76.8.222.141) |
03:30.35 | tonedevf | i opened up the cardboard sleeve of a printed ubuntu CD that someone gave me and out fell a business card for an Aaron Topance. has anyone ever heard of this guy? |
03:31.14 | tonedevf | i didn't realize eightyeight == atopance |
03:31.33 | Zelut | tonedevf: hehe yeah |
03:31.47 | Zelut | tonedevf: he and I stuffed our cards in all the CD shipments |
03:31.48 | eightyeight | s/pance/ponce/ |
03:32.17 | tonedevf | Aaron Fancypance |
03:32.22 | tonedevf | ; ) |
03:32.25 | tonedevf | sorry |
03:32.29 | tonedevf | right on |
03:32.34 | eightyeight | heh |
03:32.34 | eightyeight | np |
03:32.53 | tonedevf | so can i ask Zelut and eightyeight a question that's been buggin me for a while? |
03:33.03 | eightyeight | sure |
03:33.26 | Zelut | may not answer, but you can ask. |
03:33.28 | tonedevf | without using a directory, how can i keep accounts and passwords synced across two systems? |
03:33.53 | tonedevf | copying the entries in /etc/passwd and /etc/shadow doesn't work |
03:34.08 | eightyeight | ldap? |
03:34.16 | Zelut | eightyeight: without a directory server |
03:34.32 | eightyeight | or is that the 'without a directory' clause? |
03:34.34 | eightyeight | ahh |
03:34.35 | tonedevf | but i'd like it to be that simple, if possible, even it was slightly less secure. |
03:34.49 | tonedevf | without a directory, right |
03:35.04 | eightyeight | so, no directory, and no copying the /etc/passwd and /etc/shadow? |
03:35.17 | Zelut | just two accounts? too hard to just create the two and be done? |
03:35.23 | tonedevf | no no, i *can* copy the passwd / shadow files. |
03:35.31 | tonedevf | what i meant was that doing so does not work |
03:35.31 | Zelut | I can understand piles of accounts.. |
03:35.34 | tonedevf | ... in my testing |
03:35.50 | eightyeight | oh. i see |
03:35.51 | tonedevf | the account comes across but the password does not work |
03:36.05 | tonedevf | ...and has to be reset |
03:36.09 | eightyeight | yeah. the password won't. that's because a salt is getting in the way |
03:36.20 | eightyeight | which is system-specific |
03:36.26 | tonedevf | that's what i thought. is there a way i can sync the salt on both boxes? |
03:36.37 | tonedevf | where does that salt live? |
03:36.50 | Zelut | at work we use a central hash when we create accounts so the passwords are all the same by default. |
03:37.22 | tonedevf | that sounds like what i'm after, Zelut. how do i pull that off? |
03:37.28 | eightyeight | tonedevf: iirc, the salt is based on the timestamp of the computer, but don't take me to the bank on that |
03:38.06 | tonedevf | 'timestamp of the computer'? you mean like when the system was installed? |
03:38.16 | eightyeight | no, like the current epoch |
03:38.34 | eightyeight | same thing as a seed with random numbers |
03:38.40 | tonedevf | how would that work? that would mean the salt keeps changing |
03:39.02 | eightyeight | again, don't take my word for it. i could be way off |
03:39.07 | tonedevf | ...but the hash stored in shadow is constant, i thought |
03:39.33 | eightyeight | tonedevf: create two accounts with the same password, and notice the hash. they're completely different |
03:39.41 | tonedevf | i'm glad to know that my suspicion is at least in the ballpark. |
03:40.08 | tonedevf | right |
03:40.20 | eightyeight | maybe it's based on the name? same name provides the same hash? |
03:40.34 | tonedevf | the host name? |
03:40.55 | eightyeight | hmm. can't create users with the same name |
03:41.03 | tonedevf | what Zelut described is what i'm after. i've heard from xmission employees that they do something similar too |
03:41.31 | tonedevf | ...meaning xmission doesn't use a directory internally for their staff accounts |
03:41.32 | eightyeight | Zelut: i'm intrigued as well |
03:42.39 | Zelut | one min |
03:45.48 | eightyeight | hits the sack. it's midnight where he's at |
03:47.40 | tonedevf | gnight eightyeight |
04:50.47 | *** join/#ubuntu-us-ut |phoenyx| (n=|phoenyx@97-117-67-119.slkc.qwest.net) |
04:53.34 | tonedevf | i'm heading to bed myself, Zelut. I won't let you off the hook though ; ) Thanks in advance and sleep well. |
10:27.45 | *** join/#ubuntu-us-ut whiteinge (n=whiteing@166-70-191-39.ip.xmission.com) |
14:00.03 | *** join/#ubuntu-us-ut thaddeusq (n=thaddeus@216.49.181.128) |
14:38.53 | eightyeight | http://usshop.ubuntu.com |
14:40.39 | *** mode/#ubuntu-us-ut [+o eightyeight] by ChanServ |
14:40.41 | *** topic/#ubuntu-us-ut by eightyeight -> http://utah.ubuntu-us.org | Next Meeting: Nov 8th - Release Party | Dec 13th Meeting - Beginning to Advanced Irssi - eightyeight | http://usshop.ubuntu.com |
14:40.44 | *** mode/#ubuntu-us-ut [-o eightyeight] by ChanServ |
14:49.01 | *** join/#ubuntu-us-ut Yorokobi (n=Colby@unaffiliated/yorokobi) |
14:51.56 | eightyeight | synic: nameservers added |
15:07.17 | Zelut | eightyeight: tonedevf: this is how I do it |
15:07.54 | Zelut | useradd -p 'INSERT HASH HERE' |
15:08.21 | Zelut | we have a central list of accounts + hashes, and when someone needs an account on a new box we useradd -p 'THEIRHASH' |
15:08.34 | Zelut | now, these are on RHEL/CentOS so YMMV |
15:08.50 | eightyeight | where do you get the hash? |
15:09.46 | Zelut | copied from the /etc/passwd upon first creation of the account. |
15:10.16 | Zelut | so you should be able to copy/paste your current hash on one machine, create a user on a second machine and use the same hash |
15:10.17 | *** join/#ubuntu-us-ut undertakingyou (n=will@undertakingyou.dsl.xmission.com) |
15:10.22 | eightyeight | ahh |
15:10.56 | tonedevf | do you mean grab the hash from the /etc/shadow? |
15:11.06 | Zelut | yeah, thats what I meant. |
15:11.18 | tonedevf | interesting |
15:12.02 | Zelut | now useradd and adduser work differently on ubuntu vs RHEL so it may require some tweaking. |
15:12.47 | tonedevf | useradd is the script on top of adduser, or the other way around? |
15:13.11 | Zelut | on ubuntu useradd doesn't do everything adduser does |
15:13.40 | Zelut | it's still possible, you'll just need to use more of the - options. ie; create home folder, group, shell assignment, etc. |
15:18.33 | eightyeight | on ubuntu, useradd just adds you to /etc/passwd |
15:19.54 | eightyeight | adduser, however, creates your home folder, copies everything from /etc/skel/ to your home folder, sets the appropriate owner, group and permissions on your home folder, creates your user private group, adds you to your group, adds you to /etc/shadow, and /etc/gshadow |
15:25.08 | *** join/#ubuntu-us-ut |phoenyx| (n=|phoenyx@70.102.172.126) |
15:29.27 | tonedevf | good to know |
15:30.00 | tonedevf | in the /etc/shadow file, is "$1$" part of the hash? and does the hash include everything up to the next ":"? |
15:30.21 | eightyeight | that tells you what made the hash. in that case, md5 |
15:31.47 | tonedevf | so everything AFTER the second $ and before the next : ? |
15:32.45 | eightyeight | yes |
15:32.54 | eightyeight | actually |
15:33.22 | eightyeight | between $ and the ., i believe is the salt, or describes it, or somehow related |
15:33.27 | eightyeight | then after the . is your hash |
15:35.19 | tonedevf | i don't see any ., not all the entries even have a . |
15:35.47 | eightyeight | you don't have anything like: |
15:36.02 | eightyeight | $1$oA0..Hm6$HRtOpXQU9PetTW7uQ2lvI1 |
15:36.09 | eightyeight | s/.././ |
15:36.20 | eightyeight | between the first : and second : |
15:36.33 | eightyeight | oh. heh |
15:36.42 | eightyeight | no '.' next $ |
15:36.58 | eightyeight | $1$oA0.Hm6$ |
15:37.30 | eightyeight | :$ hash-type $ salt-something-or-other $ hashed password : |
15:37.49 | tonedevf | okay, that looks more like what i'm seeing |
15:38.20 | tonedevf | so again, it's not JUST the hash that needs to be the same, but the salt does too, right? |
15:38.42 | eightyeight | dunno. i'd like to study that, to know for sure |
15:39.03 | eightyeight | actually, now that i think about it, yes. you would need the salt |
15:39.43 | eightyeight | and that's why hashes change, because the salt changes, but it's listed there in the /etc/shadow file, so we apply the hash algorithm with their listed salt to produce the same hash every time |
15:40.32 | tonedevf | which brings me back to ... why didn't it just work to copy the entry from one /etc/shadow to another? |
15:40.45 | eightyeight | supported hash types? |
15:40.59 | eightyeight | googles |
15:41.11 | tonedevf | i'm messing around with useradd -p and all it seems to be doing is inserting the string i provide into the /etc/shadow file between the 1st and 2nd : |
15:41.35 | tonedevf | i'm seeing native account on both machines starting with $1$ |
15:44.27 | eightyeight | i guess there would be two things going through my mind, as to why it's not working |
15:44.46 | eightyeight | first would be pam. is pam calling md5 or blowfish or something else to create the hash? |
15:45.30 | eightyeight | second would be the structure of the salt, and if how it's used |
15:46.05 | eightyeight | i know that opensuse 11 uses blowfish on shadow passwords by default, whereas most of the rest of the linux community is using md5 |
15:46.12 | eightyeight | but it's trivial to change pam to do any of them |
15:48.43 | tonedevf | w3wt!! it worked |
15:49.28 | tonedevf | useradd -p 'everythingbetween1stand2ndcolon' |
15:49.43 | Zelut | yeah thats the hash part. |
15:49.49 | tonedevf | single quotes, of course. including the hash type and salt is required |
15:50.10 | tonedevf | it's more than the hash though, that's what threw me |
15:50.33 | tonedevf | type$salt$hash, but i guess that makes more sense now that i understand it |
15:50.39 | tonedevf | thanks, Zelut! |
15:50.41 | eightyeight | i guess i should Use The Source Luke. i can't find anything on the google machine, showing me the hash types in the shadow password, including the salt |
15:53.56 | eightyeight | ok, we were right. |
15:54.01 | eightyeight | 1) generate a salt |
15:54.14 | eightyeight | 2) hash the plain text password with the hashing algo and the salt |
15:54.37 | eightyeight | 3) place all three in the form of $HASH$SALT$PASS |
15:54.52 | tonedevf | nods |
15:55.52 | tonedevf | thanks for working through that with me. amazing how long it took to find an answer... i guess most of the time was spent finding the right question to ask. |
15:56.41 | eightyeight | $1$ - MD5 |
15:56.46 | eightyeight | $2$ - blowfish |
15:56.53 | eightyeight | $2a$ - blowfish |
15:57.11 | eightyeight | $5$ or $6$ - SHA |
16:00.32 | eightyeight | if $ $ $ is missing all together, then DES was used |
16:02.48 | eightyeight | $5$ is sha256 |
16:02.53 | eightyeight | $6$ is sha512 |
16:04.44 | eightyeight | cool. that was fun |
16:04.47 | eightyeight | thx tonedevf |
16:13.31 | tonedevf | thank you, eightyeight ; ) |
16:13.43 | tonedevf | good info on the hashes, btw |
16:18.42 | eightyeight | http://search.cpan.org/~zefram/Authen-Passphrase-0.005/lib/Authen/Passphrase.pm#CONSTRUCTORS |
16:18.49 | eightyeight | sad that perl comes to the rescue. :) |
16:19.11 | tonedevf | somehow that's not surprising though ; ) |
16:19.28 | eightyeight | http://people.redhat.com/drepper/SHA-crypt.txt describe 5 and 6 |
20:10.48 | *** join/#ubuntu-us-ut thenetduck (n=tikiman@c-71-199-29-114.hsd1.ut.comcast.net) |
20:10.53 | thenetduck | hey anyone in? |
20:17.55 | thenetduck | can anyone answer some questions I have about full disk encryption? |
20:42.56 | Heartsbane | what kinda questions |
20:47.11 | thenetduck | hey Heartsbane ... ok I an going to install Hardy today(just got my computer back) and will have a / /home /opt parition |
20:47.31 | thenetduck | I wanna be able to encrypt /home /tmp and my swap |
20:47.40 | thenetduck | should I encrypt everything? |
20:48.02 | thenetduck | Also, will I be able to upgrade to 8.10 with ease without re-formatting everything? |
20:50.42 | Heartsbane | I would encrypt everything... as far as updating... I have no idea |
20:51.23 | Heartsbane | you might want to ask in #ubuntu+1 |
20:51.41 | Heartsbane | that is the intrepid ibex channel |
20:52.15 | Heartsbane | but I think you will be fine |
21:33.08 | Zelut | eightyeight: man I love how easy it is in openbox to create shortcuts |
21:45.22 | thenetduck | do tell more .... |
21:56.23 | *** join/#ubuntu-us-ut Technoviking (n=mike@ubuntu/member/Technoviking) |
22:29.45 | *** join/#ubuntu-us-ut bigfox (n=bigfox@ecelab28.ece.utah.edu) |
22:55.33 | *** join/#ubuntu-us-ut |phoenyx|_ (n=|phoenyx@70.102.172.126) |
23:45.02 | *** part/#ubuntu-us-ut bigfox (n=bigfox@ecelab28.ece.utah.edu) |