jhutz at cmu
Jan 14, 2008, 3:17 PM
Post #2 of 4
--On Wednesday, January 09, 2008 03:20:02 PM +0000 Simon Daniels
<S.Daniels [at] uel> wrote:
> However if I hash a password using the sha1pass script the resulting
> hashes don't work.
As of syslinux-3.53 (the latest I have lying around), the code in
com32/modules/menumain.c for checking sha1 passwords has a bug which causes
checking of salted passwords to fail. Specifically, it tries to fold the
salt into the hash before initing the hash context. I have attached a
patch (untested) which should fix this problem.
> I notice I get a different hash every time when using the same arg. Is
> this correct?
That's correct. The string between the second and third $ characters is a
"salt", which is a chunk of random data included in the hash to make it
more difficult to determine the password by keeping a dictionary of
passwords and the strings they hash to. To get the same string back, you
can give the hash as an additional argument to sha1pass:
./sha1pass 1234567890 9qj4qv8g
> I can't get the MD5pass script to run as it's missing a lib but running
> cpan install Digest::MD5 reports that my MD5 is up to date?
Is there a question here? We can't help you get md5pass working if you
don't tell us what error messages you got.
-- Jeffrey T. Hutzelman (N3NHS) <email@example.com>
Carnegie Mellon University - Pittsburgh, PA