pwgen's seeding looks insecure
RW
fbsd06 at mlists.homeunix.com
Mon Jan 8 21:18:29 UTC 2007
On Mon, 8 Jan 2007 10:56:50 -0800
Garrett Cooper <youshi10 at u.washington.edu> wrote:
> On Jan 8, 2007, at 10:36 AM, Dan Nelson wrote:
>
> > In the last episode (Jan 08), RW said:
> >> Someone recently recommended sysutils/pwgen for generating user
> >> passwords. Out of curiosity I had a look at how it works, and I
> >> don't like the look of its PRNG initialization:
> >>
> >>
> >> #ifdef RAND48
> >> srand48((time(0)<<9) ^ (getpgrp()<<15) ^ (getpid()) ^ (time(0)
> >> >>11));
> >> #else
> >> srand(time(0) ^ (getpgrp() << 8) + getpid());
> >> #endif
> >>
> >> If pwgen is called from an account creation script, time(0) can be
> >> inferred from timestamps, e.g. on a home-directory, so that just
> >> leaves
> >> getpid() and getpgrp(). PIDs are allocated sequentially and
> >> globally,
> >> so getpid() is highly predictable. I don't know much about
> >> getpgrp(), but from the manpage it doesn't appear to be any better.
> >
> > Even better: make RANDOM() call random() instead of rand()
I wasn't suggesting the use of getpgrp(), it's one of the existing three
sources of entropy . The other two sources are can be inferred by any
user (assuming that pwgen is run close to the point at which the
account is created). What I was wondering is how much secure entropy
there is in getpgrp() alone.
I just wrote a little test program, and getpgrp() seems to return the
same number as getpid. If I haven't screwed-up and that is generally
correct, then any user can log PIDs verses time and find the password
of a newly created account from the datestamp of its home directory,
within a few attempts.
More information about the freebsd-questions
mailing list