--- makepasswd-1.10.orig/debian/changelog +++ makepasswd-1.10/debian/changelog 
@@ -0,0 +1,185 @@ +makepasswd (1.10-11) unstable; urgency=medium + + * Switch to git; update Vcs-* fields. + * Use /dev/urandom as intended and documented, not /dev/random + (LP: #1573974). + + -- Colin Watson Sat, 10 Feb 2018 02:04:29 +0000 + +makepasswd (1.10-10) unstable; urgency=low + + * Move debian/source.lintian-overrides to preferred location of + debian/source/lintian-overrides. + * Convert from Crypt::OpenSSL::Random to Bytes::Random::Secure (closes: + #792535). + + -- Colin Watson Thu, 16 Jul 2015 11:45:20 +0100 + +makepasswd (1.10-9) unstable; urgency=low + + * Fix output formatting when --clearfrom password is >= 12 characters + (thanks, Steven Van Acker; LP: #894739). + * Remove redundant debian/dirs file. + * Canonicalise Vcs-Bzr and Vcs-Browser URLs. + * Override debian-watch-file-is-missing Lintian message. + * Explicitly set source format to 1.0 for now. + * Policy version 3.9.4: no changes required. + + -- Colin Watson Mon, 27 May 2013 23:43:43 +0100 + +makepasswd (1.10-8) unstable; urgency=low + + * debian/copyright: Note that the upstream source location no longer + exists due to the upstream author's death some years ago (closes: + #660962). + + -- Colin Watson Wed, 07 Mar 2012 10:25:17 +0000 + +makepasswd (1.10-7) unstable; urgency=low + + * Remove Linux-specific text from the package description, the manual + page, and the copyright file (closes: #642410). + + -- Colin Watson Thu, 22 Sep 2011 15:11:39 +0100 + +makepasswd (1.10-6) unstable; urgency=low + + * Policy version 3.8.4: no changes required. + * Add CVE entry to previous changelog stanza. + * Send --help output to stdout, not stderr. + + -- Colin Watson Sat, 28 May 2011 09:31:32 +0100 + +makepasswd (1.10-5) unstable; urgency=low + + * Imported into a branch on bzr.debian.org; add Vcs-Bzr and Vcs-Browser + control fields. + * Use OpenSSL's random number generator, seeded with 256 bits of entropy + from /dev/urandom (CVE-2010-2247; closes: #564559). 
+ + -- Colin Watson Mon, 22 Feb 2010 00:39:50 +0000 + +makepasswd (1.10-4) unstable; urgency=low + + * Upgrade to debhelper v7. + * Override a Lintian warning about syntax in an old changelog entry; I'm + not going to rewrite history for this. + * Policy version 3.8.2. No changes required. + * Use /dev/urandom rather than /dev/random, as the latter is overkill for + this and drains entropy too quickly (thanks, Ralf Hildebrandt; closes: + #307700). + * Increase default password length range from 6-8 characters to 8-10 + (closes: #23648). + + -- Colin Watson Fri, 14 Aug 2009 22:31:13 +0100 + +makepasswd (1.10-3) unstable; urgency=low + + * Open /dev/random with just the :unix layer to avoid draining it in + 4096-byte buffered chunks (closes: #320310). Requires perl 5.8 for + PerlIO. + * Use dh_installman rather than the deprecated dh_installmanpages. + * Remove SHELL=/bin/bash and other cruft in debian/rules. + * Upgrade to debhelper v4. + * Policy version 3.6.2. No changes required. + + -- Colin Watson Sun, 7 Aug 2005 17:48:40 +0100 + +makepasswd (1.10-2) unstable; urgency=low + + * New maintainer (closes: #192660). + * Acknowledge Javier's NMU; thanks! + * makepasswd: Fix --crypt-md5 passwords so that PAM actually accepts them, + using Crypt::PasswdMD5 (closes: #44788). --crypt-md5 can now be used + with --repeatpass. + * makepasswd: Document --crypt-md5 in --help output. + * debian/control (Description): Change "on the command line" (--clear) to + "in a temporary file" (--clearfrom). + * debian/control: Build-depend on debhelper (>= 3.0.18), per the Perl + policy. Move this from Build-Depends-Indep to Build-Depends since + Build-Depends-Indep doesn't have to be satisfied during clean. + * debian/rules: Modernize a bit. + * debian/control (Standards-Version): Bump to 3.6.1. + + -- Colin Watson Mon, 25 Aug 2003 05:05:43 +0100 + +makepasswd (1.10-1.1) unstable; urgency=low + + * Non-maintainer upload. 
+ Since the rules have changed and this package has not + (since potato) I'm uploading to 0-delay. This upload will + not fix any RC bugs but at least will (almost) remove all + the bugs open for this package, and it didn't take me + much time to figure these out... + - Change program name so that the help text is displayed + properly (Closes: #147808) + - Now Build-Depends-Indep from debhelper (Closes: #190485) + (I'm not bumping up the Standards Version since this should + be revised by the maintainer) + - Using --clear now exits with error warning the user that + the option is no longer valid (Closes: #50885) + - Added 'use bytes' as suggested by reporter to be UTF-8 clean + (although I'm not sure if this bug applies any longer since + I cannot reproduce it, in any case, using that module + shouldn't, hopefully, break anything. (Closes: #168492) + - Generate MD5 passwords with the --crypt-md5 option (Closes: #44788) + + -- Javier Fernandez-Sanguino Pen~a Wed, 20 Aug 2003 02:40:37 +0200 + +makepasswd (1.10-1) unstable; urgency=low + + * New upstream version, now possible to pass the cleartext in a file, + closes: #31059. + * Corrected maintainer address (should be johnie@debian.org). + + -- Johnie Ingram Sat, 18 Sep 1999 03:23:37 -0500 + +makepasswd (1.07-3) unstable; urgency=low + + * Updated to Standards-Version: 3.0.1.0, closes: #41502. + + -- Johnie Ingram Mon, 30 Aug 1999 10:36:28 -0500 + +makepasswd (1.07-2.1) unstable; urgency=low + + * NMU for the perl upgrade. Closes: #41502 + * Changed the dependency: s/perl/perl5/ + * Upgraded standards-version to 2.5.1 + * Corrected the location of the GPL in the copyright file. + * Installed the man page instead of the undocumented link. + + -- Raphael Hertzog Wed, 21 Jul 1999 19:05:00 +0200 + +makepasswd (1.07-2) unstable; urgency=low + + * Correct debian/rules target (binary-indep) used. + * Switched from debmake to debhelper packaging technology. + * Updated to Standards-Version 2.5.0.0. 
+ + -- Johnie Ingram Mon, 21 Dec 1998 15:55:46 -0500 + +makepasswd (1.07-1) unstable; urgency=low + + * New upstream version (which includes --string fix, cf. #15759) + * Added upstream changelog file and README. + * Now has pristine source archive. + + -- Johnie Ingram Mon, 9 Feb 1998 11:53:26 -0500 + +makepasswd (1.06-2) unstable; urgency=low, closes=15759 + + * Updated year and other details in copyright file. + * Patched makepasswd so --string support works (#15759). + * Updated to Standards-Version 2.4.0.0. + + -- Johnie Ingram Mon, 9 Feb 1998 10:59:50 -0500 + +makepasswd (1.06-1) unstable; urgency=low + + * Initial Release. + + -- Johnie Ingram Sun, 9 Nov 1997 04:30:59 -0500 + +Local variables: +mode: debian-changelog +End: --- makepasswd-1.10.orig/debian/compat +++ makepasswd-1.10/debian/compat @@ -0,0 +1 @@ +7 --- makepasswd-1.10.orig/debian/control +++ makepasswd-1.10/debian/control @@ -0,0 +1,16 @@ +Source: makepasswd +Section: admin +Priority: optional +Maintainer: Colin Watson +Build-Depends: debhelper (>= 7.0.1) +Standards-Version: 3.9.4 +Vcs-Git: https://salsa.debian.org/debian/makepasswd +Vcs-Browser: https://salsa.debian.org/debian/makepasswd + +Package: makepasswd +Architecture: all +Depends: ${misc:Depends}, ${perl:Depends}, perl (>= 5.8), libcrypt-passwdmd5-perl, libbytes-random-secure-perl +Description: Generate and encrypt passwords + Generates true random passwords using /dev/urandom, with the emphasis on + security over pronounceability. It can also encrypt plaintext passwords + given in a temporary file. --- makepasswd-1.10.orig/debian/copyright +++ makepasswd-1.10/debian/copyright 
@@ -0,0 +1,38 @@ +This package was debianized by Johnie Ingram (johnie@debian.org) +on Sun Nov 9 04:38:12 EST 1997. + +It was obtained from the author via IRC at irc.linpeople.org, and was once +also downloadable from +. As +of 2012, this site no longer exists. Since the upstream author passed away +some years ago (http://en.wikipedia.org/wiki/Rob_Levin), there is unlikely +to be a new upstream source location. + + +Copyright: + + Copyright (c) 1997-1998 by lilo . All rights are + reserved by the author. This program may be used under the terms of + version 2 of the GNU Public License. + +As has been my custom of late, this program is released under the terms of +GNU COPYING-2. Don't apply any other version of the GNU license to it. If +some legal precedent ends up biting us in the nose, write me and I'll tweak +the license accordingly. + +In that case, or in case you want to laud or castigate me for some imagined +slight, feel free to email me at lilo@linpeople.org. + + +lilo + + + + +Packaging for Debian is copyright (C) 1997-1999 Johnie Ingram, and +also released under the terms of the GPL -- version 2, or any later +version. + +On Debian systems, the text of the GPL can be found in +/usr/share/common-licenses/GPL. + --- makepasswd-1.10.orig/debian/docs +++ makepasswd-1.10/debian/docs @@ -0,0 +1 @@ +README --- makepasswd-1.10.orig/debian/install +++ makepasswd-1.10/debian/install @@ -0,0 +1 @@ +makepasswd usr/bin --- makepasswd-1.10.orig/debian/lintian-overrides +++ makepasswd-1.10/debian/lintian-overrides @@ -0,0 +1 @@ +makepasswd: syntax-error-in-debian-changelog --- makepasswd-1.10.orig/debian/manpages +++ makepasswd-1.10/debian/manpages @@ -0,0 +1 @@ +makepasswd.1 --- makepasswd-1.10.orig/debian/rules +++ makepasswd-1.10/debian/rules @@ -0,0 +1,3 @@ +#! /usr/bin/make -f +%: + dh $@ --- makepasswd-1.10.orig/debian/source/format +++ makepasswd-1.10/debian/source/format 
@@ -0,0 +1 @@ +1.0 --- makepasswd-1.10.orig/debian/source/lintian-overrides +++ makepasswd-1.10/debian/source/lintian-overrides @@ -0,0 +1,2 @@ +# No watch file possible; upstream author is deceased. +makepasswd source: debian-watch-file-is-missing --- makepasswd-1.10.orig/makepasswd +++ makepasswd-1.10/makepasswd @@ -4,7 +4,7 @@ # Program information. # -$Program = 'mkpasswd'; +$Program = 'makepasswd'; $Version = '1.10'; $Author = 'Rob Levin '; $Date = "Monday, 7 April 1999 at 22:56 (UCT)"; @@ -19,6 +19,8 @@ use Getopt::Long; use FileHandle; use integer; +use bytes; +use Bytes::Random::Secure; # # Set default values for options ("" to indicate not-specified). @@ -28,6 +30,7 @@ $Clear = ""; $Count = ""; $Crypt = 0; +$CryptMd5 = 0; $CryptSalt = ""; $MaxChars = ""; $MinChars = ""; @@ -43,8 +46,8 @@ # $Error = 0; -$CharMin = 6; -$CharMax = 8; +$CharMin = 8; +$CharMax = 10; $CharFormat = $CharMax + 3; $CountUsed = 1; $PasswordRepeat = 1; @@ -54,6 +57,7 @@ $RandSeed = 0; $RerandomCount = -1; $RerandomNow = 1; +$RNG = undef; $SeedValue = 0; # @@ -91,9 +95,11 @@ &GetOptions ( 'chars=i' => \$Chars, + 'clear=s' => \$OldClear, 'clearfrom=s' => \$Clear, 'count=i' => \$Count, 'crypt!' => \$Crypt, + 'crypt-md5!' => \$CryptMd5, 'cryptsalt=i' => \$CryptSalt, 'help' => \$ShowHelp, 'maxchars=i' => \$MaxChars, @@ -115,6 +121,17 @@ }; # +# If password generation option was specified with the old --clear, +# warn the user and exit +# +$OldClear ne "" and do +{ + print STDERR "$Program: Option --clear is no longer present \n". + "please use --clearfrom and supply a file for it.\n"; + $Error = 1; +}; + +# # If password generation option was specified with --clearfrom, flag it. # 
@@ -134,10 +151,10 @@ "--chars --minchars --maxchars --count --string.\n"; $Error = 1; }; - $Crypt or do + $Crypt or $CryptMd5 or do { print STDERR "$Program: Option --clearfrom may not be specified ". - "without option --crypt.\n"; + "without option --crypt or --crypt-md5.\n"; $Error = 1; }; open CLEARFROM, "$Clear" or do @@ -149,6 +166,7 @@ $Clear =~ s/[\n]*$//; close CLEARFROM; $CryptMode = 4; + $CharFormat = length($Clear) + 3; }; # @@ -256,9 +274,9 @@ # If --crypt is not set or --cryptsalt is set, disallow this parameter. # - $Crypt or do + $Crypt or $CryptMd5 or do { - print STDERR "$Program: To use --repeatpass, --crypt must also be set.\n"; + print STDERR "$Program: To use --repeatpass, --crypt or --crypt-md5 must also be set.\n"; $Error = 1; }; $CryptSalt and do @@ -425,12 +443,12 @@ exit(0); # -# sub Help: Display help information on STDERR. +# sub Help: Display help information on STDOUT. # sub Help { - print STDERR + print "$Program v$Version, a utility to generate and/or encrypt passwords. Copyright (c) $Copyright by $Author. All rights are reserved by 
@@ -441,42 +459,51 @@ Format: $Program [option...] -For low (nonzero) values of --rerandom, tap the CONTROL key at random -intervals if the program seems to stall. The entropy base for /dev/random -is depleted easily. - Options are: --chars=N Generate passwords with exactly N characters (do not use with options --minchars and --maxchars). --clearfrom=FILE Use a clear password from FILE instead of generating passwords. - Requires the --crypt option; may not be used with options - --chars, --maxchars, --minchars, --count, --string, - --nocrypt. Trailing newlines are ignored, other - whitespace is not. + Requires the --crypt or --crypt-md5 option; may not be + used with options --chars, --maxchars, --minchars, + --count, --string, --nocrypt. Trailing newlines are + ignored, other whitespace is not. --count=N Produce a total of N passwords (the default is one). --crypt Produce encrypted passwords. +--crypt-md5 Produce encrypted passwords using the MD5 digest (hash) + algorithm. --cryptsalt=N Use crypt() salt N, a positive number <= 4096. If random seeds are desired, specify a zero value (the default). --help Ignore other operands and produce only this help display. ---maxchars=N Generate passwords with at most N characters (default=8). ---minchars=N Generate passwords with at least N characters (default=6). +--maxchars=N Generate passwords with at most N characters (default=10). +--minchars=N Generate passwords with at least N characters (default=8). --nocrypt Do not encrypt the generated password(s) (the default). --noverbose Display no labels on output (the default). --randomseed=N Use random number seed N, between 0 and 2^32 inclusive. A zero - value results in a real-random seed. + value results in a real-random seed. This option + generates predictable passwords, and should normally + be avoided. --rerandom=N Set the random seed value every N values used. Specify zero to use a single seed value (the default). 
Specify one to get true-random passwords, but plan on hitting the CONTROL key a lot while it's running. ;) ---repeatpass=N Use each password N times (4096 maximum, --crypt must be set - and --cryptsalt may not be set). +--repeatpass=N Use each password N times (4096 maximum, --crypt or + --crypt-md5 must be set and --cryptsalt may not be set). --string=STRING Use the characters in STRING to generate random passwords. --verbose Display labelling information on output. "; } # +# sub NumBits(N): Number of significant bits in N. +# + +sub NumBits +{ + return length(sprintf('%b', $_[0])); +} + +# # sub Random(A, B): Produce a random integer from A to B, inclusive. # @@ -492,7 +519,40 @@ { $RerandomNow = $RerandomCount; }; - my $RandomOutputVal=rand($_[1]-$_[0]+1); + my $RandomOutputVal; + if ($RandSeed) + { + $RandomOutputVal = rand($_[1]-$_[0]+1); + } + else + { + # Repeatedly generate n-bit random byte sequences (with n = + # number of significant bits in range) until we get + # something less than range. + my $range = $_[1]-$_[0]+1; + my $bits = NumBits($range); + my $bytes = ($bits - 1) / 8 + 1; + my $max = 1 << ($bytes * 8); + $max -= $max % $range; + while (1) + { + my $buf = $RNG->bytes($bytes); + my $val = 0; + for my $byte (unpack('C*', $buf)) + { + $val = ($val << 8) + $byte; + } + if ($val < $max) + { + # Using the modulus is OK here; we're + # working with a byte stream, so the + # low-order bits are no worse than any of + # the others. + $RandomOutputVal = $val % $range; + last; + } + } + } $RandomOutputVal=$RandomOutputVal+$_[0]; $RandomOutputVal =~ s/\..*$//; $RandomOutputVal; @@ -506,19 +566,14 @@ { my $i; my $SeedOutput = $RandSeed; - $SeedOutput or do + if ($SeedOutput) { - open(RANDOMSEED, "new(NonBlocking => 1); + } } # 
@@ -588,6 +643,82 @@ } # +# sub Md5Base64Char(A): Base-64-encode a character from an MD5 digest. +# + +sub Md5Base64Char +{ + my $map64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; + my $char = shift; + $char = 0 if $char < 0; + $char = 63 if $char > 63; + substr($map64, $char, 1); +} + +# +# sub MakeMd5Salt(A, B): Generate a crypt salt string from a number from 0 +# through 4095. +# + +sub MakeMd5Salt +{ + my $md5 = Digest::MD5->new(); + $md5->add(time); + $md5->add($$); + $md5->add($_[0]); + $md5->add($_[1]); + my $digest = $md5->digest; + $digest = substr($digest, 0, 8); + my $salt; + for my $char (map { ord($_) & 077 } split //, $digest) + { + $salt .= Md5Base64Char($char); + } + $salt; +} + +# +# sub CryptMd5Password(A, B): Encrypt the password provided using the +# MD5 digest algorithm; keep a running list of codes used as long as B is +# true. +# + +sub CryptMd5Password +{ + my $password = $_[0]; + eval "use Crypt::PasswdMD5"; + if ($@) + { + print STDERR "$Program: Could not load the Crypt::PasswdMD5 library, cannot use --crypt-md5\n". + "This may be due to an invalid or incomplete Perl installation\n."; + exit 1; + }; + + my $ThisSeed = $SeedValue; + if ($ThisSeed) + { + $ThisSeed--; + } + else + { + $_[1] or do + { + %UsedSeed = (); + }; + $ThisSeed = Random(0, 4095); + do + { + $ThisSeed = Random(0, 4095); + } + until not exists $UsedSeed{$ThisSeed}; + $UsedSeed{$ThisSeed} = $ThisSeed; + } + + my $salt = MakeMd5Salt($password, $ThisSeed); + unix_md5_crypt($password, $salt); +} + +# # sub ProcessPassword(A): Process the password provided. # @@ -600,6 +731,7 @@ $Password = MakePassword(); $Crypt and $PaddedPass = sprintf "%-$CharFormat"."s", $Password; + $CryptMd5 and $PaddedPass = sprintf "%-$CharFormat"."s", $Password; $Verbose and do { $PassLabel="Password="; 
@@ -616,6 +748,12 @@ print "$PassLabel"."$PaddedPass"."$CryptLabel"."$CryptedPass\n"; $Verbose and $PaddedPass = $EmptyPassword; } + elsif ($CryptMd5) + { + $CryptedPass = CryptMd5Password($Password); + print "$PassLabel"."$PaddedPass"."$CryptLabel"."$CryptedPass\n"; + $Verbose and $PaddedPass = $EmptyPassword; + } else { print "$PassLabel"."$Password\n"; --- makepasswd-1.10.orig/makepasswd.1 +++ makepasswd-1.10/makepasswd.1 @@ -1,4 +1,4 @@ -.\" Copyright (C) 1997 Johnie Ingram (johnie@debian.org). +.\" Copyright (C) 1997-1998 Johnie Ingram (johnie@debian.org). .\" .\" This is free documentation; you can redistribute it and/or .\" modify it under the terms of the GNU General Public License as @@ -33,7 +33,7 @@ .I N ] [ -.B \--crypt | --nocrypt +.B \--crypt | --nocrypt | --crypt-md5 ] [ .B \--cryptsalt @@ -72,9 +72,9 @@ .SH DESCRIPTION .LP .B makepasswd -generates true random passwords by using the /dev/random feature of -Linux, with the emphasis on security over pronounceability. It can -also encrypt plaintext passwords given on the command line. +generates true random passwords using /dev/urandom, with the emphasis on +security over pronounceability. +It can also encrypt plaintext passwords given on the command line. .SH OPTIONS .TP .B --chars N @@ -83,8 +83,8 @@ .TP .B --clearfrom FILE Use password from FILE instead of generating passwords. Requires -the --crypt -option; may not be used with these options: --chars, --maxchars, --minchars, +the --crypt or the --crypt-md5 +options; may not be used with these options: --chars, --maxchars, --minchars, --count, --string, --nocrypt. Trailing newlines are removed but other white space is not. .TP @@ -94,6 +94,9 @@ .B --crypt Produce encrypted passwords. .TP +.B --crypt-md5 +Produce encrypted passwords using the MD5 digest (hash) algorithm. +.TP .B --cryptsalt N Use crypt() salt N, a positive number <= 4096. If random seeds are desired, specify a zero value (the default). 
@@ -102,10 +105,10 @@ Ignore other operands and produce only a help display. .TP .B --maxchars N -Generate passwords with at most N characters (default = 8). +Generate passwords with at most N characters (default = 10). .TP .B --minchars N -Generate passwords with at least N characters (default = 6). +Generate passwords with at least N characters (default = 8). .TP .B --nocrypt Do not encrypt the generated password(s) (the default). @@ -116,13 +119,17 @@ .B --randomseed N Use random number seed N, between 0 and 2^32 inclusive. A zero value results in a real-random seed. +This generates much less secure passwords than the default; not only does it +generate predictable passwords due to the fixed seed, but the range of +available seeds is 32 bits rather than the default of 256 bits, and cannot +be changed without breaking expectations of previous users of this option. +If possible, do not use this option. .TP .B --rerandom N Set the random seed value every N values used. Specify zero to use a single seed value (the default). Specify one to get true-random -passwords, but plan on hitting the CONTROL key a lot while it's -running. The Linux entropy device is quickly depleted and keystroke -intervals are one source of new randomness. +passwords, though note that doing this too frequently will deplete the +supply of entropy available in the kernel's entropy pool. .TP .B --repeatpass N Use each password N times (4096 maximum, --crypt must be set and @@ -142,9 +149,11 @@ Cooperative IRC network. It may potentially be of use in any situation where passwords must be secure and need not be memorized by humans. +.LP +Colin Watson modified it to use Bytes::Random::Secure. .SH COPYRIGHT .LP -Copyright (c) 1997 by lilo . All rights are +Copyright (c) 1997-1998 by lilo . All rights are reserved by the author. This program may be used under the terms of version 2 of the GNU Public License. .SH "SEE ALSO"
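Review bot: In makepasswd, hunk @@ -115,6 +121,17 @@, the test `$OldClear ne "" and do` reads a variable that no hunk in this patch initialises: the defaults hunk adds `$CryptMd5 = 0;` and `$RNG = undef;` but no `$OldClear = "";`. Whenever --clear is absent the comparison therefore runs against undef. Add `$OldClear = "";` beside `$Clear = "";`, and drop the stray space before the newline in "no longer present \n".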
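Review bot: In makepasswd, hunk @@ -134,10 +151,10 @@, the context line `open CLEARFROM, "$Clear" or do` is a two-argument open on a file name taken from the command line, so leading or trailing mode characters in the --clearfrom value are interpreted by Perl instead of being treated as part of the name. Since this hunk already edits the block and the package depends on perl (>= 5.8), switch to the three-argument form with an explicit '<' mode while here.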
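Review bot: In makepasswd, hunk @@ -441,42 +459,51 @@, the --rerandom help text kept as context still ends with "plan on hitting the CONTROL key a lot while it's running. ;)", although the same hunk deletes the introductory paragraph about tapping CONTROL and the man page hunk replaces that advice with a note about the kernel's entropy pool. Bring the --help wording in line with the new makepasswd.1 text so the two do not contradict each other.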
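Review bot: In makepasswd, hunk @@ -492,7 +519,40 @@, `my $bits = NumBits($range);` over-counts when the range is an exact power of two (a range of 256 gives 9 bits and so draws two bytes per attempt); `NumBits($range - 1)` is enough to cover values 0 through range-1. The rejection against `$max` keeps the result unbiased either way, so this is an efficiency and clarity point. The comment also says n-bit sequences while the code draws whole bytes, and `($bits - 1) / 8 + 1` only works because `use integer` is in effect at the top of the file; say so in the comment.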
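Review bot: In makepasswd, hunk @@ -588,6 +643,82 @@, MakeMd5Salt builds the salt by hashing `time`, `$$`, the password itself and a seed number from 0 to 4095 instead of drawing it from `$RNG`, so the salt is a function of the password and of guessable process state. Consider generating the eight salt characters with Random(0, 63) fed through Md5Base64Char, which uses Bytes::Random::Secure in the default path. Two smaller items in the same hunk: `Digest::MD5->new()` is called but no hunk adds `use Digest::MD5;` (the import hunk adds only `use bytes;` and `use Bytes::Random::Secure;`), and in CryptMd5Password the first `$ThisSeed = Random(0, 4095);` is discarded because the do/until loop immediately draws again.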
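Review bot: In makepasswd, hunk @@ -616,6 +748,12 @@, the call `$CryptedPass = CryptMd5Password($Password);` passes a single argument, so inside CryptMd5Password `$_[1]` is always undefined and `%UsedSeed = ();` runs on every call. The "running list of codes used" described in the sub's header comment never accumulates, which means --repeatpass can emit the same password with a repeated seed. Pass a second argument that is true while the same password is being repeated, or document that uniqueness is not guaranteed for --crypt-md5.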
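Review bot: In makepasswd.1, hunk @@ -72,9 +72,9 @@, the rewritten DESCRIPTION still ends with "encrypt plaintext passwords given on the command line", but this patch makes --clear exit with an error and debian/control now says "given in a temporary file". Change the man page sentence to match, since passing a cleartext password as an argument is exactly what the script no longer allows.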
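Review bot: In makepasswd.1, hunk @@ -116,13 +119,17 @@, the trailing context for --repeatpass still reads "--crypt must be set", while the script and its --help text in this patch accept "--crypt or --crypt-md5". Extend the hunk to update the --repeatpass entry so the manual page matches the option checking.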