Salt length constraints

[jfoley]

By working with mkpasswd on ubuntu 12.04, I noticed that it doesn't tolerate salt lengths of beyond certain constraints. For example, DES only takes 2-byte salts, and SHA512 can use salts between 8 and 16 bytes in length.

Hence when UnixCrypt is used to generate a password with a salt beyond those limits, the resulting hash is something that is incompatible with Unix password hashes used for login purposes (users, etc).

Other implementations of sha crypt also seem to constrain the number of bytes used in the salt: ftp://ftp.arlut.utexas.edu/pub/java_hashes/SHA-crypt.txt http://www.ic.unicamp.br/~islene/2s2008-mo806/libc/crypt/sha512-crypt.c

The suggestion for this gem is to also bring up this issue either via truncation of salts(like the linked implementations above) or an exception (like mkpasswd). My personal preference would be an exception.

/cc @sergueif

[mogest]

Great suggestion. I've implemented a maximum, and taken the opportunity to do a bit of housekeeping on the code. I haven't implemented a minimum, as I couldn't find anywhere in the spec that said there was one. Do you have any information on this?

[jfoley]

mkpasswd (from the ubuntu whois package) seems to impose a minimum salt length on certain algorithms (8 bytes for sha-512, 2 bytes for the DES, etc). From googling around, it seems to be a very popular implementation, but I'm not sure if the ultimate spec for the algorithm itself (which is probably just the source code for crypt on each linux platform) has such a restriction. Perhaps there is some RFC out there that specifies the behavior?