Network down, IP packets delivered via UPS. -- BOFH excuse #427
Networking is a complex and diverse area of computer science. This page
can only scratch the surface of some essential networking concepts,
aiming to convey enough background knowledge to understand more
specific and thorough articles on the subject matter and to encourage
the reader to explore the vast freely available literature. We cover
the four layers of the TCP/IP interconnection model in some detail
and look at a small subset of networking tools, including SSH. The
chapter concludes with a short overview of the Linux-specific Netlink
SECTION(«Network Layers»)
define(«nl_width», «260»)
define(«nl_height», «200»)
define(«nl_box_width», «100»)
define(«nl_text_offset», «110»)
define(«nl_box_height», «eval((nl_height() - 10) / 5)»)
define(«nl_layer_width», «eval(nl_box_width() / 4)»)
define(«nl_font_size», «15»)
dnl $1: layer (link/internet/transport/application)
dnl $2: box number (0-4), $3: row-span, $4: column-span, $5: color
ifelse(«$1», «link», «x="1"»)
ifelse(«$1», «internet», «x="eval(1 + nl_layer_width())"»)
ifelse(«$1», «transport», «x="eval(1 + nl_layer_width() * 2)"»)
ifelse(«$1», «application», «x="eval(1 + nl_layer_width() * 3)"»)
y="eval($2 * nl_box_height())"
height="eval($3 * nl_box_height())"
width="nl_layer_width()"
dnl $1: box number (see nl_box()), $2: text
y="eval($1 * nl_box_height() + nl_box_height() / 2)"
font-size="nl_font_size()"
width="nl_width()" height="nl_height()"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
nl_box(«link», «0», «1», «#a22»)
nl_box(«link», «1», «3», «#7e5»)
nl_box(«link», «4», «1», «blue»)
nl_box(«internet», «1», «1», «yellow»)
nl_box(«internet», «2», «2», «#7e5»)
nl_box(«transport», «2», «1», «orange»)
nl_box(«transport», «3», «1», «#7e5»)
nl_box(«application», «3», «1», «#7e5»)
nl_text(«0», «Frame Header»)
nl_text(«1», «IP Header»)
nl_text(«2», «TCP/UDP Header»)
nl_text(«4», «Frame Footer»)
<p> The <em> Open Systems Interconnection </em> (OSI) model describes
network communication by subdividing the data flow into <em>
abstraction layers</em>. This model was published as an ISO standard
in 1984 and comprises seven independent layers. A similar model with
only four layers, known as the <em> TCP/IP interconnection model</em>,
was proposed in RFC 1122 (1989). The TCP/IP model does not consider
physical specifications, so it has no counterpart to the <em> physical
layer </em> of the OSI model. Moreover, the three top layers in the
OSI model are not distinguished in the TCP/IP model. </p>
<p> The four layers of the TCP/IP model (<em>link, internet,
transport</em>, and <em> application</em>) are illustrated in the
diagram on the left. The link layer receives the full ethernet frame
(left column). It reads and interprets the frame header (red) and
footer (blue), and regards the remaining part as data (green), to be
passed uninterpreted to the next layer. The internet layer (second
column) expects an IP packet and interprets the first part of the data
as the IP header (yellow). It hands off the rest as a TCP/UDP packet to
the transport layer (third column) which in turn reads and strips off
its header (orange). The application layer only sees the green part in
the fourth column. Each layer is discussed in a dedicated section. </p>
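<p> To make the layering concrete, here is an added C example (not part of
the original page) that strips the headers off a constructed ethernet frame
in the order the diagram shows: link, internet, transport, application. The
frame bytes are constructed for the demonstration, the struct and function
names are the example's own, and the frame is assumed to arrive with its
4 byte check sequence footer still attached, as in the diagram. </p>

```c
#include <stdint.h>
#include <string.h>

enum { ETH_HDR_LEN = 14, ETH_FCS_LEN = 4,		/* dst MAC, src MAC, ethertype; CRC-32 footer */
       ETHERTYPE_IPV4 = 0x0800, PROTO_TCP = 6, PROTO_UDP = 17 };	/* see /etc/protocols */

/* What each layer stripped off, and what it handed to the layer above. */
struct layers {
	uint16_t ethertype, src_port, dst_port;
	uint8_t ttl, ip_proto;
	uint32_t src_ip, dst_ip;
	const uint8_t *payload;		/* the green part of the diagram */
	size_t payload_len, footer_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* RFC 791 header checksum: one's complement of the one's complement sum of the
 * 16 bit words. Over a valid header (checksum field included) the result is 0. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
	uint32_t sum = 0;
	for (size_t i = 0; i < len; i += 2)	/* IP header length is a multiple of 4 */
		sum += rd16(hdr + i);
	while (sum >> 16)			/* fold the carries back in */
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Walk one frame layer by layer. Returns 0 on success, a negative code otherwise. */
int demux_frame(const uint8_t *frame, size_t len, struct layers *out)
{
	memset(out, 0, sizeof(*out));
	/* Link layer: frame header in front (red), footer at the end (blue). */
	if (len < ETH_HDR_LEN + 20 + ETH_FCS_LEN)
		return -1;
	if ((out->ethertype = rd16(frame + 12)) != ETHERTYPE_IPV4)
		return -2;			/* not an IP packet, e.g. ARP */
	const uint8_t *ip = frame + ETH_HDR_LEN;
	/* Internet layer (yellow): version, header length, total length, TTL, protocol. */
	size_t ihl = (ip[0] & 0x0f) * 4, total_len = rd16(ip + 2);
	if (ip[0] >> 4 != 4 || ihl < 20 || total_len < ihl ||
	    total_len > len - ETH_HDR_LEN - ETH_FCS_LEN)
		return -3;
	if (ip_checksum(ip, ihl) != 0)
		return -4;			/* damaged header: the packet is dropped */
	out->ttl = ip[8];
	out->ip_proto = ip[9];			/* the 8 bit protocol number */
	out->src_ip = rd32(ip + 12);
	out->dst_ip = rd32(ip + 16);
	/* Transport layer (orange): TCP and UDP both begin with the two 16 bit ports. */
	const uint8_t *tp = ip + ihl;
	size_t tp_len = total_len - ihl, tp_hdr = 0;
	if (out->ip_proto == PROTO_UDP) {
		if (tp_len < 8 || rd16(tp + 4) != tp_len)
			return -5;		/* UDP length field disagrees with IP */
		tp_hdr = 8;
	} else if (out->ip_proto == PROTO_TCP) {
		if (tp_len < 20 || (tp_hdr = (tp[12] >> 4) * 4) < 20 || tp_hdr > tp_len)
			return -5;		/* data offset is counted in 32 bit words */
	} else {
		return -6;			/* e.g. ICMP: no ports to read */
	}
	out->src_port = rd16(tp);
	out->dst_port = rd16(tp + 2);
	/* Application layer (green): whatever is left after the three headers. */
	out->payload = tp + tp_hdr;
	out->payload_len = tp_len - tp_hdr;
	out->footer_len = len - ETH_HDR_LEN - total_len;	/* FCS plus any padding */
	return 0;
}

/* Constructed sample frame, not a capture: UDP "hello" from 192.168.42.1:40000
 * to 192.168.42.42:53 with a correct IP checksum, followed by a placeholder FCS. */
const uint8_t sample_frame[] = {
	0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,		/* ethernet header */
	0x45,0x00,0x00,0x21, 0x00,0x01,0x00,0x00, 0x40,0x11,0xa5,0x4f,	/* IP header, then */
	0xc0,0xa8,0x2a,0x01, 0xc0,0xa8,0x2a,0x2a,			/* src and dst address */
	0x9c,0x40,0x00,0x35, 0x00,0x0d,0x00,0x00,			/* UDP header */
	'h','e','l','l','o', 0xde,0xad,0xbe,0xef,			/* data, frame footer */
};
const size_t sample_frame_len = sizeof(sample_frame);
```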
<li> RFC is short for <em> Request for Comments</em>. Make yourself
familiar with this concept. </li>
<li> Search the web for "RFC 822" to get an idea how an RFC looks
<li> Discuss the pros and cons of many abstraction layers. </li>
SECTION(«Link Layer»)
<p> The local network connection of a host is called its <em> link</em>.
The <em> link layer </em> is responsible for transmitting packets
between two hosts on the same link, that is, between directly connected
nodes. The link layer includes the protocols which maintain link states
such as the <em> Address Resolution Protocol </em> (ARP). Several
<em> link types </em> exist, the ubiquitous <em> ethernet </em> being
the only one to be discussed here. For ethernet links, the protocol
is specified in terms of the <em> media access control </em> (MAC)
addresses of ethernet frames. </p>
SUBSECTION(«Ethernet Bridging»)
<p> An <em> ethernet bridge </em> connects two or more networks by relaying
ethernet frames between the participating devices. This is described
in an official standard, the first revision of which was published in
1990. This standard can be implemented within a dedicated hardware
device, for example a <em> network switch</em>, or in software as
part of the operating system. Many soft- and hardware implementations
exist, which are compatible with each other as they all implement the
same protocol. Since ethernet bridges operate on the link layer, they
are transparent to higher level protocols like IP. </p>
<p> At the core of each bridge implementation there is the <em> forwarding
database </em> whose entries are indexed by the MAC addresses that have
recently been seen. Each time the bridge receives an ethernet frame,
the destination MAC address is looked up in the database to determine
the device to which the frame should be relayed. If no entry exists,
the frame is sent to <em> all </em> devices except the one it came
from, with the expectation that all devices but one will ignore the
frame. This is called <em> flooding</em>. From the source address
of the (single) reply a new database entry is created. This prevents
further flooding. Entries are removed from the database by aging: If
no frames have been received from a MAC address for the duration of a
time interval called <em> aging time</em>, the entry is removed from
<p> The Linux ethernet bridge implementation dates back to 1999. Two
different tools are available to create and configure bridges: <code>
brctl(8) </code> and <code> bridge(8)</code>. The exercises of this
section aim to get the reader started with both tools. </p>
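<p> The following C model (an added example, not code from the page or from
the Linux bridge) implements the forwarding database as described above:
learning from source addresses, flooding unknown destinations, and aging.
Table size, port numbering and the 300 second aging time are the example's
own choices. </p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FDB_SIZE	64
#define AGING_TIME	300	/* seconds; the usual default, counted down by "brctl showmacs" */
#define BR_FLOOD	-1	/* pseudo port: every port except the one the frame came in on */
#define BR_DROP		-2	/* destination is on the ingress segment already */

struct fdb_entry {
	uint8_t mac[6];
	int port, used;		/* bridge port the address was last seen on */
	unsigned last_seen;	/* time of that frame, in seconds */
};
struct bridge {
	struct fdb_entry fdb[FDB_SIZE];
	unsigned aging_time;
};

void bridge_init(struct bridge *br, unsigned aging_time)
{
	memset(br, 0, sizeof(*br));
	br->aging_time = aging_time;
}

/* Aging: forget addresses that have been silent for aging_time or longer. */
void fdb_age(struct bridge *br, unsigned now)
{
	for (int i = 0; i < FDB_SIZE; i++)
		if (br->fdb[i].used && now - br->fdb[i].last_seen >= br->aging_time)
			br->fdb[i].used = 0;
}

static struct fdb_entry *fdb_find(struct bridge *br, const uint8_t *mac)
{
	for (int i = 0; i < FDB_SIZE; i++)
		if (br->fdb[i].used && memcmp(br->fdb[i].mac, mac, 6) == 0)
			return &br->fdb[i];
	return NULL;
}

/* Learning: record the ingress port of the source address. A known address seen
 * on another port moves the entry, so the table follows a host that is re-plugged,
 * but equally any device that sends frames with a forged source address. */
static void fdb_learn(struct bridge *br, const uint8_t *mac, int port, unsigned now)
{
	struct fdb_entry *e = fdb_find(br, mac);
	for (int i = 0; !e && i < FDB_SIZE; i++)
		if (!br->fdb[i].used) {
			e = &br->fdb[i];
			memcpy(e->mac, mac, 6);
			e->used = 1;
		}
	if (!e)
		return;		/* table full: frames to this address keep being flooded */
	e->port = port;
	e->last_seen = now;
}

/* Handle one frame arriving on in_port. Returns the egress port, BR_FLOOD or BR_DROP. */
int bridge_receive(struct bridge *br, int in_port, const uint8_t *src,
		   const uint8_t *dst, unsigned now)
{
	fdb_age(br, now);
	fdb_learn(br, src, in_port, now);
	if (dst[0] & 1)		/* broadcast and multicast are always flooded */
		return BR_FLOOD;
	struct fdb_entry *e = fdb_find(br, dst);
	if (!e)
		return BR_FLOOD;	/* unknown destination: flood and wait for the reply */
	return e->port == in_port ? BR_DROP : e->port;
}

int main(void)
{
	/* Constructed demo: host A on port 1 talks to host B on port 2. */
	const uint8_t a[6] = { 2, 0, 0, 0, 0, 0xaa }, b[6] = { 2, 0, 0, 0, 0, 0xbb };
	struct bridge br;
	bridge_init(&br, AGING_TIME);
	int r1 = bridge_receive(&br, 1, a, b, 0);		/* B unknown: flooded */
	int r2 = bridge_receive(&br, 2, b, a, 1);		/* reply: A was learned on port 1 */
	int r3 = bridge_receive(&br, 1, a, b, 2);		/* both known: port 2 */
	int r4 = bridge_receive(&br, 1, a, b, 2 + AGING_TIME);	/* B aged out: flooded */
	printf("%d %d %d %d\n", r1, r2, r3, r4);
	return 0;
}
```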
SUBSECTION(«Virtual Ethernet Interfaces»)
<p> A bridge can accommodate physical devices as well as virtual
devices. On Linux systems the common approach to equip virtual machines
with network interfaces employs the <em>virtual ethernet</em> device
driver, veth. This driver provides virtual pairs of devices where
each pair represents an ethernet tunnel. Ethernet frames received
by one end appear on its peer. To set up the network interface for
a virtual machine, one end of the pair is added to a bridge on the
host system while the other end represents the ethernet device of
the virtual machine. </p>
<li> Determine the MAC address of the first ethernet device of your
<li> How many times faster has ethernet become since its first protocol
version that supported a transfer rate of 2.94 Mbit/s in 1973? </li>
<li> Explain why bridges cannot be detected by tools like <code>
traceroute(1) </code> or <code> tracepath(8)</code>. </li>
<li> Hardware ethernet bridges are called switches because they
relay ethernet frames by using a technique called <em> packet
switching</em>. Define this term. </li>
<li> The <code> arp(8) </code> command prints the kernel's network
neighbour cache. Explain the purpose of this cache and the difference
from the forwarding database of an ethernet bridge. </li>
<li> Network devices can be set into <em> promiscuous
mode</em>. Explain what this means, why interfaces which belong
to an ethernet bridge need to be set into promiscuous mode,
and the consequences of this fact. </li>
<li> On your local computer, shut down the <code> eth0 </code>
interface, create a bridge and add <code> eth0 </code> to the bridge.
Then configure the bridge device in the same way the physical interface
was configured before. Run <code>brctl showmacs </code> to see MAC
addresses and the aging timer. </li>
<li> Create a virtual ethernet pair by running <code> ip link add v1
type veth peer name v2</code> and bring up the two interfaces with
<code> ip link set up v1 </code> and similar for <code> v2</code>. Add
the <code> v1 </code> end to the bridge. Configure an IP address on
the <code> v2 </code> end of the pair (<code>ip addr add 192.168.42.42
dev v2</code>). Add an entry for the IP routing table with <code>
ip route add 192.168.42.42/32 dev v2</code>. Start the <code> nc(1)
</code> tool in listening mode and send IP traffic through the bridge
by starting <code> nc(1) </code> a second time to connect to <code>
192.168.42.42</code>. </li>
<li> Recall how the <em> spanning tree algorithm</em> works. Explain
how the spanning tree algorithm is employed in the <em> spanning
tree protocol </em> (STP). Name two reasons for activating STP in a
<li> The <em> rapid spanning tree protocol </em> (RSTP) is the
successor of the traditional STP. Explain the difference between the
<li> In each bridged network, there is one bridge which
plays a special role: the so-called <em> root bridge</em>.
Explain the purpose of the root bridge and how it is determined
among the bridges of the network. </li>
<li> Linux offers two different tools to configure ethernet bridges:
<code> brctl(8) </code> and <code> bridge(8)</code>. Compare the
feature sets of these tools. </li>
SECTION(«Internet Layer»)
<p> These days the term "internet" has acquired a rather broad meaning
in that it refers to all kinds of network services. However, in
the context of the TCP/IP interconnection model, the <em> internet
layer </em> is named aptly because its purpose is to send packets
across different networks, thereby enabling inter-networking. More
precisely, packets are <em> routed </em> from the source network to
the destination network, where both networks are identified by <em>
IP interface addresses</em>. Although both the prevalent IPv4 and the
next-generation IPv6 variant are being deployed actively worldwide,
we shall only discuss IPv4 here. </p>
<p> The first part of each IP packet is the <em> IP header</em>, which is
usually 20 byte long. Besides the source and destination addresses,
it contains an 8 bit protocol number which refers to the data portion
<p> IP only provides an <em> unreliable </em> datagram transmission
facility, which means that packets may be lost, arrive multiple times,
or out of order. Moreover, packets can be fragmented or defragmented. </p>
SUBSECTION(«Network Address Translation (NAT)»)
<p> IP addresses are a global resource, so each address must only be
assigned to at most one device. The <em>Internet Assigned Numbers
Authority</em> (IANA) coordinates who is entitled to use any given
range of IPv4 addresses. However, a number of IP ranges, for example the
ranges 10.0.0.0-10.255.255.255 and 192.168.0.0-192.168.255.255, are
reserved for local use only so that these addresses can be assigned
in multiple local networks without interfering with each other. </p>
<p> In a network which contains only local addresses, the devices
can communicate with each other, but they will not be able to access
public world-wide services. To illustrate how NAT works around this
restriction, consider a desktop computer in a local network which
intends to perform a web search by contacting a public web server
which is <em>not</em> a member of the local network. </p>
<p> The desktop is configured to route packets which are not
destined for the local network through a dedicated machine, called
the <em>router</em>. The router has two IP addresses: one address
in the local network and a public NAT address. As traffic passes
from the desktop through the router to the web server, the router
alters the source address of each IP packet (the local address of the
desktop) to the public NAT address of the router, and keeps track of
all connections forwarded in this way. When a reply arrives at the router,
it uses the connection tracking data stored during the outbound phase
to determine the address in the local network to which to forward the
reply. This time the router alters the <em>destination</em> address
of the packet to the local address of the desktop and forwards the
packet to the desktop via the local network. </p>
<p> NAT can be seen as providing a kind of privacy mechanism because
machines on the internet cannot monitor which hosts are sending and
receiving traffic. They only see the NAT address. NAT also has
downsides, though: pinpointing the source of a problem becomes harder,
and encryption becomes more difficult. For example, you cannot encrypt
the IP address because the router must be able to change it. </p>
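<p> As an added example (not from the page), here is a C model of the
connection tracking the router performs: outbound packets get their source
rewritten and recorded, inbound packets are matched against the record or
dropped. It goes one step beyond the text by also rewriting the source port
when two inside hosts would otherwise collide on the public address, as
real NAT routers do; addresses, names and the table size are constructed
for the demonstration. </p>

```c
#include <stdint.h>
#include <string.h>
#define CT_SIZE 16	/* connections the demo router can track at once */

/* Addressing fields of a TCP or UDP packet; nothing else matters for the translation. */
struct pkt {
	uint32_t src_ip, dst_ip;
	uint16_t src_port, dst_port;
};
/* One tracked connection: which inside host opened it, to whom, under which public port. */
struct ct_entry {
	uint32_t local_ip, remote_ip;
	uint16_t local_port, remote_port, nat_port;
	int used;
};
struct nat_router {
	uint32_t public_ip;		/* the router's address on the public side */
	uint16_t next_port;		/* next public port handed out on a collision */
	struct ct_entry ct[CT_SIZE];
};

void nat_init(struct nat_router *r, uint32_t public_ip)
{
	memset(r, 0, sizeof(*r));
	r->public_ip = public_ip;
	r->next_port = 40000;
}

static int nat_port_taken(const struct nat_router *r, uint16_t port, const struct pkt *p)
{
	for (int i = 0; i < CT_SIZE; i++)
		if (r->ct[i].used && r->ct[i].nat_port == port &&
		    r->ct[i].remote_ip == p->dst_ip && r->ct[i].remote_port == p->dst_port)
			return 1;
	return 0;
}

/* Desktop -> web server: record the connection, then replace the source address by
 * the public one. The source port is kept unless another inside host already uses
 * it towards the same server; a fresh public port then keeps the replies apart. */
int nat_outbound(struct nat_router *r, struct pkt *p)
{
	struct ct_entry *e = NULL, *slot = NULL;
	for (int i = 0; i < CT_SIZE && !e; i++) {
		struct ct_entry *c = &r->ct[i];
		if (!c->used)
			slot = slot ? slot : c;
		else if (c->local_ip == p->src_ip && c->local_port == p->src_port &&
			 c->remote_ip == p->dst_ip && c->remote_port == p->dst_port)
			e = c;
	}
	if (!e) {
		if (!slot)
			return -1;	/* tracking table full: the packet cannot be forwarded */
		uint16_t port = p->src_port;
		while (nat_port_taken(r, port, p))
			port = r->next_port++;
		*slot = (struct ct_entry){ .local_ip = p->src_ip, .local_port = p->src_port,
			.remote_ip = p->dst_ip, .remote_port = p->dst_port, .nat_port = port, .used = 1 };
		e = slot;
	}
	p->src_ip = r->public_ip;
	p->src_port = e->nat_port;
	return 0;
}

/* Web server -> desktop: only a packet that matches a tracked connection has its
 * destination rewritten to the inside host; anything unsolicited is dropped. */
int nat_inbound(struct nat_router *r, struct pkt *p)
{
	if (p->dst_ip != r->public_ip)
		return -1;
	for (int i = 0; i < CT_SIZE; i++) {
		struct ct_entry *c = &r->ct[i];
		if (c->used && c->nat_port == p->dst_port &&
		    c->remote_ip == p->src_ip && c->remote_port == p->src_port) {
			p->dst_ip = c->local_ip;
			p->dst_port = c->local_port;
			return 0;
		}
	}
	return -1;	/* no matching connection: drop */
}
```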
<li> How many different IPv4 addresses exist? </li>
<li> What is the difference between the <em> maximum transmission
unit </em> (MTU) and the <em> path MTU</em>? </li>
<li> Describe the purpose of the <em> Internet Control Message Protocol
</em> (ICMP) and its relationship to IP. </li>
<li> Byte 9 of the header of an IP packet is the so-called <em>
time to live </em> (TTL) field, which is initially set to 64 by
the sender. Explain the purpose of this field. </li>
<li> Explain the connection between the TTL and the <em> Internet
Control Message Protocol </em> (ICMP). </li>
<li> What is a netmask in an IPv4 network? What is the purpose of the
netmask? Why is the network part of an IP address also called <em>
routing prefix</em>? </li>
<li> On any host, run <code> ifconfig </code> and <code> ip addr
show</code>. Both commands print the netmask of each network, but
in different ways. Explain which part of the output of the <code>
ip </code> command contains the netmask. </li>
Discuss the security implications of network services which are based
on MAC addresses or IP addresses alone.
Both the IP address and the MAC address are trivial to fake. So they
should never be used to authenticate a user or a device on a network
to which potential attackers have physical access, i.e., untrusted
devices can be connected.
Run <code> tracepath wikipedia.org</code>. Explain how this command
works and how it can be used to identify networking problems.
SECTION(«Transport Layer»)
<p> The protocols of the transport layer provide message transfer
services which are on one hand independent of the underlying network
type, and on the other hand independent of the application. Different
network services running on the same host are distinguished by
<em>port numbers</em>, which are 16 bit identifiers. Several well
known port numbers are associated with specific applications.
The two dominant transport layer protocols on top of IP, TCP and UDP,
are discussed in the following subsections. </p>
SUBSECTION(«The User Datagram Protocol»)
<p> The <em> User Datagram Protocol </em> (UDP) is the simplest
transport-layer protocol, built as a thin layer on top of IP. For this
reason, it offers only the same best-effort service as IP itself. For
example, there is no detection of duplicate or reordered packets, and
no protection against packet loss or network congestion. However,
UDP generates checksums to catch transmission errors. Being a
connectionless protocol, only minimal internal state about the
connection is maintained. This makes UDP suitable for applications
which need to avoid the overhead of setting up a TCP connection, or
in situations where on-time arrival is more important than reliability. </p>
SUBSECTION(«The Transmission Control Protocol»)
<p> The <em> Transmission Control Protocol </em> (TCP) provides reliable,
ordered delivery of a stream and a classic window-based congestion
control. In contrast to UDP, TCP provides a stream which is independent
of any packet boundaries. TCP is used extensively by many applications.
Besides HTTP (the Hypertext Transfer Protocol), FTP (the File
Transfer Protocol), SMTP (the Simple Mail Transfer Protocol) and SSH
(Secure Shell) also sit on top of TCP. </p>
<li> Check <code> /etc/services </code> and find the TCP port
numbers for http (web), ssh and smtp (email). </li>
<li> Run <code> ls /proc/sys/net/ipv4/udp* </code> and <code> ls
/proc/sys/net/ipv4/tcp* </code> to see the available UDP and TCP
parameter settings, and to compare the complexity of UDP and TCP. </li>
<li> Run <code> netstat -pant </code> to see active TCP sockets. </li>
<li> Run <code> nmap localhost </code> to determine the listening
<li> Run netcat in TCP listening mode: <code> nc -l $((19853 +
UID))</code>. Invite your neighbour to chat with you by connecting
to your netcat process. </li>
<li> Read section 3.1 of RFC 793 (Transmission Control Protocol,
1981) to get an idea of the format of a TCP header, particularly the
control bits called ACK, RST, SYN and FIN. </li>
<li> The name "SYN" for one of the control bits of the TCP header
stands for <em> synchronize</em>. What is being synchronized when
this bit is set? And why does it need to be synchronous in the first
<li> Make yourself familiar with the 3-way TCP handshake also described
in RFC 793. Why is it called a 3-way handshake? </li>
<li> Run <code> ip tcpmetrics </code> to see recent TCP peers and
discuss the output. </li>
<li> UDP is said to be <em> datagram-oriented</em> while TCP is <em>
stream-oriented</em>. Define both terms and explain the implications
for application writers. </li>
<li> Explain how TCP achieves its goal of controlling the transmission
<li> Explain how the "SYN flooding" denial-of-service attack works and
how SYN cookies mitigate this attack. </li>
<li> Explain the idea behind TFO (TCP fast open). </li>
<li> In contrast to TCP, UDP is a <em> connectionless </em> protocol. In
particular, there is no handshake necessary to establish a
connection. Describe the pros and cons of this fact. </li>
<li> Explain, in no more than two sentences, the idea behind a port
<li> What's a half-open TCP connection? What's a half-open TCP
port scan? Explain why half-open TCP port scans are reasonably
<li> Express your opinion on whether performing an unsolicited TCP
port scan should be considered a criminal act. </li>
SECTION(«Application Layer»)
<p> Application layer protocols define how the server side of
a network service communicates with clients that connect to the
server by connecting to a specific TCP or UDP port. Services are often
associated with port numbers which can be registered at the IANA. </p>
<p> Examples for application layer protocols which are employed on top of
TCP are the <em> Hypertext Transfer Protocol </em> (HTTP, port 80)
and the <em> Secure Shell Protocol </em> (SSH, port 22). On top of
UDP sit the <em> Domain Name System </em> (DNS, port 53), the <em>
Dynamic Host Configuration Protocol </em> (DHCP, ports 67 and 68)
and the <em> Network Time Protocol </em> (NTP, port 123). </p>
<p> We won't discuss any specific application layer protocols here. Instead,
we look at some client programs. </p>
SUBSECTION(«The Name Service Switch»)
<p> Every Unix system needs a couple of (usually small) system databases
for proper operation. Besides the user database, there are other
databases for Unix group membership, the known hosts, network
protocols, and more. Traditionally, there was only a single source for
this information in the form of a configuration file per database, for
example <code> /etc/hosts</code> for the hosts database. The format of
each database file is described in the POSIX standard and in section
5 of the user manuals. This approach works well if the databases
and the number of hosts which need to share the same databases are
small. Larger organizations, however, have a need to maintain this
information centrally by means of some network service. The <em>
Lightweight Directory Access Protocol </em> (LDAP) and the <em>
Domain Name System </em> (DNS) are popular choices for the user
and the host/domain databases. Often the entries of the centralized
network database have to be merged with the entries of the local file
in <code> /etc</code>. This calls for a flexible method which lets the
administrator specify the sources of information and the search order.
Sun Microsystems came up with a clean solution to this problem named
<em> Name Service Switch </em> (NSS) for the Solaris operating system.
This solution was ported to most other Unix operating systems. The
implementation used on GNU/Linux systems is part of the <em> GNU
C Library </em> (glibc). The central configuration file for NSS is
<code> /etc/nsswitch.conf</code>. </p>
SUBSECTION(«Advanced SSH Features»)
<p> SSH, the <em> secure shell</em>, is a popular client/server software
package for logging into a remote machine. The name is a little
misleading, though. For one, SSH is not a shell; it merely provides
a method to <em> run </em> a shell. Second, it can do much more than
just log in and start the shell. It features a secure encrypted
communication channel between two hosts, and this channel can be
utilized in interesting ways on both ends. In the exercises we look
at TCP port forwarding, some useful configuration options, and public
key authentication. </p>
<li> Inspect <code> /etc/resolv.conf </code> to get the IP address
of your nameserver(s). Then run <code> dig @$IP $DOMAIN MX </code>
where <code> $IP </code> is the nameserver IP address, and <code>
$DOMAIN </code> is the domain of your email address, e.g. <code>
tuebingen.mpg.de</code>. Determine the hostname of the mail server
from the output and run <code> nc $MAILHOST 25 </code> to send a mail
to yourself. Hint: <code> HELO $MAILHOST</code>, <code> mail from:
&lt;$LOGNAME@$DOMAIN&gt;</code>, <code> rcpt to: &lt;$LOGNAME@$DOMAIN&gt;</code>,
<code> data</code>. </li>
<li> Edit <code> /etc/passwd</code>, <code> /etc/shadow</code>,
and <code> /etc/group </code> to manually create a user account.
Use the <a href="«#»cryptout.c">cryptout</a> program below to
generate the second field of <code> /etc/shadow </code> containing
the encrypted password. </li>
<li> Understand the <code> hosts </code> line in <code>
/etc/nsswitch.conf</code>. </li>
<li> Does <code> host $HOSTNAME </code> always print the same IPv4
address as <code> ping $HOSTNAME</code>? </li>
<li> Run <code> nc localhost 22 </code> to determine the SSH server
<li> Forward the TCP port 12345 of your local machine to an
internal server using ssh's <code> -L </code> option for local port
forwarding. Check that you can log in with <code> ssh -p 12345
localhost</code>. </li>
<li> Search the <code>ssh_config(5)</code> man page for <code>
NoHostAuthenticationForLocalhost </code> and ponder if it is a good
idea to set this to <code> yes</code>. </li>
<li> Add <code> Host </code> and <code> Hostname </code> entries
to your ssh config file so that you can log in with <code> ssh
hostname</code>, even though <code> hostname </code> does not resolve
on your local network. </li>
<li> Create an ssh key pair and add the public part so that you can
log in without specifying a password. Discuss the security implications
<li> In an ssh session, type <code> ~C </code> to open the ssh command
prompt. Use a suitable <code> -L </code> command to add a local port
forward to the existing connection. Type <code> ~? </code> to see
the available escape sequences. </li>
<li> Add the lines <code> Host *.eb.local </code> and <code> ProxyJump
cgw.tuebingen.mpg.de </code> to your ssh config file. Then type <code>
ssh olt.eb.local</code>. Check <code> ssh(1) </code> to learn how
Explain the difference between local and remote port forwarding. Give
a typical example for either type of forwarding.
SECTION(«The Netlink Messaging System»)
<p> The various layers and protocols discussed earlier in this chapter
dealt with the communication between hosts which are connected by
a network. The Linux-specific <em>Netlink Interface</em>, however,
does not fit into this picture because it is a messaging system
for passing network-related information between the kernel and a
user space program, and vice-versa. Among other uses, tools like
<code>ip(8)</code> and <code>ifconfig(8)</code> employ Netlink
to configure network devices. Netlink is implemented on top of the
socket infrastructure, so the communication link between a user space
program and the kernel is established by means of the usual system calls
<code>socket(2)</code>, <code>bind(2)</code>, <code>connect(2)</code>,
and messages are transferred by calling <code>sendmsg(2)</code>
and <code>recvmsg(2)</code>. </p>
<p> There are several <em>netlink families</em> which select the
kernel subsystem to communicate with. We shall only be concerned
with the <code>NETLINK_ROUTE</code> family, which is used to
modify network routes, IP addresses, and more. The details of
<code>NETLINK_ROUTE</code> are described in <code>rtnetlink(7)</code>
while <code>netlink(7)</code> covers the general interface and the
currently assigned families. </p>
<p> A Netlink message starts with a 16 byte header as defined by
<code>struct nlmsghdr</code>. To report errors to userspace, Netlink
provides a message type that encapsulates an error header defined
by <code>struct nlmsgerr</code>. Both structures are declared
in <code>include/linux/netlink.h</code>. Full Netlink messages,
including the Netlink header, are transferred. Therefore the user space
program has to implement a parser for both regular Netlink messages
and Netlink error messages, as well as a primitive for setting up
properly formatted Netlink messages to be sent to the kernel. Several
user space libraries aim to help the programmer with this repetitive
and error-prone task, the <em>minimalistic Netlink library</em>
(libmnl) being the most popular one. </p>
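<p> As an added example (not from the page or from libmnl), the following
C code implements the two primitives just described: it builds Netlink
messages with a properly aligned header and parses a received buffer,
including the NLMSG_ERROR type that wraps <code>struct nlmsgerr</code>.
The header layouts follow <code>include/linux/netlink.h</code>; the reply
buffer is constructed for the demonstration and the function names are the
example's own. </p>

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* The two header layouts from include/linux/netlink.h, spelled out here so the
 * example also compiles where that header is absent. */
struct nlmsghdr {
	uint32_t nlmsg_len;	/* length of the message, header included */
	uint16_t nlmsg_type;	/* NLMSG_ERROR, NLMSG_DONE, RTM_GETLINK, ... */
	uint16_t nlmsg_flags;	/* NLM_F_REQUEST, NLM_F_ACK, NLM_F_MULTI, ... */
	uint32_t nlmsg_seq;	/* chosen by the sender, echoed in the reply */
	uint32_t nlmsg_pid;	/* port id of the sender, 0 for the kernel */
};
struct nlmsgerr {
	int32_t error;		/* 0 for an acknowledgement, else a negative errno */
	struct nlmsghdr msg;	/* header of the request that caused the reply */
};
#define NLMSG_ALIGNTO	4u
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_HDRLEN	((uint32_t)NLMSG_ALIGN(sizeof(struct nlmsghdr)))
#define NLMSG_ERROR	0x2
#define NLMSG_DONE	0x3
#define NLM_F_REQUEST	0x01
#define NLM_F_ACK	0x04
#define RTM_GETLINK	18	/* from rtnetlink(7) */

/* Append one message to buf. Returns the bytes used (padded to 4), or 0 if it does not fit. */
size_t nl_put_msg(uint8_t *buf, size_t cap, uint16_t type, uint16_t flags,
		  uint32_t seq, const void *payload, size_t plen)
{
	struct nlmsghdr h = { .nlmsg_len = NLMSG_HDRLEN + (uint32_t)plen, .nlmsg_type = type,
			      .nlmsg_flags = flags, .nlmsg_seq = seq, .nlmsg_pid = 0 };
	size_t total = NLMSG_ALIGN(h.nlmsg_len);
	if (total > cap)
		return 0;
	memset(buf, 0, total);			/* zero the alignment padding as well */
	memcpy(buf, &h, sizeof(h));
	if (plen)
		memcpy(buf + NLMSG_HDRLEN, payload, plen);
	return total;
}

/* Walk a buffer filled by recvmsg(2). Every length field is checked against the
 * bytes actually received before anything behind it is read. Returns the number
 * of messages, or -1 for a malformed buffer. *err becomes the code carried by the
 * first NLMSG_ERROR (0 means the request was acknowledged), or 1 if none was seen. */
int nl_parse(const uint8_t *buf, size_t len, int32_t *err)
{
	int count = 0;
	*err = 1;
	while (len >= NLMSG_HDRLEN) {
		struct nlmsghdr h;
		memcpy(&h, buf, sizeof(h));	/* no unaligned access into buf */
		if (h.nlmsg_len < NLMSG_HDRLEN || h.nlmsg_len > len)
			return -1;		/* truncated, or a length field that lies */
		count++;
		if (h.nlmsg_type == NLMSG_ERROR) {
			struct nlmsgerr e;
			if (h.nlmsg_len < NLMSG_HDRLEN + sizeof(e))
				return -1;
			memcpy(&e, buf + NLMSG_HDRLEN, sizeof(e));
			if (*err == 1)
				*err = e.error;
		}
		if (h.nlmsg_type == NLMSG_DONE || NLMSG_ALIGN(h.nlmsg_len) >= len)
			break;			/* end of dump, or last message without padding */
		buf += NLMSG_ALIGN(h.nlmsg_len);
		len -= NLMSG_ALIGN(h.nlmsg_len);
	}
	return count;
}

/* Constructed reply buffer (not captured from a kernel) with two messages: an
 * NLMSG_ERROR carrying -ENODEV and the failed request header, then an NLMSG_DONE. */
size_t build_sample_reply(uint8_t *buf, size_t cap, uint32_t seq)
{
	struct nlmsgerr e = { .error = -19 /* -ENODEV */, .msg = { NLMSG_HDRLEN,
			      RTM_GETLINK, NLM_F_REQUEST | NLM_F_ACK, seq, 0 } };
	size_t n = nl_put_msg(buf, cap, NLMSG_ERROR, 0, seq, &e, sizeof(e));
	size_t m = n ? nl_put_msg(buf + n, cap - n, NLMSG_DONE, 0, seq, NULL, 0) : 0;
	return m ? n + m : 0;
}
```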
SUBSECTION(«cryptout.c»)
#include <stdlib.h>
#include <crypt.h>
#include <stdio.h>
#include <sys/random.h>

/* The 64 characters allowed in a crypt(3) salt; "& 63" below indexes exactly this set. */
static const char set[] =
	"abcdefghijklmnopqrstuvwxyz"
	"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	"0123456789./";

int main(int argc, char **argv)
{
	unsigned char rnd[2];
	char salt[3], *result;	/* crypt() expects a NUL-terminated salt */

	if (argc != 2) {
		fprintf(stderr, "usage: %s PASSWORD\n", argv[0]);
		exit(EXIT_FAILURE);
	}
	if (getrandom(rnd, 2, 0) < 0) {	/* salt from the kernel's random pool */
		perror("getrandom");
		exit(EXIT_FAILURE);
	}
	salt[0] = set[rnd[0] & 63];
	salt[1] = set[rnd[1] & 63];
	salt[2] = '\0';
	/* A two-character salt selects the legacy DES scheme (12 bit salt, password
	 * truncated to 8 characters); current systems prefer a "$6$..." salt, see crypt(3). */
	result = crypt(argv[1], salt);
	if (!result) {
		perror("crypt");
		exit(EXIT_FAILURE);
	}
	printf("%s\n", result);
	return EXIT_SUCCESS;
}