topic Re: password validation in Operating System - HP-UX

password validation

KSB_1 — Tue, 27 Apr 2004 16:22:48 GMT

I need to validate a unix system user in a script, against the userid and password pair he/she enters when the script interactively asks but I am not sure how to encrypt the clear password to make the comparison to the encrypted version in the trusted system user database. Script will run with uid-0 privileges, so accessing the file containing the password will not be a problem. But I could not figure out how to encrypt the password.

Any help is greatly appreciated

Re: password validation

Hazem Mahmoud_3 — Tue, 27 Apr 2004 16:45:11 GMT

You can use the C function, crypt() for this. If you have the hp-ux 11i security book by Chris Wong, it goes into this in Chapter 2.

-Hazem

Re: password validation

KSB_1 — Tue, 27 Apr 2004 16:58:54 GMT

unfortuantely I do not have this book and likelihood that I can lay my hands on it is slim to none in the near future.

is there any other way ?

Re: password validation

A. Clay Stephenson — Tue, 27 Apr 2004 17:05:08 GMT

Does a hog like slop?

If you wantr to do this in a scripting language the answer is Perl. Note that the UNIX crypt function is actually a hash so that the process is not reversible. The idea is that you pass in the plaintext passwd as the first argument to crypt and the first two characters (the salt) of the stored passwd hash to the crypt function to produce a new hash. If this hash is identical to the original hash, the passwd's match. Perl's crypt function automatically ignore anything pass the first 2 characters for the salt argument. Man perlfunc and look at the crypt function for more details.

Attached is a 3 minute example. It returns 0 for ok and non-zero for anything else.

pwtest.pl
STAT=${?}
if [[ ${STAT} -eq 0 ]]
then
echo "All ok"
else
echo "You be bad"
fi

Re: password validation

Juergen Tappe — Tue, 27 Apr 2004 17:16:04 GMT

The Script is running with SUID Bit to root - correct ?

In this case here a shell script part, which could solve it:

USER=$(who am i) # should return the real logged in user / not sure if you need to i.e. cut -c1-8
su bin -c "su $user -c \"true\"" ; OK=$?
# as bin the user HAS to enter the password
if [ "$OK" != 0 ]
then
# su failed
echo "Errormessage"
exit 1
fi

# rest of your script

$(logname) can work instead to $(who am i) as well.

Re: password validation

KSB_1 — Tue, 27 Apr 2004 17:35:29 GMT

Thank you.
pwtest.pl did the trick

Re: password validation

doug hosking — Wed, 28 Apr 2004 02:09:32 GMT

Be careful. 'trusted system user database' is a key here. In trusted systems, passwords can be much longer than the usual 8 characters. See the differences between crypt() and bigcrypt().

Re: password validation

KSB_1 — Thu, 29 Apr 2004 13:51:27 GMT

Well, more problems encountered while I was trying to incorporate this into my general solution and I think this is mainly due to my perl instance but not being proficient (read as novice) in perl, I am not sure where to look. Here is the problem :

pwtest.pl is in /usr/contrib/bin as follows :

[/home/mortaluser]$ ll /usr/contrib/bin/pwtest.pl
-rws--x--x 1 root sys 498 Apr 28 11:27 /usr/contrib/bin/pwtest.pl
[/home/mortaluser]$ /usr/contrib/bin/pwtest.pl
YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!
FIX YOUR KERNEL, PUT A C WRAPPER AROUND THIS SCRIPT, OR USE -u AND UNDUMP!

I hopelessly tried to put a shell script like the one below, placed in the same /usr/contrib/bin directory:
[/home/mortaluser]$ cat /usr/contrib/bin/pwtest_wrapper.sh
#!/usr/bin/ksh
#file: pwtest_wrapper.sh

/usr/contrib/bin/pwtest.pl
result=`echo $?`
echo " "

if [ $result -eq 0 ]
then
echo "user validated OK!"
else
echo "user credentials NO GOOD!"
fi

[/home/mortaluser]$ ll /usr/contrib/bin/pwtest_wrapper.sh
-rws--x--x 1 root sys 163 Apr 29 08:38 /usr/contrib/bin/pwtest_wrapper.sh
[/home/mortaluser]$ /usr/contrib/bin/pwtest_wrapper.sh
YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!
FIX YOUR KERNEL, PUT A C WRAPPER AROUND THIS SCRIPT, OR USE -u AND UNDUMP!

I have no clue what this means or how to work around it. Again any help is greatly appreciated in advance.

Also, I will not be able to recompile perl and wreak havoc on already running applications dependent on perl as a side note.

Re: password validation

KSB_1 — Thu, 29 Apr 2004 13:52:58 GMT

before I forget, a kernel change can happen on the day hell freezes over (or at least it seems that far away from today). So whatever bit was not set in kernel and sounds like it can fix my problem is not likely to happen anytime soon.

Re: password validation

A. Clay Stephenson — Thu, 29 Apr 2004 14:00:04 GMT

The "kernel" here does not refer to the system kernel but rather the "kernel" Perl (executable) code. Your mistake was trying to make a Perl script a setuid script. Perl goes to great lengths to not let this work. Bear in mind, setuid for a shell script only has meaning to the shell executable because a shell script is not an executable. Because the passwd file must be readable by all, if all you are trying to do is verify a user then this will work. Get rid of the setuid bit.

I really wish that this feature was not supported in the Shell because it is a glaring security hole.

Re: password validation

doug hosking — Thu, 29 Apr 2004 14:14:40 GMT

Clay, newer HP-UX releases have a kernel tunable called 'secure_sid_scripts' that can be used to control whether setuid scripts are supported. As you note they can be a large security hole. Unfortunately I don't think there has been a PA-RISC release with this but it's in 11.22 and 11.23 and should be in the next version that supports PA-RISC.

Re: password validation

A. Clay Stephenson — Thu, 29 Apr 2004 14:21:03 GMT

Yes, I'm well aware of that; it's just that setuid shell scripts were state-of-the-art stupid from the get-go --- they should have never been allowed. Setuid and setgid programs definitely have their place; that place just shouldn't include scripting languages.