topic Re: modprpw - with SUPPLIED password in Operating System - HP-UX

modprpw - with SUPPLIED password

Mike_316 — Thu, 19 Dec 2002 16:34:41 GMT

Hey Gang,

I am trying to find a way (anyway really) to automatically change user account passwords to a specific password.

We have been using "modprpw -x" to expire an accounts password and assign a new RANDOM password. Ideally, I would love to find a way to use "modprpw" to change the password, however have the password changed to a SUPPLIED password.

I am willing to change and re-compile c code if necessary (I.E. encrypt.c, or use rsa.h, or whatever.)

It WILL NOT work to have the password changed to random and the user change the password when he/she logs in. These are accounts used by multiple people and (thus the rub) they are NOT allowed to change it (which is why we need to supply a password and have it automatically changed.)

There are a number of accounts, so changing the password manually would be a poor solution.

HELP! and thanks as always!

Mike

Re: modprpw - with SUPPLIED password

Paul Sperry — Thu, 19 Dec 2002 16:58:03 GMT

cat userinfo |while read line
do
USER=$(echo $line|awk '{FS=":";print $1}')
PASS=$(echo $line|awk '{FS=":";print $2}')
/usr/sam/lbin/usermod.sam -p`echo "$PASS"` $USER
done

userinfo file would look like:
user1:password1
user2:password2
.
.
.

Re: modprpw - with SUPPLIED password

Mike_316 — Thu, 19 Dec 2002 19:16:33 GMT

Hey!

Thanks for the info. Running into a snag however. We are using RSA on this box. Therefore, when I run the "/usr/sam/lbin/usermod.sam -p" command, it DOES change the password in the "/tcb/files/auth//" file...however the account cannot log in.

What appears to be happening is, when I use the "/usr/sam/lbin/usermod.sam -p" command, it appears to enter whatever I give it as the password parameter into the "/tcb/files/auth//" file verbatim...however if I use the "passwd " command (with the same password) and then check the "/tcb/files/auth//" file, it has what appears to be the encrypted version of the password entered there.

I am thinking I need to encrypt the password (according to the requirements of RSA and HPUX 11) and then offer the encrypted version of the password to the "/usr/sam/lbin/usermod.sam -p" command.

Does anyone know how to do this??

Thanks!

Mike

Re: modprpw - with SUPPLIED password

Rajeev Shukla — Thu, 19 Dec 2002 23:18:26 GMT

Yes mike when you use /usr/sam/lbin/usermod.sam -p username
It puts the same passwd(without encryption) into /tcb/files/auth/...username.
To get rid of this use a c program and by using crypt library you can encrypt the password and then use that in conjunction with usermod.sam.
It will definately work.
Let me know if you want that C program...I have written one.

Cheers
Rajeev

Re: modprpw - with SUPPLIED password

Mike_316 — Thu, 19 Dec 2002 23:51:48 GMT

Hey Rajeev,

Thanks for the confirmation! I woudl DEFINITELY like that C program. I have been looking all over for one, and cannot find one which will do the job.

Can you just list the code here, on the forum? I should be able to cut, paste and can compile it on my machine.

Thanks! I greatly appreciate it!!
Mike

Re: modprpw - with SUPPLIED password

Rajeev Shukla — Fri, 20 Dec 2002 00:06:46 GMT

Yes mike,

#include
#include
#include
char *pass;
char *s = "JQ";
char *p = "hello123"; /* The password to be set */
main()
{
/* p = getpass(); Uncomment this line if you want password to be asked */
pass = crypt(p,s);
printf("%s\n", pass);
}

This is the program when you compile it and run it gives you an encrypted password which you can either paste in /tcb...or you can use /usr/sam/lbin/usermod.sam -p username.

Note this sets the password to "hello123" but if you want to provide the password uncomment the "getpass()" line. and when u run the program it will ask you to privide password which is not echoed and then after u press enter it give you the encrypted password.

Let me know how it goes.

Rajeev

Re: modprpw - with SUPPLIED password

Mike_316 — Fri, 20 Dec 2002 00:16:14 GMT

Thanks Rajeev !!

It compiled easily. I do have one additional question, not really being a C programmer. How would I change the code to allow the unencrypted password to be passed to the compiled encryption program.

Basically, I will be writing a fully automated script which will pull a non-encrypted password out of a file, pass it to the encryption program, take the encrypted return and change the password for the account using the usermod.sam command.

Thanks again! This has been a lifesaver!

Mike

Re: modprpw - with SUPPLIED password

Mike_316 — Fri, 20 Dec 2002 00:23:56 GMT

P.S. When I uncomment the getpass line I get a "too few arguments for ." error. ???

Like I said, not really a C programmer.

Thanks!

Mike

Re: modprpw - with SUPPLIED password

Bill Hassell — Fri, 20 Dec 2002 01:25:29 GMT

Here's a simple C program that uses the command line for input and produces the encrypted password with a random seed (first 2 chars):

#include
#include

/* 1st param is the desired password */
/* A random seed (2 chars) will be */
/* automatically chosen. */
/* For good passwords: */
/* Use random chars, mixed apha- */
/* numerics and MiXeD CaSe for */
/* better protection. */

main(argc, argv)
int argc;
char *argv[];
{

char salt[3];
char *EncryptedPasswd;
int CheckRand;
int Fixup;
int SeedChar;

printf("\nUsage: pw \n\n");

/* Generate a random starting point for seed charcaters */

srand(time(NULL));
for ( SeedChar = 0; SeedChar <= 1; SeedChar++) {
CheckRand = 46 + rand() % 76; /* random number from 46 to 122 */
Fixup = 7 + rand() % 13; /* random number from 7 to 20 */
salt[SeedChar] = toascii(((CheckRand >= 58 && CheckRand <= 64) ||
(CheckRand >= 91 && CheckRand <= 96) ? CheckRand + Fixup : CheckRand));
}

EncryptedPasswd=crypt(argv[1], salt);
printf("\nRequested pw= %s, Automatic Seed= %s, encrypted pw= %s\n",
argv[1], salt, EncryptedPasswd);
}

Re: modprpw - with SUPPLIED password

Rajeev Shukla — Fri, 20 Dec 2002 04:38:46 GMT

Hi mike,
Sorry for the delay, i went out for friday lunch.
Here is what you probably want. Try this it should definately compile and work.

#include
#include
#include
char *pass;
char *s = "JQ";
char *p = "hello123"; /* The password to be set */
main()
{
p = getpass(); /* Uncomment this line if you want */
pass = crypt(p,s);
printf("%s\n", pass);
encrypt(pass,s);
}

Re: modprpw - with SUPPLIED password

Rajeev Shukla — Fri, 20 Dec 2002 22:50:26 GMT

Hey mike have you got your problem fixed, or still got some queries.
Please assign points if the problem is soved to people you spent their valuable time for you.

Thanks
Rajeev

Re: modprpw - with SUPPLIED password

Mike_316 — Sat, 21 Dec 2002 02:16:25 GMT

Hey Guys!

The stinker works like a charm!! Thanks! I used the longer version of the encrypt.c, only for the random seeding. I managed to incorporate it beautifully into a series of scripts that keep the security high, and allows for a huge "password seeding" file.

Thanks again!

Mike