topic Re: Creating a password hash in Operating System - Linux

Creating a password hash

Jeff_Traigle — Thu, 15 Feb 2007 14:12:27 GMT

I have a script on HP-UX that I wrote that generates a hash of an 8 character string with makekey. Although the resulting hash seems to satisfy HP-UX for authenticating, SUSE Linux doesn't like it and won't authenticate until I change the password from the Linux system. (NIS is used so the same hash is used cross-platform.) Ideally, I'd like to keep the hash looking random instead of hard coding a known HP-UX- and SUSE-friendly hash for the default password we use when creating a new account. Any ideas?

Re: Creating a password hash

James R. Ferguson — Thu, 15 Feb 2007 18:08:00 GMT

Hi Jeff:

Perhaps:

# cat ./makepw
#!/usr/bin/perl -l
die "One arg expected\n" unless @ARGV;
print crypt(
$ARGV[0],
join( '',
( '.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z' )[ rand 64, rand 64 ] )
);
1;

...run as:

# ./makepw plaintext

Regards!

...JRF...

Re: Creating a password hash

Andrew Cowan — Fri, 16 Feb 2007 02:37:16 GMT

This is because the standard hashing algorithms used by the OS's are different. Most linux variants use MD5 as their standard.

Re: Creating a password hash

Steven E. Protter — Fri, 16 Feb 2007 05:02:36 GMT

Shalom,

Its also known that HP-UX systems with normal security will not authenticate to linux NIS servers with shadow password.

I'm not even sure it will work if you go trusted or install shaldow passwords.

SEP

Re: Creating a password hash

Jeff_Traigle — Fri, 16 Feb 2007 08:10:12 GMT

I'll give that script a try.

The NIS servers (both master and slaves) are HP-UX systems. The Linux systems are only NIS clients.

I found it a bit odd that using makekey to generate the hash would work for HP-UX, but not SUSE... yet changing the password from the Linux client (logged in as root to change the new user's password), created a hash that was decipherable by both platforms. I don't remember if I tried changing the password from the HP-UX systems. Although that won't help the solution, it would be interesting to know the result.

Re: Creating a password hash

Frank Larsen — Fri, 16 Feb 2007 10:03:33 GMT

I use this script generating passwords on a SUSE-servers:

# Sets the maximum size of the password the script will generate
MAXSIZE=8

# Holds valid password characters. I choose alpha-numeric + the shift-number keyboard keys
# I put escape chars on all the non alpha-numeric characters just for precaution
array1=(
q w e r t y u i o p a s d f g h j k l z x c v b n m Q W E R T Y U I O P A S D
F G H J K L Z X C V B N M 1 2 3 4 5 6 7 8 9
)

# Used in conjunction with modulus to keep random numbers in range of the array size
MODNUM=${#array1[*]}

# Keeps track of the number characters in the password we have generated
pwd_len=0

# The outer while loop starts at 0 and loops till MAXSIZE, creating a passwd char each iteration.
# The shells $RANDOM variable creates a semi-random unsigned number. This is our entropy. =x
# x simply holds some random unsigned int that will be used to make the character scramble.
# 500 was choosen for speed and nothing else. Leave out the mod 500 if you want or change it.
# The inner loop displays the password characters. Tput keeps the cursor in the proper position.
# Mod MODNUM keeps the random number inside the size of the array so it doesnt over index.
PASSWORD=""
while [ $pwd_len -lt $MAXSIZE ]
do
x=$(($RANDOM%500))
y=0
while [ $y -lt $x ]
do
((y++))
index=$(($RANDOM%$MODNUM))
done
PASSWORD="${PASSWORD}${array1[$index]}"
((pwd_len++))
done

# Crypt password
PASSWORDCRYPT=$(openssl passwd "$PASSWORD")

Re: Creating a password hash

Jeff_Traigle — Fri, 16 Feb 2007 10:51:05 GMT

Nice. Both the perl script and the "openssl passwd" command seemed to create hashed passwords that both HP-UX and SUSE were happy with. Think I'll go with the openssl option though. One less script to worry about and doesn't require generating the seed characters.

Re: Creating a password hash

Jeff_Traigle — Fri, 16 Feb 2007 11:28:35 GMT

*Grumble*

Ok. Now I'm thinking my original algorithm with make key worked for the hash too.

Here's what I've narrowed the problem to now that I've played with it some more...

Once the hash is created, I append ",..." to immediately expire the password so the user is forced to change it when they first login. This works fine on the HP-UX systems. The Linux systems can't handle this.

If I login to an HP-UX system and change the password, the hash created for the new password is also not recognized by the Linux systems.