tru64 enhanced security u_oldcrypt,u_newcrypt values changing

sumedh
Occasional Visitor

Hi,
I have a custom application running on a Tru64 box. It is basically used to provision user accounts and their passwords, etc. I run it with root privileges. The default database shows u_newcrypt#2 as one of the entries. When I use the OS API functions through my application to update a user password (I write to the auth.db), I can log in with my new password for the same user. Also, when I do an edauth -dp -g , I don't see any values for the u_oldcrypt and u_newcrypt attributes. Now, immediately after this I do a password change on the box using "passwd ". I do an edauth and now I see u_oldcrypt is 2; the output doesn't have any mention of u_newcrypt. I can log in with this new password as well. I run another password change through my custom application on the same user and I get u_oldcrypt as 1 in my edauth output, but now I can't log in with this password or even the previously set password; the user account has become unusable. I suspect u_oldcrypt is causing this problem in this sequence of operations, but I can't figure out what it is used for and how it relates to u_newcrypt. Can anyone throw any light on how these two values correlate, whether u_oldcrypt=u_newcrypt after a password change? My custom code uses crypt(), which I believe corresponds to the u_newcrypt value 2 encryption mechanism. Any help is highly appreciated.
Many Thanks,
Sumedh


4 REPLIES
Venkatesh BL
Honored Contributor

Re: tru64 enhanced security u_oldcrypt,u_newcrypt values changing

Looks like the crypt algorithm might have been changed. Look into 'man prpasswd' for some info on these parameters.
Kasper Hedensted
Trusted Contributor

Re: tru64 enhanced security u_oldcrypt,u_newcrypt values changing

Hi Sumedh,

From prpasswd(4):

u_oldcrypt:
This field is the algorithm number used to encrypt the current password.

u_newcrypt:
This field is the algorithm number used to encrypt future passwords.


And the algorithm values are defined in /usr/include/prot.h:

#define AUTH_CRYPT_BIGCRYPT 0 /* index to use bigcrypt */
#define AUTH_CRYPT_CRYPT16 1 /* index to use crypt16 */
#define AUTH_CRYPT_OLDCRYPT 2 /* index to use old crypt */
#define AUTH_CRYPT_C1CRYPT 3 /* index to use /etc/passwd */


Cheers,
Kasper
sumedh
Occasional Visitor

Re: tru64 enhanced security u_oldcrypt,u_newcrypt values changing

Hi,
Yes, I am already aware of this information. I too suspect that the crypt algorithm my application is using and the one used by the "passwd" command on the box are different algorithms, but I can't understand how u_oldcrypt and u_newcrypt correlate. Does u_oldcrypt get the value of u_newcrypt just after a password change? Logically that should happen, shouldn't it? If u_newcrypt told us the algorithm to encrypt future passwords, then your app would use that algorithm while changing the password. This value I would have thought got reflected in the u_oldcrypt attribute, which tells the OS what algorithm the current password was set using. Is this the way it is?
Ann Majeske
Honored Contributor

Re: tru64 enhanced security u_oldcrypt,u_newcrypt values changing

My response from comp.unix.tru64:

u_newcrypt is the encryption method used to encrypt future passwords. The OS will first look for it in the user's account, if it doesn't find it there it will take the value from the default file. So, if you want your custom application to accurately reflect the Enhanced Security encryption method that has been set you should be looking at this value and using it to determine how the user's password is encrypted. One easy way to do this would be to use the sia_chg_password() routine. It will work for any SIA security mechanism you have enabled on your system (Base, Enhanced, etc).

u_oldcrypt is the encryption method used to encrypt the current password. This should always be in the user's account information, it doesn't make sense to have it in the default file. u_oldcrypt is used by the OS to determine how to encrypt the password to compare it with the current password. Apparently your custom application is setting it to the wrong value (1 instead of 2). This would explain why the user can't login, the same password encrypted using two different methods will not match.

The OS encryption values for u_oldcrypt and u_newcrypt (there is a way for you to define your own additional encryption values, but I'm assuming that this is not the case here) are in prot.h:
/* Indices for fd_{old,new}crypt algorithms */
#define AUTH_CRYPT_BIGCRYPT 0 /* index to use bigcrypt */
#define AUTH_CRYPT_CRYPT16 1 /* index to use crypt16 */
#define AUTH_CRYPT_OLDCRYPT 2 /* index to use old crypt */
#define AUTH_CRYPT_C1CRYPT 3 /* index to use /etc/passwd */
#define AUTH_CRYPT__MAX 3 /* last legal index */

So, if you're using crypt() to encrypt the password, you should be setting u_oldcrypt to 2, not 1, in your custom application. Basically, you need to set the fg_oldcrypt field to 1 (to indicate that the u_oldcrypt value should be set) and the fd_oldcrypt field to 2 (to indicate the value to set for u_oldcrypt). See the Security Programming manual and the putespwnam() man page for more information. But, as I stated above, the easiest way to deal with this would be to use the sia_chg_password() routine instead.

Ann Majeske
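The following is an added model of the u_newcrypt / u_oldcrypt semantics Ann describes, not Tru64 code and not anyone's code from this thread. It reproduces the lockout sequence from the original post: the hashing routines are constructed stand-ins (three distinct SHA-256 constructions), the fixed salt and the "fall back to u_newcrypt when u_oldcrypt is absent" rule are modelling assumptions, and only the index values come from prot.h as quoted above.

```python
import hashlib

# Algorithm indices from Tru64 prot.h, as quoted in the thread.
AUTH_CRYPT_BIGCRYPT = 0
AUTH_CRYPT_CRYPT16 = 1
AUTH_CRYPT_OLDCRYPT = 2

# Constructed stand-ins for bigcrypt / crypt16 / crypt: three distinct digests,
# so a hash made under one index never verifies under another. They share
# nothing with the real Tru64 algorithms.
_ALGOS = {
    AUTH_CRYPT_BIGCRYPT: lambda pw, salt: "big$" + hashlib.sha256((salt + pw).encode()).hexdigest()[:16],
    AUTH_CRYPT_CRYPT16: lambda pw, salt: "c16$" + hashlib.sha256((pw + salt).encode()).hexdigest()[:16],
    AUTH_CRYPT_OLDCRYPT: lambda pw, salt: "old$" + hashlib.sha256((salt + pw + salt).encode()).hexdigest()[:13],
}

# Modelled "default" database entry: only u_newcrypt#2, as in the post.
DEFAULT = {"u_newcrypt": AUTH_CRYPT_OLDCRYPT}
SALT = "ab"  # assumption: fixed salt keeps the model short; real crypt() embeds its own

def new_crypt_index(user):
    """u_newcrypt: taken from the user's record, else from the default file."""
    return user.get("u_newcrypt", DEFAULT["u_newcrypt"])

def set_password(user, password):
    """Correct update: hash with u_newcrypt and store that index as u_oldcrypt
    (the fg_oldcrypt=1 / fd_oldcrypt=<index> step from Ann's reply)."""
    idx = new_crypt_index(user)
    user["u_pwd"] = _ALGOS[idx](password, SALT)
    user["u_oldcrypt"] = idx
    return user

def set_password_buggy(user, password):
    """The questioner's application: hashes with crypt() (index 2) but tags
    the record with u_oldcrypt = 1 (crypt16)."""
    user["u_pwd"] = _ALGOS[AUTH_CRYPT_OLDCRYPT](password, SALT)
    user["u_oldcrypt"] = AUTH_CRYPT_CRYPT16
    return user

def verify(user, password):
    """Login check: re-hash with the algorithm named by u_oldcrypt and compare.
    Assumption: a record without u_oldcrypt falls back to u_newcrypt, which is
    consistent with the questioner's first login succeeding."""
    idx = user.get("u_oldcrypt", new_crypt_index(user))
    return _ALGOS[idx](password, SALT) == user["u_pwd"]

def reproduce_thread_sequence():
    """passwd(1) sets the record correctly, then the buggy app locks it out.
    Returns (login after passwd, new password after app, old password after app)."""
    user = set_password({}, "first-secret")
    after_passwd = verify(user, "first-secret")
    set_password_buggy(user, "second-secret")
    return after_passwd, verify(user, "second-secret"), verify(user, "first-secret")
```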