Operating System - HP-UX

Re: Checking password entry for common patter

 
SOLVED
Stuart Powell
Super Advisor

Checking password entry for common patter

We are running HP-UX 11i without password shadowing on a non-trusted system. I would like to be able to review the encrypted password entry for each user to see if they are using an unsafe password string. When the systems were first brought on-line we normally set each user's password to a common string. We have since discarded that practice when a user calls in, but since we cannot restrict the password string by age, a savvy user can change their password back to the common string.
I have loaded crack 5.0 and have run it, but I haven't figured out how to add that common string to a dictionary.
Any help on accomplishing my objectives would be appreciated.

Stuart
Sometimes the best answer is another question
Steven E. Protter
Exalted Contributor

Re: Checking password entry for common patter

Shalom,

crack is a dangerous thing to have on a system, easily abused.

On the other hand, Linux uses exactly that library to check passwords.

Not knowing how the integration is done, I'd suggest looking at a Linux machine to see how it's done. Since Linux is open source, it may provide you a solution you can use on HP-UX.

Do share if you figure it out.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: Checking password entry for common patter

A better and safer approach is to use Perl because it has all the routines you need to extract the passwd fields (getpwent()) and also evaluate the password hash (crypt()).

The fundamental idea is to use the crypt() function to compare the plaintext password to the hash. If crypt() produces an identical hash then the same plaintext key was used. You actually pass the current passwd hash to the crypt function because the 1st 2 characters of the hash are the "salt" which is used to perturb the hashing algorithm.

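#!/usr/bin/perl

use strict;
use warnings;

my $plaintext = "secret";
my $currentpwhash = "wCNuEoWfzgPJ.";

# The stored hash doubles as the salt argument: crypt() reads its first
# two characters and re-hashes the candidate with that salt.
if (crypt($plaintext, $currentpwhash) eq $currentpwhash)
{
    print "$plaintext was used; bad password\n";
}
else
{
    print "OK\n";
}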


If it ain't broke, I can fix that.
James R. Ferguson
Acclaimed Contributor

Re: Checking password entry for common patter

Hi Stuart:

As Clay notes, Perl makes life easy. You can use the following script to examine your password database.

#!/usr/bin/perl
#@(#)defpws $ Find default passwords - JRF $

use strict;
use warnings;
use File::Basename;

# The default password to test for is the first command-line argument.
my $defpass = shift or die "Usage: ".basename($0)." Default_Password\n";
my ($name, $passwd, $uid);

# Walk the password database; each stored hash supplies its own salt.
while (($name, $passwd, $uid) = getpwent) {
    if (crypt ($defpass, $passwd) eq $passwd) {
        print $name, "(id=", $uid, ") is using default password\n";
    }
}
1;

...Name the script "defpws" (or anything you want) and do:

# ./defpws sillypw

...This will examine your password database and report any and all users using a password of "sillypw". The output would look like:

dummy(id=1001) is using default password
dummy2(id=1002) is using default password

Regards!

...JRF...
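
An added example, not part of any poster's script: when the same check is run over a copy of /etc/passwd read as a file instead of through getpwent(), the password field can be empty, a lock marker such as "*", or a hash followed by a comma and password-aging characters (the passwd(4) format), and each case has to be handled before comparing. The sample entries, salts, aging characters and the second password are constructed here; "sillypw" is the placeholder from the usage line above.

```perl
#!/usr/bin/perl
# Added example (not from the thread): audit passwd-format lines for a
# known default password, coping with fields that are not plain hashes.
use strict;
use warnings;

my $DEFAULT = 'sillypw';    # constructed value, as in the usage line above

# Hash with traditional crypt(); some modern libcs disable it and return undef.
sub des_hash {
    my ($plain, $salt) = @_;
    my $h = crypt($plain, $salt);
    die "crypt() lacks traditional DES support on this host\n"
        unless defined $h && length($h) == 13;
    return $h;
}

# Constructed sample entries, generated here so the example runs offline.
my @SAMPLE = (
    'dummy:' . des_hash($DEFAULT, 'ab')   . ':1001:20::/home/dummy:/sbin/sh',
    'aged:'  . des_hash($DEFAULT, 'cd')   . ',D.2:1002:20::/home/aged:/sbin/sh',
    'good:'  . des_hash('x9#Lq2vT', 'ef') . ':1003:20::/home/good:/sbin/sh',
    'locked:*:1004:20::/home/locked:/sbin/sh',
    'nopass::1005:20::/home/nopass:/sbin/sh',
);

# Returns one "name(id=uid) reason" string per account that needs attention.
sub audit {
    my ($default, @lines) = @_;
    my @findings;
    for my $line (@lines) {
        chomp $line;
        my ($name, $field, $uid) = split /:/, $line, -1;
        next unless defined $uid;                     # malformed line
        my ($hash) = split /,/, $field, 2;            # drop ",aging" suffix
        if (!defined $hash || $hash eq '') {
            push @findings, "$name(id=$uid) has an empty password field";
            next;
        }
        next unless $hash =~ m!^[./0-9A-Za-z]{13}$!;  # locked ("*") or not a DES hash
        my $try = crypt($default, $hash);             # first 2 chars of $hash are the salt
        push @findings, "$name(id=$uid) is using default password"
            if defined $try && $try eq $hash;
    }
    return @findings;
}

print "$_\n" for audit($DEFAULT, @SAMPLE);
```

Traditional crypt() uses only the first eight characters of the password, so an account whose password merely begins with the same eight characters as the default is reported as well.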
Stuart Powell
Super Advisor

Re: Checking password entry for common patter

Thanks Clay and James. We have perl on our systems, so I'll take your scripts and try to develop something that works.

I appreciate the head start.

Stuart
Sometimes the best answer is another question