Re: Encrypted Password Audit

Simpson · ‎03-20-2009

I am being asked to validate all users have encrypted passwords on a non-trusted (no shadow) 11iV1. I am having an issue understanding how to do this.

Thanks
Mike

TTr · ‎03-20-2009

> I am being asked to validate all users have encrypted passwords

By whom? You need to go back to them and ask for details.

All passwords are encrypted. If you are being asked to check if there are passwordless accounts, you have to check /etc/passwd.

If you are being asked if all unix logins over the network are encrypted, that's a different story. You need to stop using telnet/rlogin/ftp and start using ssh.

Jeff_Traigle · ‎03-20-2009

Well, all passwords on a UNIX system are hashed (not really encrypted). If the system is non-trusted and not using shadow password, the hashed password is in /etc/passwd (second colon-separated field).

--
Jeff Traigle

Bijeesh · ‎03-20-2009

Hi,
You can check it on /etc/passwd file.
If User1:liJnoo0kgFv2c:107:20:,,,:/bsr/bsr247:/usr/bin/sh

if the second field containing some thing like " liJnoo0kgFv2c" , user having ncrypted passwd.

rgds
Bijeesh

Patrick Wallek · ‎03-20-2009

There are some things you need to understand as part of your audit as well.

There are 3 possibilities for the password field in /etc/password.

1) A **VALID** encrypted/hashed password. This is a string that is 13 characters long and contains **ONLY** '.', '/', 'A-Z', 'a-z' and '0-9' (not counting the single quotes). There could be another string, separated by a comma, after the hashed password that denotes password aging.

2) An **INVALID** "password". This can be a string that is **NOT** 13 characters long, or a 13 character string that contains a character **OTHER THAN** those described above.

An account set up like could be considered to be locked since it would be impossible to log into it.

3) An **EMPTY** passowrd. This is where the 2nd field in the /etc/passwd file is **BLANK**. For example: user1::1:2:GECOS:/home/me:/usr/bin/sh

Note that there is nothing in the field after the user name.

All of these should be taken into account when doing your audit.

Patrick Wallek · ‎03-20-2009

By the way doing a 'man 4 passwd' explains in a bit more detail about the passwd field in the passwd file.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Encrypted Password Audit

Encrypted Password Audit