Operating System - HP-UX
Iqram_1
New Member

one ID with several set of password ?

Hi,
Posting here after I can't get an answer why there is 1 character in my password on an HP-UX machine that can be replaced with another character, which makes it possible to use several sets of passwords using 1 userID.

e.g. if I set my password as:
username : iqram
password : Ba||||

This password can be used as Baboon or Babang.
This "|" (shift + \) turns the character into a space that can be filled in with any character, as long as it uses the same number of spaces.

Is this a security issue, or are there any patches to solve this problem?
Steven E. Protter
Exalted Contributor

Re: one ID with several set of password ?

Shalom Iqram,

1 User multiple passwords?

That's a pretty big security violation. Each user has a numeric user id in the /etc/passwd file which identifies it to the login process.

To have multiple passwords for the same user, you'd need multiple copies of the user. I believe at that point the login process would only work for one of the users, probably the one closest to the top of the configuration file.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
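
An added example, not part of the thread or of any poster's reply: one way to check a passwd-format file for the case raised in the reply above, where a login name appears more than once, plus the related case of several login names sharing one numeric UID. The function names and sample entries are constructed for illustration, and the hash fields are placeholders.

```shell
#!/bin/sh
# Audit a passwd-format file for entries that give one account several
# credentials: repeated login names, and UIDs shared by several names.
# Output: "DUPNAME <name> <count>" and "DUPUID <uid> <name,name,...>"
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ { next }                      # skip blank lines
        NF < 7 { printf "MALFORMED line %d\n", NR; next }
        {
            names[$1]++                          # occurrences per login name
            if (!(($3, $1) in seen)) {           # count each name once per UID
                seen[$3, $1] = 1
                uids[$3] = (uids[$3] == "" ? $1 : uids[$3] "," $1)
                nuid[$3]++
            }
        }
        END {
            for (n in names) if (names[n] > 1) printf "DUPNAME %s %d\n", n, names[n]
            for (u in uids)  if (nuid[u] > 1)  printf "DUPUID %s %s\n", u, uids[u]
        }
    ' "$1" | sort
}

# Constructed sample input (not taken from the thread).
sample_passwd() {
    cat <<'EOF'
root:HASH_PLACEHOLDER_1:0:3::/:/sbin/sh
iqram:HASH_PLACEHOLDER_2:101:20::/home/iqram:/usr/bin/sh
oper:HASH_PLACEHOLDER_3:102:20::/home/oper:/usr/bin/sh
iqram:HASH_PLACEHOLDER_4:101:20::/home/iqram:/usr/bin/sh
backup:HASH_PLACEHOLDER_5:102:20::/home/backup:/usr/bin/sh
EOF
}

# Run against a real file when a path is given, e.g.: sh audit.sh /etc/passwd
if [ "$#" -gt 0 ]; then
    audit_passwd "$1"
fi
```

An empty result means every login name and every UID in the file is unique.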
Peter Godron
Honored Contributor

Re: one ID with several set of password ?

Hi,
this does not happen on any of my systems.
Are you running trusted or untrusted? If trusted, check your policies.
As far as I know only the characters which are used by getty may be confusing, such as
#, @, /, !, _, backspace, ^U, ^D, or &
Iqram_1
New Member

Re: one ID with several set of password ?

Untrusted
Iqram_1
New Member

Re: one ID with several set of password ?

Hi Steven E Protter,
You should read the post.
Peter Godron
Honored Contributor

Re: one ID with several set of password ?

Hi,
I am also running untrusted. What OS and patch level are you at?
So you are using the "|" as a "wildcard" for passwords? Normally the password security is the tightest of any executable on the system, so I suspect it is something in the setup on your machine. Tricky thing will be to find out what.
Could you provide a log?
Elmar P. Kolkman
Honored Contributor

Re: one ID with several set of password ?

It is caused by the way HP (and other unixes) check a password. They don't keep the unencrypted passwd anywhere (except for some application files, like .netrc). They only have an encrypted version.

When you (try to) login, the password you type is encrypted and then checked with the encrypted passwd on the system. If they match, the login process continues.

If you wanted these wildcards, it would have to encrypt every possible version to try to match what you want...
Every problem has at least one solution. Only some solutions are harder to find.
Iqram_1
New Member

Re: one ID with several set of password ?

What I want to say is, "|" is acting as a wildcard that is dangerous.
Elmar P. Kolkman
Honored Contributor

Re: one ID with several set of password ?

Sorry, I misunderstood the question.

There is another thing in the encryption used: not all bits of all characters are used in all versions of the encryption. In the older versions, for instance, only 6 bits were used.

But the effect of your pipe symbols I can't explain... And the effect doesn't show on our systems here. What version of HP-UX are you running?
Every problem has at least one solution. Only some solutions are harder to find.
Iqram_1
New Member

Re: one ID with several set of password ?

[xxxxxx]home/iqram $ uname -a
HP-UX xxxxxx B.11.11 U 9000/869 1472564351 unlimited-user license
[xxxxxx]home/iqram $
Peter Godron
Honored Contributor

Re: one ID with several set of password ?

Hi,
I have had a good attempt at getting the same behaviour on my machines, but without luck.
Could you please provide a logfile.
Ralf Seefeldt
Valued Contributor

Re: one ID with several set of password ?

Hello Iqram,

I cannot reproduce this behaviour either, on an HP-UX 10.20 system.
My system has not been patched for a long time. The most up-to-date patches of each kind are:
PHSS_19981
PHNE_18763
PHKL_24281
PHCO_19780

I do not think that any patch might cause such a security hole, but I would not completely rule it out.

I suppose your system language is US-English. Did you try to reproduce the problem with another system language?

Defining further password restrictions (like minimum length or possibly forbidden characters - I do not know whether this may be an option) will be available only on trusted systems.

I hope you will solve your problem.

Ralf