HPE Community
Operating System - HP-UX
1834925 Members
2642 Online
110071 Solutions
New Discussion

Passwd Question

 
SOLVED
Go to solution
joe_91
Super Advisor

‎09-20-2005 05:36 AM

‎09-20-2005 05:36 AM

Passwd Question

We have to provide the password reset1r in encrypted
form in a useradd script(our own script). We got the
encrypted form of reset1r by creating a dummy user
with
this password . The entry for that user came as
test1:H9gMzRWn2q42M,A/xO:10186:20:,:/home/test1:/bin/ksh.

Here ':' is the delimiter and should we take the
encrypted password as
H9gMzRWn2q42M,A/xO or H9gMzRWn2q42M or
H9gMzRWn2q42M,A/ ? Because many
other user entries in the passwd file is having only
till A/ and many other
users have the encrypted passwords ending in '.,A/'
instead of ',A/'.
Could someone tell which character will be the
encrypted password? and whether our approach has any
gotchas...??

Thanks
Joe.
0 Kudos
Reply
5 REPLIES 5
john kingsley
Honored Contributor

‎09-20-2005 05:49 AM

‎09-20-2005 05:49 AM

Re: Passwd Question

The encrypted password will be "H9gMzRWn2q42M" the A/xO is the password aging information in base 64. If you don't want to force the users to change their passwords at regular intervals, you could leave ,A/xO out of the password field.
0 Kudos
Reply
Hakan Aribas
Valued Contributor

‎09-20-2005 05:49 AM

‎09-20-2005 05:49 AM

Re: Passwd Question

An entry in the /etc/passwd file has the following form:

format:
Name:Password: UserID:PrincipleGroup:Gecos: HomeDirectory:Shell

example:
root:q.mJzTnu8icF.:0:10:God:/:/bin/csh
0 Kudos
Reply
Mel Burslan
Honored Contributor

‎09-20-2005 06:30 AM

‎09-20-2005 06:30 AM

Re: Passwd Question

your password in the encrypted form of

H9gMzRWn2q42M,A/xO

is pre-expired. If this is intentional, good for you. If you did not do this and it is coming up like that on my system, then you need to think about pre-exprint the password before giving it to the users.

if you omit the , and 4 characters following it, your password will be permanent and it will never expire, i.e., H9gMzRWn2q42M form.

to guarantee that it is preexpired all the time, you can use this string (old trick from hp-ux 5.x times but still works)

H9gMzRWn2q42M,..

If you happen to convert this system to a trusted system in the future, all bets are off as the password policies will change and encryption lengths etc will be problematic at best. So, if a trusted system conversion is in the future, proceed with caution.
________________________________
UNIX because I majored in cryptology...
Reply
A. Clay Stephenson
Acclaimed Contributor

‎09-20-2005 06:30 AM

‎09-20-2005 06:30 AM

Solution

Re: Passwd Question

The comma separated field at the end of the passwd hash is the aging parameters in base64. One character indicate the maximum age of the password, another indicates the minimum time between changes, and two are used toi encode in base64 the last time the password was changed. All of these values are in weeks. Man 4 passwd for details.

Rather than using the Mickey Mouse approach of copying a passwd hash, why not create a hash using the same algorithm the system does?

The attached Perl script will do this:

typeset PWHASH=""
typeset PLAINTEXT="reset1r"
PWHASH=$(echo "${PLAINTEXT}" | makepw.pl)

Note: This will produce a different but equivalent hash each time because the "salt" is chosen randomly --- just like the real thing. Not to worry, the same plaintext key will still generate the correct hash because the login routine strips off the first two characters (the "salt") and when that salt is combined with your plaintext password the identical hash is produced.

echo "PWHASH=\"${PWHASH}\""
If it ain't broke, I can fix that.
Reply
Giri Sekar.
Trusted Contributor

‎09-20-2005 07:54 AM

‎09-20-2005 07:54 AM

Re: Passwd Question

Hi:

Up to the , is the encrypted password(in /etc/passwd - non-secure - it will be exactly 13 chars: 11 for the encryption and 2 for the "salt"), in TCB files it
will be N * 11 + 2 (in which N is determined by the password length, which can be larger then 8 in secure systems, N is the next multiple of 8 >+ length of the clear passwd, that is: 1 for password up to 8 chars, 8 for up to 16, etc.).So each 11 "crypt chars" are the encoding of (up to) 8 clear chars in the password itself. Again with 2 extra chars for the salt. The part starting AFTER the comma is the password aging part, which doesn't have to be present (and never WILL be in trusted systems as the aging is stored
differently there).

See also "man 4 passwd" for the format of the /etc/passwd file, including info
about the encrypted password and the aging chars.

Thanks

Giri Sekar.
"USL" Unix as Second Language
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.