
password changes

 
Jason Berendsen
Regular Advisor

password changes

I wanted an easy way to change passwords across 17 different servers without setting up NIS. I created a script that utilizes sed to change the password field in the /etc/passwd file to the same encrypted password across all servers. What kind of security problems would this open up? It is still using the encrypted password; it is just the same encryption on each server.
6 REPLIES 6
steven Burgess_2
Honored Contributor
Solution

Re: password changes

Hi

If you manage to get access to one server, you have access to them all via that specific id. Not that the intruder would know that the passwd's are the same. It wouldn't be hard to work out though.

I take it that you have .rhosts set up on each server as well?

HTH

Steve
take your time and think things through
Jason Berendsen
Regular Advisor

Re: password changes

Yes we do have an .rhosts set up. I am aware that this is a security risk.

Jason
R.Mielen
Advisor

Re: password changes

allo,

I've tried it before also with sed, and as long
as your hosts.equiv & .rhosts are set up well
then there will be no problems.
At least not for me a couple of months ago.

GrtZZ

R.Mielen
I haven't failed, I only found 10,000 ways that won't work
A. Clay Stephenson
Acclaimed Contributor

Re: password changes

The passwd file itself is probably no less secure. In fact, it's about at the level NIS would leave it since a 'ypcat passwd' would reveal the hashed passwd's to anyone. Your real security risk is the .rhosts and hosts.equiv that allow your remsh'ed sed commands to work. The other risk is that your script probably creates a temp file before moving it back to /etc/passwd. Someone might be able to write a daemon to look for the existence of that temp file and subvert it before it is moved into final position.

You should really give NIS a try. It's very easy to set up. You can even use SAM.


If it ain't broke, I can fix that.
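
The temp-file risk raised in the reply above can be closed off by how the update is written. The following is an added example, not code posted in this thread: a hypothetical `set_pw_hash` function that builds the new file under an unpredictable name inside the target's own directory and swaps it in with a single rename. It assumes a `mktemp` that creates the file itself (GNU/BSD behaviour) and a POSIX `awk`.

```shell
#!/bin/sh
# Added example (not from the thread). set_pw_hash FILE USER HASH
# Replaces field 2 (the password hash) of USER's entry in a passwd-format FILE.
# The function name and the ".pwupd" prefix are hypothetical.
set_pw_hash() {
    file=$1 user=$2 hash=$3
    dir=$(dirname "$file")
    nl=$(printf '\nx'); nl=${nl%x}

    # Reject values that would corrupt the colon-delimited record.
    case "$user$hash" in
        *:*|*"$nl"*) echo "invalid character in user or hash" >&2; return 2 ;;
    esac

    # The temp file is created exclusively by mktemp, mode 0600, with an
    # unpredictable name, in the target's directory rather than /tmp, so no
    # other user can pre-create it or swap it before the rename.
    old_umask=$(umask); umask 077
    tmp=$(mktemp "$dir/.pwupd.XXXXXX") || { umask "$old_umask"; return 1; }
    umask "$old_umask"

    # awk matches the user name literally and takes both values from the
    # environment, so '/', '.', '$' in a hash need no escaping as in sed.
    if PW_USER=$user PW_HASH=$hash awk -F: -v OFS=: '
           $1 == ENVIRON["PW_USER"] { $2 = ENVIRON["PW_HASH"]; n++ }
           { print }
           END { exit (n == 1 ? 0 : 1) }   # exactly one entry must match
       ' "$file" > "$tmp" &&
       [ "$(wc -l < "$tmp")" -eq "$(wc -l < "$file")" ]
    then
        chmod 444 "$tmp"        # world-readable, not writable (assumed mode)
        mv -f "$tmp" "$file"    # rename within one directory: atomic swap
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Readers of the file see either the old contents or the new, never a partial write, and a failed update leaves the original untouched.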
PIYUSH D. PATEL
Honored Contributor

Re: password changes

Hi,

To increase your security further, you should go for the NIS or convert your system to a trusted system using SAM.

.rhosts, hosts.equiv files are security loopholes.

Piyush
steven Burgess_2
Honored Contributor