
Re: password validation

 
SOLVED
KSB_1
Occasional Advisor

password validation

I need to validate a unix system user in a script, against the userid and password pair he/she enters when the script interactively asks but I am not sure how to encrypt the clear password to make the comparison to the encrypted version in the trusted system user database. Script will run with uid-0 privileges, so accessing the file containing the password will not be a problem. But I could not figure out how to encrypt the password.

Any help is greatly appreciated
11 REPLIES 11
Hazem Mahmoud_3
Respected Contributor

Re: password validation

You can use the C function, crypt() for this. If you have the hp-ux 11i security book by Chris Wong, it goes into this in Chapter 2.

-Hazem
KSB_1
Occasional Advisor

Re: password validation

Unfortunately I do not have this book, and the likelihood that I can lay my hands on it is slim to none in the near future.

Is there any other way?
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: password validation

Does a hog like slop?

If you want to do this in a scripting language the answer is Perl. Note that the UNIX crypt function is actually a hash, so the process is not reversible. The idea is that you pass in the plaintext passwd as the first argument to crypt and the first two characters (the salt) of the stored passwd hash as the second argument to produce a new hash. If this hash is identical to the original hash, the passwds match. Perl's crypt function automatically ignores anything past the first 2 characters of the salt argument. Man perlfunc and look at the crypt function for more details.

Attached is a 3 minute example. It returns 0 for ok and non-zero for anything else.

pwtest.pl            # prompts for the credentials; exits 0 only if they match
STAT=${?}
if [[ ${STAT} -eq 0 ]]
then
    echo "All ok"
else
    echo "You be bad"
fi
If it ain't broke, I can fix that.
Juergen Tappe
Valued Contributor

Re: password validation

The Script is running with SUID Bit to root - correct ?

In this case here a shell script part, which could solve it:

USER=$(who am i | awk '{print $1}') # should return the real logged in user (first field only; cut -c1-8 would also do)
su bin -c "su $USER -c \"true\"" ; OK=$?
# as bin the user HAS to enter the password
if [ "$OK" -ne 0 ]
then
    # su failed
    echo "Errormessage"
    exit 1
fi

# rest of your script


$(logname) can work instead of $(who am i) as well.
Working together
KSB_1
Occasional Advisor

Re: password validation

Thank you.
pwtest.pl did the trick
doug hosking
Esteemed Contributor

Re: password validation

Be careful. 'trusted system user database' is a key here. In trusted systems, passwords can be much longer than the usual 8 characters. See the differences between crypt() and bigcrypt().
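The following Perl script is an added example written for this thread; it is not Clay's attached pwtest.pl (which is not reproduced on the page) and not HP's code. It shows the comparison Clay describes (hash the entered password with the stored hash as salt, compare) and fails closed in the case Doug raises (a stored hash longer than the 13 characters crypt() produces, as bigcrypt() yields for long trusted-system passwords). It assumes a crypt(3)-style hash is obtainable through getpwnam() and that stty(1) exists; the --selftest mode, the salt "ab" and the password "constructed-demo" are made up for illustration.

```perl
#!/usr/bin/perl
# check_pw.pl: added example, not the pwtest.pl attachment from this thread.
# Verifies an interactively entered login/password pair against the stored
# crypt(3) hash, exiting 0 on success and non-zero otherwise, so a caller
# can test $? exactly as the shell fragment in Clay's reply does.
use strict;
use warnings;

# Returns 1 if $plain hashes to $stored, 0 otherwise.
# The whole stored hash is passed as the salt: traditional DES crypt uses only
# its first two characters and ignores the rest, while modular formats
# ($1$..., $6$...) take the $id$salt$ prefix they need.
sub password_matches {
    my ($plain, $stored) = @_;

    # Fail closed on locked, empty or placeholder fields ("*", "!", "NP", "").
    return 0 unless defined $plain && defined $stored && length($stored) >= 13;

    my $computed = crypt($plain, $stored);
    return 0 unless defined $computed;

    # A bigcrypt() hash of a long trusted-system password is longer than the
    # 13 characters crypt() returns; this example does not implement bigcrypt,
    # so a length mismatch is rejected rather than silently compared.
    return 0 unless length($computed) == length($stored);

    # Constant-time comparison: timing then does not reveal how many leading
    # characters of the hash were right.
    my $diff = 0;
    for my $i (0 .. length($stored) - 1) {
        $diff |= ord(substr($computed, $i, 1)) ^ ord(substr($stored, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Stored hash for a login name, from the passwd field of getpwnam().
# On a trusted (shadowed) system that field is normally "*" and the real hash
# is kept elsewhere; this example does not read that database, so the check
# fails closed there instead of accepting anything. Returns undef for unknown users.
sub stored_hash_for {
    my ($login) = @_;
    my @pw = getpwnam($login);
    return @pw ? $pw[1] : undef;
}

# Read one line from the terminal with echo turned off (assumes stty(1)).
sub read_secret {
    my ($prompt) = @_;
    print $prompt;
    system('stty', '-echo');
    my $line = <STDIN>;
    system('stty', 'echo');
    print "\n";
    return undef unless defined $line;
    chomp $line;
    return $line;
}

if (!caller) {    # interactive part runs only when executed directly
    if (@ARGV && $ARGV[0] eq '--selftest') {
        # Constructed hash so the logic can be tried without root; the salt
        # "ab" and the password are invented for this demo.
        my $demo  = crypt('constructed-demo', 'ab');
        my $ok    = password_matches('constructed-demo', $demo);
        my $bad   = password_matches('wrong-password', $demo);
        my $lock  = password_matches('constructed-demo', '*');
        # With traditional DES crypt only the first 8 characters count, so a
        # password differing after position 8 still matches; that truncation
        # is why trusted systems hash long passwords with bigcrypt() instead.
        my $trunc = password_matches('constructed-XXXX', $demo);
        print "match=$ok mismatch=$bad locked=$lock truncated=$trunc\n";
        exit(($ok && !$bad && !$lock) ? 0 : 1);
    }

    print "Login: ";
    my $login = <STDIN>;
    exit 2 unless defined $login;
    chomp $login;
    my $password = read_secret("Password: ");
    exit 2 unless defined $password;
    exit(password_matches($password, stored_hash_for($login)) ? 0 : 1);
}
```

Run it without the setuid bit, as Clay advises later in the thread; on a non-trusted system the passwd field is world-readable anyway, and on a trusted system the script must be invoked by a process that already has the privilege to read the protected database, which this example deliberately does not reach into.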
KSB_1
Occasional Advisor

Re: password validation

Well, more problems were encountered while I was trying to incorporate this into my general solution, and I think this is mainly due to my perl instance, but not being proficient (read as novice) in perl, I am not sure where to look. Here is the problem:

pwtest.pl is in /usr/contrib/bin as follows:

[/home/mortaluser]$ ll /usr/contrib/bin/pwtest.pl
-rws--x--x 1 root sys 498 Apr 28 11:27 /usr/contrib/bin/pwtest.pl
[/home/mortaluser]$ /usr/contrib/bin/pwtest.pl
YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!
FIX YOUR KERNEL, PUT A C WRAPPER AROUND THIS SCRIPT, OR USE -u AND UNDUMP!

I hopelessly tried to put a shell script like the one below, placed in the same /usr/contrib/bin directory:
[/home/mortaluser]$ cat /usr/contrib/bin/pwtest_wrapper.sh
#!/usr/bin/ksh
#file: pwtest_wrapper.sh

/usr/contrib/bin/pwtest.pl
result=$?          # exit status of pwtest.pl (0 = credentials OK)
echo " "

if [ $result -eq 0 ]
then
    echo "user validated OK!"
else
    echo "user credentials NO GOOD!"
fi

[/home/mortaluser]$ ll /usr/contrib/bin/pwtest_wrapper.sh
-rws--x--x 1 root sys 163 Apr 29 08:38 /usr/contrib/bin/pwtest_wrapper.sh
[/home/mortaluser]$ /usr/contrib/bin/pwtest_wrapper.sh
YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!
FIX YOUR KERNEL, PUT A C WRAPPER AROUND THIS SCRIPT, OR USE -u AND UNDUMP!


I have no clue what this means or how to work around it. Again any help is greatly appreciated in advance.

Also, I will not be able to recompile perl and wreak havoc on already running applications dependent on perl as a side note.
KSB_1
Occasional Advisor

Re: password validation

before I forget, a kernel change can happen on the day hell freezes over (or at least it seems that far away from today). So whatever bit was not set in kernel and sounds like it can fix my problem is not likely to happen anytime soon.
A. Clay Stephenson
Acclaimed Contributor

Re: password validation

The "kernel" here does not refer to the system kernel but rather the "kernel" Perl (executable) code. Your mistake was trying to make a Perl script a setuid script. Perl goes to great lengths to not let this work. Bear in mind, setuid for a shell script only has meaning to the shell executable because a shell script is not an executable. Because the passwd file must be readable by all, if all you are trying to do is verify a user then this will work. Get rid of the setuid bit.

I really wish that this feature was not supported in the Shell because it is a glaring security hole.
If it ain't broke, I can fix that.
doug hosking
Esteemed Contributor

Re: password validation

Clay, newer HP-UX releases have a kernel tunable called 'secure_sid_scripts' that can be used to control whether setuid scripts are supported. As you note they can be a large security hole. Unfortunately I don't think there has been a PA-RISC release with this but it's in 11.22 and 11.23 and should be in the next version that supports PA-RISC.
A. Clay Stephenson
Acclaimed Contributor

Re: password validation

Yes, I'm well aware of that; it's just that setuid shell scripts were state-of-the-art stupid from the get-go --- they should have never been allowed. Setuid and setgid programs definitely have their place; that place just shouldn't include scripting languages.
If it ain't broke, I can fix that.