Operating System - HP-UX
Re: Scripting CRACK on new passwords

SOLVED
TheJuiceman
Super Advisor

Scripting CRACK on new passwords

Hey everyone!!!

I have a project that I need a little help with. I need to develop something that works something like the following:

1. CRACK is run on /etc/passwd and failing logins are written to a file.
2. A job is run that will take a dummy .profile file and replace the .profile of all offending CRACK IDs. It will make a copy of the original .profile first.
3. The dummy .profile will consist of the following:
A. Force a password change by the user when they login.
B. CRACK is run on the new password.
C. If the new password is successful, the user is allowed on.
D. If the password fails, it asks for another and again runs CRACK against it.
E. Once a good password has been submitted, the dummy .profile copies the original .profile back into place so that all is normal on the user's next login.

Any ideas to make this a reality? Thanks.
10 REPLIES
Steven E. Protter
Exalted Contributor
Solution

Re: Scripting CRACK on new passwords

Linux does this right now. It won't let the regular users use guessable passwords.

HP did not think that was safe. There are usable versions of crack out there but integrating them into a password change is a problem.

The reason is on HP boxes, it takes quite a while to crack passwords, sometimes half an hour. You can't have a user waiting that long on a password change.

Using crack for a password check, or rather the crack library is documented somewhere on the site http://www.tldp.org

The methodology should be portable.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
TheJuiceman
Super Advisor

Re: Scripting CRACK on new passwords

Steven,
Thanks for the response. In the script, we would allow CRACK to run for only 30 seconds. Testing has shown us that over 85% of the passwords that CRACK will break, it gets in the first 30 seconds. And it is only running against one password, which would make it more efficient.
We realize that this probably is not SOP in how to do things, but we feel that this would be a good way to maintain our passwd file in a simple way.
Oh, and we would still periodically run CRACK on the entire passwd file. If a newer password then fails, it will then ask the user to come up with another password.

Thanks
Chris Wong
Trusted Contributor

Re: Scripting CRACK on new passwords

npasswd on HP-UX will work (to not let them use a guessable password). You can incorporate cracklib into it.

- Chris
Sridhar Bhaskarla
Honored Contributor

Re: Scripting CRACK on new passwords

Hi Bobby,

That's quite an interesting approach.

My suggestion would be to force the user to set a difficult password instead of running crack on it.

You can achieve it by specifying the password length and its format, like at least one uppercase, one lowercase, one digit, one special, etc., by implementing the /etc/default/security file. This way users will have to set relatively strong passwords. Then run crack regularly on all the passwords and notify the ones that do not have strong passwords. Look at the man page of security. It's available by default with 11i. For 11i, if you don't have the latest patch sets, it's through a patch.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Steven E. Protter
Exalted Contributor

Re: Scripting CRACK on new passwords

Most distributions of Linux now ship with the cracklib integrated into the password checking sequence.

This server can be the LDAP server for the rest of the organization, the single sign on center as it were.

The other machines can be LDAP integrated in. This way you don't need any special programming.

Just throwing the idea as a way to get the job done quickly. The price for Linux is certainly right.

SEP
David Burgess
Esteemed Contributor

Re: Scripting CRACK on new passwords

A word of warning when running crack. Make sure that your management are happy with you cracking users' passwords. I've known it to be a security violation, making it a sackable offence. Although your intention is good, don't get caught out!

Regards,

Dave.
Tim Maletic
Valued Contributor

Re: Scripting CRACK on new passwords

cracklib via pam is the way to go, but failing that, your process looks doable. But time shouldn't be a factor, since your process should have access to the actual password. (That's one reason why cracklib is so fast -- it doesn't have to waste any time on hashing functions.)
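Both Sri's policy rules and Tim's point (the forced-change wrapper sees the candidate password in the clear, so no hashing or cracking is needed) can be put into a local check that the dummy .profile calls before accepting a password. This is an added example, not code from the thread; the minimum length, the rule set and the word list are assumptions, not HP-UX defaults.

```sh
#!/bin/sh
# Added example: local password-policy check for a forced-change wrapper.
# Rules follow Sri's post (length, upper, lower, digit, special) plus a
# cracklib-style dictionary check on the candidate itself (Tim's point).
MIN_LEN=8                                   # assumed threshold
WORDS="password welcome letmein hpux secret" # constructed sample word list

# reject_reason PASSWORD: prints the first rule violated and returns 1,
# or prints nothing and returns 0 when the candidate is acceptable.
reject_reason() {
    pw=$1
    [ "${#pw}" -ge "$MIN_LEN" ] || { echo "shorter than $MIN_LEN"; return 1; }
    case $pw in *[A-Z]*) ;; *) echo "no uppercase letter"; return 1;; esac
    case $pw in *[a-z]*) ;; *) echo "no lowercase letter"; return 1;; esac
    case $pw in *[0-9]*) ;; *) echo "no digit"; return 1;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) echo "no special character"; return 1;; esac
    # Dictionary check: drop digits/punctuation, lowercase, compare the
    # stem and its reversal against the word list.
    stem=$(printf '%s' "$pw" | tr -d '0-9[:punct:]' | tr 'A-Z' 'a-z')
    rev=$(printf '%s' "$stem" |
          awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }')
    for w in $WORDS; do
        if [ "$stem" = "$w" ] || [ "$rev" = "$w" ]; then
            echo "based on dictionary word '$w'"; return 1
        fi
    done
    return 0
}

# password_ok PASSWORD: exit status only, for use in the wrapper's loop.
password_ok() { reject_reason "$1" >/dev/null; }

# prompt_until_ok: the poster's step D, keep asking until a candidate passes.
# Reads from stdin (so it can be driven non-interactively) and leaves the
# accepted value in NEW_PW for the caller to hand to passwd.
prompt_until_ok() {
    while :; do
        printf 'New password: ' >&2
        IFS= read -r cand || return 1
        if why=$(reject_reason "$cand"); then NEW_PW=$cand; return 0; fi
        printf 'Rejected: %s\n' "$why" >&2
    done
}
```

In the wrapper, `prompt_until_ok` would run with the terminal's echo turned off (`stty -echo`) before the original .profile is restored.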
Jeff Schussele
Honored Contributor

Re: Scripting CRACK on new passwords

Hi Bobby,

I've *never* been a fan of running Crack or John the Ripper, etc. on "live" systems and as pointed out if you must - you *better* have *written* mgmnt approval as *high* as you can go. I'd much rather collect the data & run it offline & then disable/enable accounts as needed.

BUT...I think you'd be much better off to convert to trusted & use the /etc/default/security file to force hardened PW as Sri points out. Then you *don't* have to mess around with crack scripts.

My $0.02,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Steven Sim Kok Leong
Honored Contributor

Re: Scripting CRACK on new passwords

Hi,

I agree with Jeff. However, if your security policy mandates the requirement to perform password auditing or the audit unit needs to perform such a requirement, then you will need to have that in place.

I find john the ripper easy to use on Linux, though I have never attempted it on HP-UX. A little research will probably tell whether it integrates with TCB seamlessly or not.

If your system was never trusted, don't get the shock of your life when you find many accounts with passwords equivalent to the userid.

Hope this helps. Regards.

Steven Sim Kok Leong
TheJuiceman
Super Advisor

Re: Scripting CRACK on new passwords

Thanks to all of you for the help. I will definitely try your suggestions before going with Crack. Sorry it took so long to respond.

Bobby