Trusted system and password check

Bolek Mynarski · ‎06-09-2003

Hello everyone,

I am in the process of conversion to "Trusted mode" of all our systems. In the process, we came across a system which uses an application that needs to verify that the logged in user is really who s/he is by re-authenticating him/her.

It's done by a simple C program which was written by somebody back in 1997. It simply encrypts a password passed by the user and checks it aginst the encyrpted password entry in the password file (running in "non trusted" mode).

I cannot code in C (although it is on my to-do list to start learning it) and of course, I am going out on a limb here posting this piece of code to the group in hope that maybe there is a simple solution that can be used to modify it. Here it is:

#include
#include
#include
#include

main(argc,argv)
int argc;
char *argv[];
{
char block[4],*p;
int edflag,flag;
struct passwd *ptr;

p=(char *)getlogin();

/* find entry in passwd file */
ptr = getpwnam(p);

/* build key */
block[0] = ptr->pw_passwd[0];
block[1] = ptr->pw_passwd[1];
block[2] = '\0';

/* create password */
p=crypt(argv[1],block);

/* Compare created and entered passwords */
if((strcmp(p,ptr->pw_passwd)) == 0)
printf("y");
else printf("n");

}

I can write (very efficiently) shell scripts or I can use PERL if needed. However, if the above code could be easily adjusted to be used in a trusted mode, that would be the most preferable solution.

Is there an easy way to "fix" it? If the solution can be provided, I will be enormously grateful. However, if a nudge in the right direction is given to solve this, I would be thankful too.

Any comments would be greatly appreciated.

Thanks.

It'snever too late to learn new things...

Massimo Bianchi · ‎06-09-2003

Hi,
like you i'm totally ignorant in C, but doing a man getpwnam it looks like the argument returned is a pointer to a password, so it may already work.

Did you try the piece of sortware, recompiled on a trusted server ?

All these call look like standard call, not custom, so they should work.

HTH,
Massimo

Massimo Bianchi · ‎06-09-2003

Hi, check also this:

SECURITY FEATURES
If the system has been converted to a trusted system, the password,
audit ID, and audit flag are not returned. The password will be the
default * that is in /etc/passwd and the audit ID and audit flag will
be set to -1. On trusted systems, if it is not necessary to obtain
information from the regular password file, /etc/passwd, users should
use getprpwent() to access the protected password database. See
getprpwent(3) and getspwent(3X).

putpwent() affects only /etc/passwd; the audit ID and audit flag in
the password structure are ignored. putprpwnam() must be used to
modify the protected password databse entries. See getprpwent(3).

always from "man getpwnam"

Massimo

Donny Jekels · ‎06-09-2003

#include

only knows how to read the /etc/passwd file.

find a handle that can read the file in the tcb direcotry.

will check and get back to you later in the day.

"Vision, is the art of seeing the invisible"

Darren Prior · ‎06-09-2003

In addition to Massimo's info, I believe that you will need to use bigcrypt(3c) rather than crypt(3c) to encrypt the plaintext.

regards,

Darren.

Calm down. It's only ones and zeros...

Bolek Mynarski · ‎06-09-2003

O.K. thanks to the previous respondents, getprpwent would be responsible for getting a password from trusted database.

Looking at the man page, it refers to three other C headers:
#include
#include
#include

I assume that they are supposed to be included in the srouce so one can call the password from tcb database.

Would anybody provide a "functional" example how to do this?

Thanks.

It'snever too late to learn new things...

Michael Steele_2 · ‎06-09-2003

The author of the 'C' program is using a link list as you would use an array to test two variables in a script, so for:

if((strcmp(p,ptr->pw_passwd)) == 0)

... you would read as..

if (( strcmp( ARRAY[0], ARRAY[1] )) == 0)

-or-

if (( strcmp( var1, var2 )) == 0)

...where the comma ',' is the delimiter and '0' is the return value of a successful or positive test. Non-zero is a failed test.

http://www.rt.com/man/strcmp.3.html

He also captures the entered password using this line:

main(argc,argv)

Where 'argc' returns the number of parameters on the command line and 'argv' returns the values of the parameters. arg[0] is the program name, arg[1] is the password:

http://www.ese-metz.fr/metz/recherche_et_developpement/parcel/manuel/node125.html

http://www.basis-canada.com/onlinedocs/documentation/commands/argv_function.htm

Check within /etc/profile to see where this program is being called and substitute it with your perl script. Use 'set -xv' in /etc/profile to debug. (* The default /etc/profile can be found in /usr/newconfig/etc/profile *)

Support Fatherhood - Stop Family Law

Sridhar Bhaskarla · ‎06-09-2003

Hi,

I can suggest a solution using a shell script to achieve what you are trying to do.

You can generate the encrypted password using the command "/usr/lib/makekey". Use the first two letters of the encrypted password as salt. For ex.,

Encrypted password for the password "Pass1234" in /tcb/files/auth/user is "oK3.ZEnf.GJZc". Here "oK" is the salt. If you run

echo "Pass1234oK" |/usr/lib/makekey

You should get oK3.ZEnf.GJZc. So your scripts would be

1. Ask the user to prompt the password
2. Get the encrypted password from /tcb/files/auth/firstletter_of_the_user/user
3. Run makekey on the user's password (in 1) with salt as the first two letters of the encrypted password (in 2)
4. Compare the result (in 3) with the encrypted password (in 2)

Look at man makekey for more details.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try

Bolek Mynarski · ‎06-09-2003

Hi Sridhar,

I almost thought I had a solution. It seems that this would work for "non-trusted" systems. That's great! However, in a trusted environment it seems that the encrypted password string is much longer than the one makekey generates. It's too bad because I was so excited to just re-write that c code in shell.

It's getting warm, though. Thanks.

It'snever too late to learn new things...

Sridhar Bhaskarla · ‎06-09-2003

Hi,

No. It works. The example I gave is from the trusted system only.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try

Darren Prior · ‎06-09-2003

I think that's because makekey uses crypt - whereas for trusted systems you need to use bigcrypt.

regards,

Darren.

Calm down. It's only ones and zeros...

Bolek Mynarski · ‎06-09-2003

Hi Sridhar,

makekey works for me if the system is not trusted. However, in a trusted system the key generated is too short. For example, I have a password which is encrypted to:

1zx90gShZ8tVksYtZhGnik9c

In this case, it's password1_

I run echo "password1_1z" | /usr/lib/makekey, I am getting:

1_rYl2/nnZcvo

which is quite a different string from the one above. Again, it works for me if the system is not trusted....

The system I'm on is HP-UX 11.00.

It'snever too late to learn new things...

Sridhar Bhaskarla · ‎06-09-2003

Hi,

I need to back out a bit. The first 8 chars are only significant and the later two are used as salt. In your example,

you will need to use

echo "password1z" |/usr/lib/makekey

1zx90gShZ8tVk

The first 13 chars of the encrypted password.

Yes I agree if the two users have password1 and password2 respectively, then you cannot find it out.

bigcrypt may be the solution but I still have to play with it.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try

Sridhar Bhaskarla · ‎06-09-2003

Hi,

Compile this program and see if it works. I changed the structure to protected password structure and used bigcrypt.

#include
#include
#include
#include
#include

main(argc,argv)
int argc;
char *argv[];
{
char block[4],*p;
int edflag,flag;
struct pr_passwd *ptr;

p=(char *)getlogin();

/* find entry in passwd file */
ptr = getprpwnam(p);

/* build key */
block[0] = ptr->ufld.fd_encrypt[0];
block[1] = ptr->ufld.fd_encrypt[1];
block[2] = '\0';

/* create password */
p=bigcrypt(argv[1],block);

/* Compare created and entered passwords */
if((strcmp(p,ptr->ufld.fd_encrypt)) == 0)
{
printf("y");
/* Take out this print statement once you are satisfied */
printf("encrypt is %s",ptr->ufld.fd_encrypt);
printf("p is %s",p);
/*until here */
}
else printf("n");

}

-Sri

You may be disappointed if you fail, but you are doomed if you don't try

Sridhar Bhaskarla · ‎06-09-2003

Hi,

While driving home, I remembered couple of things -

Though the above program works, it will not work for ordinary users as they cannot access the protected database. To test it, login as an ordinary user and su to root and execute this program. Your getlogin will return the login name of the user su'ed to root. Use the password as the argument.

So, to fit to your needs, you may need to give it a setuid bit as root. It's dependent on your site policies.

Also, you will need to compile it with "-lsec" option in case if you do not know it.

Hope it helps.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try

Bolek Mynarski · ‎06-10-2003

Hi Sri,

It compiles and it works almost the way it's supposed to. :-) Many, many thanks. The encrypted password, however that this program generate is not the same as the one I see in my /tcb database. I think it might have to do with the "sault".

You cannot imagine, however, how much I appreciate your revision to the original program.

As I mentioned, picking up C was on my "to-do" list so now would be the time to hit a book store!

It'snever too late to learn new things...

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Trusted system and password check

Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check

Re: Trusted system and password check