Operating System - HP-UX
1834038 Members
2719 Online
110063 Solutions
New Discussion

Trusted system and password check

 
SOLVED
Go to solution
Bolek Mynarski
Frequent Advisor

Trusted system and password check

Hello everyone,

I am in the process of conversion to "Trusted mode" of all our systems. In the process, we came across a system which uses an application that needs to verify that the logged in user is really who s/he is by re-authenticating him/her.

It's done by a simple C program which was written by somebody back in 1997. It simply encrypts a password passed by the user and checks it aginst the encyrpted password entry in the password file (running in "non trusted" mode).

I cannot code in C (although it is on my to-do list to start learning it) and of course, I am going out on a limb here posting this piece of code to the group in hope that maybe there is a simple solution that can be used to modify it. Here it is:

#include
#include
#include
#include


main(argc,argv)
int argc;
char *argv[];
{
char block[4],*p;
int edflag,flag;
struct passwd *ptr;

p=(char *)getlogin();

/* find entry in passwd file */
ptr = getpwnam(p);


/* build key */
block[0] = ptr->pw_passwd[0];
block[1] = ptr->pw_passwd[1];
block[2] = '\0';

/* create password */
p=crypt(argv[1],block);

/* Compare created and entered passwords */
if((strcmp(p,ptr->pw_passwd)) == 0)
printf("y");
else printf("n");

}

I can write (very efficiently) shell scripts or I can use PERL if needed. However, if the above code could be easily adjusted to be used in a trusted mode, that would be the most preferable solution.

Is there an easy way to "fix" it? If the solution can be provided, I will be enormously grateful. However, if a nudge in the right direction is given to solve this, I would be thankful too.

Any comments would be greatly appreciated.

Thanks.
It'snever too late to learn new things...
15 REPLIES 15
Massimo Bianchi
Honored Contributor

Re: Trusted system and password check

Hi,
like you i'm totally ignorant in C, but doing a man getpwnam it looks like the argument returned is a pointer to a password, so it may already work.

Did you try the piece of sortware, recompiled on a trusted server ?

All these call look like standard call, not custom, so they should work.

HTH,
Massimo
Massimo Bianchi
Honored Contributor

Re: Trusted system and password check

Hi, check also this:

SECURITY FEATURES
If the system has been converted to a trusted system, the password,
audit ID, and audit flag are not returned. The password will be the
default * that is in /etc/passwd and the audit ID and audit flag will
be set to -1. On trusted systems, if it is not necessary to obtain
information from the regular password file, /etc/passwd, users should
use getprpwent() to access the protected password database. See
getprpwent(3) and getspwent(3X).

putpwent() affects only /etc/passwd; the audit ID and audit flag in
the password structure are ignored. putprpwnam() must be used to
modify the protected password databse entries. See getprpwent(3).


always from "man getpwnam"

Massimo
Donny Jekels
Respected Contributor

Re: Trusted system and password check

#include

only knows how to read the /etc/passwd file.

find a handle that can read the file in the tcb direcotry.

will check and get back to you later in the day.
"Vision, is the art of seeing the invisible"
Darren Prior
Honored Contributor

Re: Trusted system and password check

In addition to Massimo's info, I believe that you will need to use bigcrypt(3c) rather than crypt(3c) to encrypt the plaintext.

regards,

Darren.
Calm down. It's only ones and zeros...
Bolek Mynarski
Frequent Advisor

Re: Trusted system and password check

O.K. thanks to the previous respondents, getprpwent would be responsible for getting a password from trusted database.

Looking at the man page, it refers to three other C headers:
#include
#include
#include

I assume that they are supposed to be included in the srouce so one can call the password from tcb database.

Would anybody provide a "functional" example how to do this?

Thanks.
It'snever too late to learn new things...
Michael Steele_2
Honored Contributor

Re: Trusted system and password check

The author of the 'C' program is using a link list as you would use an array to test two variables in a script, so for:

if((strcmp(p,ptr->pw_passwd)) == 0)

... you would read as..

if (( strcmp( ARRAY[0], ARRAY[1] )) == 0)

-or-

if (( strcmp( var1, var2 )) == 0)

...where the comma ',' is the delimiter and '0' is the return value of a successful or positive test. Non-zero is a failed test.

http://www.rt.com/man/strcmp.3.html

He also captures the entered password using this line:

main(argc,argv)

Where 'argc' returns the number of parameters on the command line and 'argv' returns the values of the parameters. arg[0] is the program name, arg[1] is the password:

http://www.ese-metz.fr/metz/recherche_et_developpement/parcel/manuel/node125.html

http://www.basis-canada.com/onlinedocs/documentation/commands/argv_function.htm

Check within /etc/profile to see where this program is being called and substitute it with your perl script. Use 'set -xv' in /etc/profile to debug. (* The default /etc/profile can be found in /usr/newconfig/etc/profile *)
Support Fatherhood - Stop Family Law
Sridhar Bhaskarla
Honored Contributor

Re: Trusted system and password check

Hi,

I can suggest a solution using a shell script to achieve what you are trying to do.

You can generate the encrypted password using the command "/usr/lib/makekey". Use the first two letters of the encrypted password as salt. For ex.,

Encrypted password for the password "Pass1234" in /tcb/files/auth/user is "oK3.ZEnf.GJZc". Here "oK" is the salt. If you run

echo "Pass1234oK" |/usr/lib/makekey

You should get oK3.ZEnf.GJZc. So your scripts would be

1. Ask the user to prompt the password
2. Get the encrypted password from /tcb/files/auth/firstletter_of_the_user/user
3. Run makekey on the user's password (in 1) with salt as the first two letters of the encrypted password (in 2)
4. Compare the result (in 3) with the encrypted password (in 2)

Look at man makekey for more details.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Bolek Mynarski
Frequent Advisor

Re: Trusted system and password check

Hi Sridhar,

I almost thought I had a solution. It seems that this would work for "non-trusted" systems. That's great! However, in a trusted environment it seems that the encrypted password string is much longer than the one makekey generates. It's too bad because I was so excited to just re-write that c code in shell.

It's getting warm, though. Thanks.
It'snever too late to learn new things...
Sridhar Bhaskarla
Honored Contributor

Re: Trusted system and password check

Hi,

No. It works. The example I gave is from the trusted system only.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Darren Prior
Honored Contributor

Re: Trusted system and password check

I think that's because makekey uses crypt - whereas for trusted systems you need to use bigcrypt.

regards,

Darren.
Calm down. It's only ones and zeros...
Bolek Mynarski
Frequent Advisor

Re: Trusted system and password check

Hi Sridhar,

makekey works for me if the system is not trusted. However, in a trusted system the key generated is too short. For example, I have a password which is encrypted to:

1zx90gShZ8tVksYtZhGnik9c

In this case, it's password1_

I run echo "password1_1z" | /usr/lib/makekey, I am getting:

1_rYl2/nnZcvo

which is quite a different string from the one above. Again, it works for me if the system is not trusted....

The system I'm on is HP-UX 11.00.
It'snever too late to learn new things...
Sridhar Bhaskarla
Honored Contributor

Re: Trusted system and password check

Hi,

I need to back out a bit. The first 8 chars are only significant and the later two are used as salt. In your example,

you will need to use

echo "password1z" |/usr/lib/makekey

1zx90gShZ8tVk

The first 13 chars of the encrypted password.

Yes I agree if the two users have password1 and password2 respectively, then you cannot find it out.

bigcrypt may be the solution but I still have to play with it.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
Sridhar Bhaskarla
Honored Contributor

Re: Trusted system and password check

Hi,

Compile this program and see if it works. I changed the structure to protected password structure and used bigcrypt.

#include
#include
#include
#include
#include


main(argc,argv)
int argc;
char *argv[];
{
char block[4],*p;
int edflag,flag;
struct pr_passwd *ptr;

p=(char *)getlogin();

/* find entry in passwd file */
ptr = getprpwnam(p);


/* build key */
block[0] = ptr->ufld.fd_encrypt[0];
block[1] = ptr->ufld.fd_encrypt[1];
block[2] = '\0';

/* create password */
p=bigcrypt(argv[1],block);


/* Compare created and entered passwords */
if((strcmp(p,ptr->ufld.fd_encrypt)) == 0)
{
printf("y");
/* Take out this print statement once you are satisfied */
printf("encrypt is %s",ptr->ufld.fd_encrypt);
printf("p is %s",p);
/*until here */
}
else printf("n");

}


-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Sridhar Bhaskarla
Honored Contributor
Solution

Re: Trusted system and password check

Hi,

While driving home, I remembered couple of things -

Though the above program works, it will not work for ordinary users as they cannot access the protected database. To test it, login as an ordinary user and su to root and execute this program. Your getlogin will return the login name of the user su'ed to root. Use the password as the argument.

So, to fit to your needs, you may need to give it a setuid bit as root. It's dependent on your site policies.

Also, you will need to compile it with "-lsec" option in case if you do not know it.

Hope it helps.

-Sri





You may be disappointed if you fail, but you are doomed if you don't try
Bolek Mynarski
Frequent Advisor

Re: Trusted system and password check

Hi Sri,

It compiles and it works almost the way it's supposed to. :-) Many, many thanks. The encrypted password, however that this program generate is not the same as the one I see in my /tcb database. I think it might have to do with the "sault".

You cannot imagine, however, how much I appreciate your revision to the original program.

As I mentioned, picking up C was on my "to-do" list so now would be the time to hit a book store!
It'snever too late to learn new things...