- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Trusted system and password check
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 04:37 AM
06-09-2003 04:37 AM
I am in the process of conversion to "Trusted mode" of all our systems. In the process, we came across a system which uses an application that needs to verify that the logged in user is really who s/he is by re-authenticating him/her.
It's done by a simple C program which was written by somebody back in 1997. It simply encrypts a password passed by the user and checks it aginst the encyrpted password entry in the password file (running in "non trusted" mode).
I cannot code in C (although it is on my to-do list to start learning it) and of course, I am going out on a limb here posting this piece of code to the group in hope that maybe there is a simple solution that can be used to modify it. Here it is:
#include
#include
#include
#include
main(argc,argv)
int argc;
char *argv[];
{
char block[4],*p;
int edflag,flag;
struct passwd *ptr;
p=(char *)getlogin();
/* find entry in passwd file */
ptr = getpwnam(p);
/* build key */
block[0] = ptr->pw_passwd[0];
block[1] = ptr->pw_passwd[1];
block[2] = '\0';
/* create password */
p=crypt(argv[1],block);
/* Compare created and entered passwords */
if((strcmp(p,ptr->pw_passwd)) == 0)
printf("y");
else printf("n");
}
I can write (very efficiently) shell scripts or I can use PERL if needed. However, if the above code could be easily adjusted to be used in a trusted mode, that would be the most preferable solution.
Is there an easy way to "fix" it? If the solution can be provided, I will be enormously grateful. However, if a nudge in the right direction is given to solve this, I would be thankful too.
Any comments would be greatly appreciated.
Thanks.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 04:58 AM
06-09-2003 04:58 AM
Re: Trusted system and password check
like you i'm totally ignorant in C, but doing a man getpwnam it looks like the argument returned is a pointer to a password, so it may already work.
Did you try the piece of sortware, recompiled on a trusted server ?
All these call look like standard call, not custom, so they should work.
HTH,
Massimo
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 05:03 AM
06-09-2003 05:03 AM
Re: Trusted system and password check
SECURITY FEATURES
If the system has been converted to a trusted system, the password,
audit ID, and audit flag are not returned. The password will be the
default * that is in /etc/passwd and the audit ID and audit flag will
be set to -1. On trusted systems, if it is not necessary to obtain
information from the regular password file, /etc/passwd, users should
use getprpwent() to access the protected password database. See
getprpwent(3) and getspwent(3X).
putpwent() affects only /etc/passwd; the audit ID and audit flag in
the password structure are ignored. putprpwnam() must be used to
modify the protected password databse entries. See getprpwent(3).
always from "man getpwnam"
Massimo
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 05:26 AM
06-09-2003 05:26 AM
Re: Trusted system and password check
only knows how to read the /etc/passwd file.
find a handle that can read the file in the tcb direcotry.
will check and get back to you later in the day.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 05:28 AM
06-09-2003 05:28 AM
Re: Trusted system and password check
regards,
Darren.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 05:57 AM
06-09-2003 05:57 AM
Re: Trusted system and password check
Looking at the man page, it refers to three other C headers:
#include
#include
#include
I assume that they are supposed to be included in the srouce so one can call the password from tcb database.
Would anybody provide a "functional" example how to do this?
Thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 05:57 AM
06-09-2003 05:57 AM
Re: Trusted system and password check
if((strcmp(p,ptr->pw_passwd)) == 0)
... you would read as..
if (( strcmp( ARRAY[0], ARRAY[1] )) == 0)
-or-
if (( strcmp( var1, var2 )) == 0)
...where the comma ',' is the delimiter and '0' is the return value of a successful or positive test. Non-zero is a failed test.
http://www.rt.com/man/strcmp.3.html
He also captures the entered password using this line:
main(argc,argv)
Where 'argc' returns the number of parameters on the command line and 'argv' returns the values of the parameters. arg[0] is the program name, arg[1] is the password:
http://www.ese-metz.fr/metz/recherche_et_developpement/parcel/manuel/node125.html
http://www.basis-canada.com/onlinedocs/documentation/commands/argv_function.htm
Check within /etc/profile to see where this program is being called and substitute it with your perl script. Use 'set -xv' in /etc/profile to debug. (* The default /etc/profile can be found in /usr/newconfig/etc/profile *)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 07:02 AM
06-09-2003 07:02 AM
Re: Trusted system and password check
I can suggest a solution using a shell script to achieve what you are trying to do.
You can generate the encrypted password using the command "/usr/lib/makekey". Use the first two letters of the encrypted password as salt. For ex.,
Encrypted password for the password "Pass1234" in /tcb/files/auth/user is "oK3.ZEnf.GJZc". Here "oK" is the salt. If you run
echo "Pass1234oK" |/usr/lib/makekey
You should get oK3.ZEnf.GJZc. So your scripts would be
1. Ask the user to prompt the password
2. Get the encrypted password from /tcb/files/auth/firstletter_of_the_user/user
3. Run makekey on the user's password (in 1) with salt as the first two letters of the encrypted password (in 2)
4. Compare the result (in 3) with the encrypted password (in 2)
Look at man makekey for more details.
-Sri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 08:09 AM
06-09-2003 08:09 AM
Re: Trusted system and password check
I almost thought I had a solution. It seems that this would work for "non-trusted" systems. That's great! However, in a trusted environment it seems that the encrypted password string is much longer than the one makekey generates. It's too bad because I was so excited to just re-write that c code in shell.
It's getting warm, though. Thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 08:22 AM
06-09-2003 08:22 AM
Re: Trusted system and password check
No. It works. The example I gave is from the trusted system only.
-Sri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 08:29 AM
06-09-2003 08:29 AM
Re: Trusted system and password check
regards,
Darren.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 08:31 AM
06-09-2003 08:31 AM
Re: Trusted system and password check
makekey works for me if the system is not trusted. However, in a trusted system the key generated is too short. For example, I have a password which is encrypted to:
1zx90gShZ8tVksYtZhGnik9c
In this case, it's password1_
I run echo "password1_1z" | /usr/lib/makekey, I am getting:
1_rYl2/nnZcvo
which is quite a different string from the one above. Again, it works for me if the system is not trusted....
The system I'm on is HP-UX 11.00.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 08:37 AM
06-09-2003 08:37 AM
Re: Trusted system and password check
I need to back out a bit. The first 8 chars are only significant and the later two are used as salt. In your example,
you will need to use
echo "password1z" |/usr/lib/makekey
1zx90gShZ8tVk
The first 13 chars of the encrypted password.
Yes I agree if the two users have password1 and password2 respectively, then you cannot find it out.
bigcrypt may be the solution but I still have to play with it.
-Sri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 03:59 PM
06-09-2003 03:59 PM
Re: Trusted system and password check
Compile this program and see if it works. I changed the structure to protected password structure and used bigcrypt.
#include
#include
#include
#include
#include
main(argc,argv)
int argc;
char *argv[];
{
char block[4],*p;
int edflag,flag;
struct pr_passwd *ptr;
p=(char *)getlogin();
/* find entry in passwd file */
ptr = getprpwnam(p);
/* build key */
block[0] = ptr->ufld.fd_encrypt[0];
block[1] = ptr->ufld.fd_encrypt[1];
block[2] = '\0';
/* create password */
p=bigcrypt(argv[1],block);
/* Compare created and entered passwords */
if((strcmp(p,ptr->ufld.fd_encrypt)) == 0)
{
printf("y");
/* Take out this print statement once you are satisfied */
printf("encrypt is %s",ptr->ufld.fd_encrypt);
printf("p is %s",p);
/*until here */
}
else printf("n");
}
-Sri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2003 04:38 PM
06-09-2003 04:38 PM
SolutionWhile driving home, I remembered couple of things -
Though the above program works, it will not work for ordinary users as they cannot access the protected database. To test it, login as an ordinary user and su to root and execute this program. Your getlogin will return the login name of the user su'ed to root. Use the password as the argument.
So, to fit to your needs, you may need to give it a setuid bit as root. It's dependent on your site policies.
Also, you will need to compile it with "-lsec" option in case if you do not know it.
Hope it helps.
-Sri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-10-2003 04:01 AM
06-10-2003 04:01 AM
Re: Trusted system and password check
It compiles and it works almost the way it's supposed to. :-) Many, many thanks. The encrypted password, however that this program generate is not the same as the one I see in my /tcb database. I think it might have to do with the "sault".
You cannot imagine, however, how much I appreciate your revision to the original program.
As I mentioned, picking up C was on my "to-do" list so now would be the time to hit a book store!