Operating System - HP-UX

Re: login() password problems

 
SOLVED
David Bonham_1
Advisor

login() password problems

I've got my HP 11i box authenticating users against Active Directory using Kerberos. No problems except when someone uses an at symbol ( @ ) in their password. login refuses to allow them on the system. It just acts as if a wrong password was entered.

So, I turned off Kerberos authentication and created a user in /etc/passwd (via sam) and changed the user's password to contain an @ symbol. I still couldn't login until I changed the user's password and removed the at symbol. su works just fine with the at symbol in the password.

Does anyone know of a patch for login, or am I just stuck telling users they can't use the @ symbol in their passwords? Usually only the geeks do anyway.

Thanks
>/dev/null
Steven E. Protter
Exalted Contributor

Re: login() password problems

This is probably an OS hiccup. The OS doesn't like passwords with special characters.

Since supposedly you are using Kerberos, the rules that SHOULD apply are those rules, which I don't know.

Fast practical solution is the one you proposed. Tell the users no funny characters. We don't need no stinking special characters anyway. Right? Forgive my humor.

The only thing I don't like is this may be the symptom of other problems. I'd see if that Kerberos implementation is working properly.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Mel Burslan
Honored Contributor

Re: login() password problems

In my experience the @ character in either login name or password means erase whatever I typed so far and start from scratch. This is especially a useful feature when you know that you made a typo in password or username and you know that backspace will not work as backspace you know while typing your username and password. Especially if you are at your last chance to type the correct password before the trusted system locks you out until the sysadmin or the help desk comes to work.

Example
Let's assume your username is "typesbad" and password is "fatfingr"

Login: typesbad
Password: fatfib@fatding@fatfingr (although hidden let's assume this is what you typed)

This combination will log you in.

If you did not have the misfortune of working with Virtual Vault which locks you real good after 3 hard tries, you can not imagine what a god sent character is that @ sign. It may be something related to the login process and can be changed but even if this is the case I do not know how.

Hope this helps clear why.
________________________________
UNIX because I majored in cryptology...
Kiran Kumar M
Advisor

Re: login() password problems

This is not a problem with Kerberos, you can use @ in your password. It's more a login issue, as Mel pointed out.

Try escaping the '@' with a '\'; this should work. You could also set the erase to some other character in your .profile, that way you can still use '@' in your password, without the need for it to be escaped with '\'.
Sundar_7
Honored Contributor

Re: login() password problems

The problem here is that the @ symbol is interpreted as a special control character by the terminal.

# stty -a < /dev/ttyconf

Try this and see if "kill" is assigned to @ symbol.

If yes then change this to something else

# stty kill ^X < /dev/ttyconf > /dev/ttyconf

Try now. Alternative way is to include a backslash before the @ symbol to "escape" the special character.

If the user password is user@123 then enter the password as user\@123.
Learn What to do ,How to do and more importantly When to do ?
Bharat Katkar
Honored Contributor

Re: login() password problems

Hi there,
I would rather suggest not to use the @ sign because it has some other purpose to serve.
In case you write a wrong user name or password by mistake, instead of waiting for another login prompt you can correct your mistakes by typing @ and then writing the login name or password again.

For example, I am logging in as root and typed t twice at the end; I am still able to correct myself using the @ sign, and by then typing root correctly I can still proceed with login. @ will nullify the previous characters.

login:roott@root
password:

#

The other workaround is already suggested, that is, by using the escape character.

Hope this helps.
Regards,
You need to know a lot to actually know how little you know
David Bonham_1
Advisor

Re: login() password problems

Thank you all for your comments. Now that I see the purpose of the @ sign I will tell users to avoid it. I might also just enable SIS (secure internet services) to avoid the logon prompt altogether.

Also of note is that you can't use a # sign in your password either.

Thanks again.

>/dev/null
Rodney Hills
Honored Contributor
Solution

Re: login() password problems

"#" is the backspace key.

As mentioned above, a simple fix is to use "stty kill ^u erase ^h".
HTH

-- Rod Hills
There be dragons...
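The line editing described in the replies above, as an added example that is not part of any post: a simplified model of what the tty driver hands to login when erase is # and kill is @, compared with the ^H/^U assignment. The function names are hypothetical, and the handling of a backslash before erase or kill follows the user\@123 advice given earlier in the thread.

```python
"""Simplified model of canonical-mode line editing at the login prompt.
Only ERASE, KILL and the backslash escape are modelled (assumption: the
driver drops a backslash that directly precedes ERASE or KILL)."""

HPUX_DEFAULTS = {"erase": "#", "kill": "@"}      # values quoted in this thread
REASSIGNED = {"erase": "\x08", "kill": "\x15"}   # ^H and ^U

def cook_line(typed, erase, kill):
    """Return what the reading program receives for the keys in `typed`."""
    buf = []
    for ch in typed:
        if ch in (erase, kill) and buf and buf[-1] == "\\":
            buf[-1] = ch      # escaped: delivered literally, backslash dropped
        elif ch == erase:
            if buf:
                buf.pop()     # remove previous character, never past line start
        elif ch == kill:
            buf.clear()       # discard everything typed so far
        else:
            buf.append(ch)
    return "".join(buf)

def password_survives(password, erase, kill):
    """True if typing `password` verbatim delivers it unchanged."""
    return cook_line(password, erase, kill) == password

def report(passwords, settings):
    """(typed, delivered) pairs for every input the driver alters."""
    return [(p, cook_line(p, **settings)) for p in passwords
            if not password_survives(p, **settings)]

if __name__ == "__main__":
    # Inputs taken from the thread, plus one constructed case ("pa#ss").
    typed = ["fatfib@fatding@fatfingr", "roott@root", "user@123",
             "user\\@123", "pa#ss"]
    for label, settings in (("defaults", HPUX_DEFAULTS),
                            ("reassigned", REASSIGNED)):
        print(label, report(typed, settings))
```

With the default bindings a password containing @ or # never reaches the authentication code as typed, which is why it looks like a wrong password rather than an error.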
David Bonham_1
Advisor

Re: login() password problems

Thanks Ron.

man stty gave me more enlightenment regarding this. I will probably change it then! THANKS!


# stty -a < /dev/ttyconf
min = 4; time = 0;
intr = DEL; quit = ^\; erase = #; kill = @
eof = ^D; eol = ^@; eol2 ; swtch
stop = ^S; start = ^Q; susp ; dsusp
werase ; lnext



>/dev/null
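A check over output of this kind, as an added example that is not part of the original post: it parses `stty -a` text and reports which special-character slots are bound to a printable character, since those are the characters that cannot be typed in a password at the login prompt. The function names are hypothetical and the sample text is constructed; its `<undef>` values are an assumption for slots with no binding.

```python
import re

# Constructed sample shaped like `stty -a < /dev/ttyconf` output.
SAMPLE = """\
min = 4; time = 0;
intr = DEL; quit = ^\\; erase = #; kill = @
eof = ^D; eol = ^@; eol2 <undef>; swtch <undef>
"""

# Slot names as they appear in the stty output quoted in the post above.
SPECIAL_SLOTS = {"intr", "quit", "erase", "kill", "eof", "eol", "eol2",
                 "swtch", "stop", "start", "susp", "dsusp", "werase", "lnext"}

def parse_special_chars(stty_output):
    """Map each special-character slot to its value, e.g. {'kill': '@'}."""
    slots = {}
    for field in re.split(r"[;\n]", stty_output):
        # "name = value" or "name value"; a name with no value is skipped.
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(\S+)\s*$", field)
        if m and m.group(1) in SPECIAL_SLOTS:
            slots[m.group(1)] = m.group(2)
    return slots

def printable_bindings(slots):
    """Slots bound to one printable character. Control characters are shown
    in caret notation (^H) or by name (DEL) and are therefore longer."""
    return {name: val for name, val in slots.items()
            if len(val) == 1 and val.isprintable() and not val.isspace()}

if __name__ == "__main__":
    found = printable_bindings(parse_special_chars(SAMPLE))
    for name, char in sorted(found.items()):
        print(f"{name} is bound to {char!r}: unusable in passwords at login")
```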
Bill Hassell
Honored Contributor

Re: login() password problems

While stty will fix the problem AFTER you login, you must use the ttyconf device file to preset all tty devices so that login works the same way. The default for login is to use the driver defaults and # is a backspace, and @ is a line-kill. There are a couple of ways to solve this:

- Tell users that they are authenticating across many different platforms and each one has its own rules about passwords, filenames, directory names, etc. As a result, they must choose from the lowest common denominator for password rules. One system may accept # and @ but another may not. Or one system likes spaces and punctuation but another does not. One system can handle \{}[]*#? in filenames but another either cannot handle them or must escape them. Since this is so easy to remember, just summarize all the rules for all the systems and the users will be happy.

- Or tell the users to use alphanumerics only.

- For HP-UX, you can enable # and @ (using ttyconf) characters but users will probably get confused when they try to copy a file with # in it.


Bill Hassell, sysadmin
David Bonham_1
Advisor

Re: login() password problems

I got it! Thank you, especially Sundar!

The correct syntax was:

stty erase ^H < /dev/ttyconf
stty intr ^C < /dev/ttyconf

Perfect! Now I can use both @ and # in passwords. Thanks!
Gord Moore
Frequent Advisor

Re: login() password problems

So, would this be a list of special characters
that users should NOT include in passwords:
# because it means kill
@ because it means interrupt
& because it means erase line
\ because it means "escape"

Any others?
Bill Hassell
Honored Contributor

Re: login() password problems

The list of special characters for login is defined by the driver defaults. These default values are listed in the man page termio (close to line 300: Special Characters).

The termio list is lengthy but the most common are # (erase previous character) and @ (cancel current line). & is not defined as anything special and does not erase the line. \ is not special either. It means escape the next character but only to a shell (unless ICANON was set with /dev/ttyconf). Remember that login has nothing to do with a shell prompt. login and password occur completely outside the environment setup in a shell...or more accurately, the shell sets up its own environment after login with /etc/profile where stty is used to change the driver defaults.

As mentioned, the special device file /dev/ttyconf was created to allow changing the driver defaults before login. As to which characters to avoid, you have to decide whether to reassign the defaults. If so, then # and @ are fine to use...unless of course you are using passwords across many different operating systems. You must check with each one as to reserved characters.

Once logged on, special characters are now defined by the shell and may be different for different shells and of course, the user may change these in a local .profile or simply use the stty command. Again, all the shell features occur long after login/password have been handled.


Bill Hassell, sysadmin