Re: Check for a blank root password - hpux 11.31
02-21-2012 04:54 AM
If a slack/careless administrator manages to set the root password to nothing/blank on an hpux 11.31 server is there a way to check this has happened? Even better would be a way to stop this happening (at the server level - though HP support have said this is not possible).
The /etc/shadow shows an encrypted password string for a blank password.
02-21-2012 07:21 AM
Solution
For a regular user, it would be possible to enforce a minimum password length; but for root, I think all such limitations only cause an extra warning to be displayed, but allow a short password to be set if root insists on it. This is because root has the ability to change or override all restrictions anyway: root could just as easily disable the length requirement, set the password to blank, then re-enable it.
Some login methods can be configured to disallow empty passwords on principle. SSH does so by default: unless /opt/ssh/etc/sshd_config includes an explicit "PermitEmptyPassword yes", all SSH login attempts with an empty password will be rejected, no matter what the user's password currently is.
It would certainly be possible to write a PAM module that disallows authentication if the password is blank. (For comparison, modern Linux PAM libraries behave this way by default, and require an explicit "nullok" option to allow logins with a null password to succeed.)
Checking for null root password is easy: attempt to login as root with a null password. If login is successful, you know the root password has been set to blank.
02-21-2012 12:05 PM
Actually, there is a very useful (but overlooked) utility for checking logins, and it is called logins. :-)
logins -p (show all user IDs with no password)
logins -d (show all duplicate user IDs)
It always returns zero so for scripting, you'll have to check for any output.
Bill Hassell, sysadmin
02-21-2012 04:08 PM - edited 02-22-2012 05:09 AM
I very much doubt "logins -p" performs a brute force attack to detect if a hashed password is a blank-equivalent. Most likely it just checks whether the password field in the appropriate file is empty or not.
(Edit: I tested with HP-UX 11.23 and 11.31 with shadow password support enabled. Even if you set a blank password with the "passwd" command, it will produce a hashed password string and thus it won't be detected by "logins -p". The "logins -p" will only list the users that have no password hash in the /etc/shadow file, just as I expected.)
But the original poster indicated this case won't benefit from a simple check like that:
> The /etc/shadow shows an encrypted password string for a blank password.
For example, if the system still uses the traditional crypt() for password hashes, all these (and more) hashes would be equivalent to just pressing Enter at the password prompt:
WK.y3g52YDwQs
DqOj9YVm9uHQI
rE2DZJ63upqXw
Tools like "logins -p" can only detect the non-existence of a password hash in the passwd/shadow file: detecting that an existing password hash is equivalent to a blank password is not implemented.
For example, if you use a separate program to generate a blank-equivalent password hash, and then install the already-encrypted hash with "usermod -p", you'll get a blank password that is not immediately detectable as one.
If you suspect that blank-equivalent or otherwise bad passwords are in use, "John the Ripper" is a useful tool for checking large numbers of password hashes quickly. See: http://www.openwall.com/john/
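The check that the post above says "logins -p" does not implement needs only one hash call per account: give crypt(3) an empty password with the stored hash as the salt argument, and compare the result with the stored hash. This is an added example, not code from the thread; it assumes Python with ctypes on the auditing host and a crypt(3) that supports the hash scheme in use, and the names `libc_crypt` and `blank_equivalent_accounts` are chosen here.

```python
import ctypes
import ctypes.util


def libc_crypt(password, setting):
    """Hash with the platform crypt(3); None if the scheme is unsupported."""
    name = ctypes.util.find_library("crypt") or ctypes.util.find_library("c")
    lib = ctypes.CDLL(name)
    lib.crypt.restype = ctypes.c_char_p
    lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    out = lib.crypt(password.encode(), setting.encode())
    return out.decode() if out else None


def blank_equivalent_accounts(lines, crypt_fn=libc_crypt):
    """Return (user, reason) for every passwd/shadow line that accepts ""."""
    findings = []
    for line in lines:
        fields = line.strip().split(":")
        # Skip blank lines, comments and NIS +/- compatibility entries.
        if len(fields) < 2 or fields[0][:1] in ("#", "+", "-"):
            continue
        # Traditional password aging appends ",xx" to the field; drop it.
        user, stored = fields[0], fields[1].split(",", 1)[0]
        if stored == "":
            findings.append((user, "empty field"))  # the case logins -p lists
        elif stored[0] in "*!" or stored == "x":
            continue  # locked account or shadow placeholder, nothing to test
        elif crypt_fn("", stored) == stored:
            # crypt(3) reads the salt from the stored hash itself, so one
            # call per account answers "is this the hash of nothing?".
            findings.append((user, "hash of empty password"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the first hash is quoted in the post above,
    # the other lines are made up for illustration.
    sample = [
        "root:WK.y3g52YDwQs:15391::::::",
        "guest::15391::::::",
        "bin:*:15391::::::",
    ]
    for user, reason in blank_equivalent_accounts(sample):
        print(user, reason)
```

Because only the single candidate "" is tried, the cost is one hash per account rather than a cracking run over the whole file.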
02-22-2012 02:21 AM
Thanks guys.
logins -p no use for the reason specified. Also, the PermitEmptyPassword=no is ignored when using PAM.
Running john down a number of passwd files of (usually) 'safe' passwords just chews cpu so it's going to have to be a login script as suggested.
Appreciate the assistance.