My original question:
> I am looking for a tool like Crack or John (the ripper), which is
> able to run on a C2 (enhanced security) prpasswd file, in order to ensure my
> users do not set easily guessable passwords.
> A passwd_wrapper tool for C2 would be nice too, in order to force people
> to use strong passwords only.
> Any hints?
Thanks to all the people who replied. I append below the solutions I
received, both for John/Crack and for the password wrapper. I haven't had
time to try all of them yet, but they all sound interesting.
Claudio Strizzolo
============================================================================
From: Ann Cantelow <cantelow_at_athena.csdco.com>
Hi. Here below is an old BugTraq post I saved, that includes a program
that can make a "crackable shadow file". Maybe it helps. I have not
used a crack program myself but I would expect most would have an option
to run against an alternate file.
Date: Tue, 9 Mar 1999 02:22:32 -0500
From: James Clement <clem7508_at_FREDONIA.EDU>
To: BUGTRAQ_at_netspace.org
Subject: Digital Unix 4 protected password database.
Greetings,
Due to the recent outpouring of DU buffer overflows I thought the
following might be of interest. With the Enhanced Security package
running, authentication info is stored in individual files according to
username. In this case /tcb/files/auth/r/root for root and so on. I am not
aware of any built-in method for creating the equivalent of your everyday
unix /etc/shadow file. As a result it is probable that many DU systems
have not weeded out poor choices for passwords through the use of a
program such as Crack since each encrypt is stored in a separate file.
Though trivial once root is compromised, a would-be attacker might
have an easy time obtaining passwords because of this "feature". The
program below outputs a crackable shadow file.
Regards,
James Clement
----dushad.c----
/*
   Digital Unix 4.x get encrypts from protected password database(s).
   Must be euid(0), compile with cc dushad.c -lsecurity -o dushad
   Written by James Clement - clem7508_at_fredonia.edu
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/security.h>
#include <prot.h>

int main(void)
{
    struct pr_passwd *p;

    set_auth_parameters();
    /* Walk every protected password entry and print it shadow-style. */
    while ((p = getprpwent()) != NULL)
    {
        /* name:encrypted password:uid, remaining fields left empty */
        printf("%s:%s:%d:::\n", p->ufld.fd_name, p->ufld.fd_encrypt,
               (int) p->ufld.fd_uid);
    }
    return 0;
}
===========================================================================
Solar Designer <solar_at_cannabis.dataforce.net> offered to add support for
C2 to John. I sent him some more information about C2 and he should be
working on it at present. Thanks to him I discovered that John is actually
able to work on C2 passwords shorter than 16 chars, provided they are
formatted as in a "normal" Unix password database (I did the conversion
through the dushad tool above). Support for longer passwords will be added.
I hope Solar Designer will let the list know when this is available.
===========================================================================
From: "Gerardo Mendoza Polo (LCI)" <gmendoza_at_helios.lci.ulsa.mx>
Hi Claudio
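I don't know of any password cracker that can work with enhanced
security databases, but I suggest you create a file like the standard
/etc/passwd or /etc/shadow. I would do this with the help of edauth and
a shell script like this (check it before using):

    # Build a "user:hash" file from the C2 auth database (run as root).
    umask 077    # the output holds password hashes: keep it root-only
    for i in `cut -d: -f1 /etc/passwd`
    do
        # take u_pwd from the 4th colon-separated field of the matching line
        pass=`/tcb/bin/edauth -g "$i" | grep u_pwd | cut -d: -f4 | cut -d= -f2`
        echo "$i:$pass" >> /tmp/shadow_like_file
    done
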
After creating this file you can use a password cracker on it. But
check that the shadow_like_file is correct, because that script may
require changes.
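
An added example, not part of the original message: the script above takes u_pwd from a fixed field position, which is the part most likely to "require changes". This variant selects the field by name instead. It assumes records are colon-separated key=value / key#value capabilities that may continue over several lines with a trailing backslash; the function name, sample records and hash strings are constructed for illustration.

```sh
# Added example: pick u_pwd out of C2 auth records by name, not by position.
# ASSUMPTION: colon-separated capabilities, continued with a trailing "\".

# c2_to_shadow: read records on stdin, print "user:hash" lines on stdout.
# Records with no u_pwd field are skipped and reported on stderr.
c2_to_shadow() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        # Continuation line: drop the trailing backslash, keep accumulating.
        line ~ /\\$/ { sub(/\\$/, "", line); rec = rec line; next }
        { rec = rec line; emit(rec); rec = "" }
        END { if (rec != "") emit(rec) }

        function emit(r,    n, f, i, user, hash, found) {
            n = split(r, f, ":")
            user = ""; hash = ""; found = 0
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^u_name=/) user = substr(f[i], 8)
                else if (f[i] ~ /^u_pwd=/) { hash = substr(f[i], 7); found = 1 }
            }
            if (user == "" && n > 0) user = f[1]   # fall back to record name
            if (user == "") return                 # blank line
            if (found) print user ":" hash
            else print "no u_pwd for " user > "/dev/stderr"
        }
    '
}

# Constructed sample records (the hash strings are placeholders, not real).
SAMPLE='alice:u_name=alice:u_id#201:\
	:u_pwd=aaCONSTRUCTED1:\
	:chkent:
bob:u_name=bob:u_pwd=bbCONSTRUCTED2:u_id#202:chkent:
carol:u_name=carol:u_id#203:chkent:'

# Prints alice and bob; carol has no u_pwd and is reported on stderr.
printf '%s\n' "$SAMPLE" | c2_to_shadow
```

On a real system, set umask 077 before redirecting the output to a file and delete the file once the audit is finished.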
===========================================================================
From: Spider.Boardman_at_Orb.Nashua.NH.US
http://www.ornl.gov/its/archives/mailing-lists/tru64-unix-managers/1999/07/msg00050.html
===========================================================================
From: John P Speno <speno_at_isc.upenn.edu>
You can install your own password checker in C2. Take a look at the
d_pw_site_callout in your default profile.
===========================================================================
From: Larry Griffith <larry_at_cs.wsc.ma.edu>
Since all our user accounts are NIS-distributed, I simply wrote a
shell script to massage /var/yp/src/prpasswd into the format of
/etc/passwd and fed that into Crack. It works fine.
===========================================================================
In another message, Larry Griffith wrote:
I found that I had four shell scripts:
run_crack (this script converts the prpasswd file, then runs Crack
and e-mails any user found to have a weak password.)
run_crack_no_mail (same except the user doesn't get e-mail.)
splice_password (an auxiliary script used by the preceding two scripts)
stop_crack (stops a crack run initiated by either of the first two
scripts.)
I do not attach the scripts to this summary, but I believe Larry will
send them to you if you request them from him. Otherwise, contact me.
===========================================================================
From: John Losey <JOHLOS_at_HBSI.COM>
It seems as though I was in error when I mentioned the "Triviality Check"
feature of C2. While this would keep people from using passwords like "Cat"
or "Dog," the passwords that would survive triviality checks probably
wouldn't pass the definition of "strong passwords."
However, under C2, you can set up the users so that they could not have the
option to pick their own password. This might be one way to ensure that at
their next password change, they would end up with a strong password.
===========================================================================
From: Chris Caswell <chris_at_ncren.net>
Why not just set up the appropriate policies within Enhanced Security?
# man prpasswd
Also, have a look at (if memory serves me) /tcb/bin/pwpolicy.
===========================================================================
Received on Mon Aug 09 1999 - 06:55:31 NZST