UNIX Hints & Hacks


Chapter 5: Account Management

5.2 Passwords

5.2.1 Description

You all know about good and bad passwords by now, but there are good ways and bad ways to use the password field in the password file.

Example One: Password File with Encrypted Field

Flavors: AT&T, BSD

The DES-encrypted password field can be manipulated in several ways: it can be duplicated, deleted, or disabled. You can do this through a graphical user interface (GUI), a program, or the vipw command; when the password file has to be altered to this extent, most UNIX administrators choose to do it manually with vipw. While in the password file, there are three things that can be done to the password field: duplicate it, delete it, or disable it. The two entries below show an account disabled by prefixing the encrypted string with an asterisk, and by replacing the encrypted string with an asterisk alone:


axjones:*FC6XUtvRxVcWU:7272:20:Al Jones:/home/al:/bin/csh
axjones:*:7272:20:Al Jones:/home/al:/bin/csh

Example Two: Shadow Passwords

Flavors: AT&T, BSD

Many flavors are now adopting the shadow technique to conceal the password encryption string. It forces potential intruders and hackers to guess passwords by brute force against the running system rather than running cracking routines offline against the encrypted strings. An /etc/shadow file has nine fields. The fields you deal with most often are the user account name and the encrypted password string for that account; the rest can be handled by the system.

username:password:lastchg:min:max:warn:inactive:expire:flag

Even though these fields aren't widely known, their names make it easy to figure out what their function is.

In the original /etc/passwd file, the encrypted password field of every account now displays an x. This can give the appearance that every account is disabled, but in fact these accounts are using shadow passwords.

axjones:x:7272:20:Al Jones:/home/axjones:/bin/csh
toddh:x:7273:20:Todd Howardson:/home/toddh:/bin/sh

All modifications to the encrypted password string are then handled in the /etc/shadow file instead of the /etc/passwd file. The password field in this file should be treated exactly like the encrypted password field of the /etc/passwd file. To disable an account, place an asterisk in the encrypted password field of the /etc/shadow file. Sometimes, instead of the asterisk, you might see the letters NP, which stand for No Password; this is another way some administrators disable an account. If this feature is available on your flavor, you should take every step to implement it.

axjones:NP:6445::::::
toddh:93RttkSgw18KA:9441::::::

Some client/server-based applications don't work with this feature turned on. The application server looks up the user account and password supplied by the client application in the /etc/passwd file; if the encrypted password string is not visible there, the server-side application cannot process the client's request. Check every application running on your system to see whether it would be affected before making the switch to shadow passwords.
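To make the two examples above concrete, here is an added audit script (not from the book) that parses constructed /etc/passwd and /etc/shadow records, follows an x in the passwd field to the nine-field shadow record, and reports each account's password state (disabled by asterisk or NP, disabled with the hash kept, empty, or hash present). The sample records and the orphan account are constructed for the example; the encrypted strings are the placeholder values shown in this section.

```python
SHADOW_FIELDS = "username password lastchg min max warn inactive expire flag".split()

def parse_shadow(line):
    """Split one nine-field /etc/shadow record into a dict keyed by field name."""
    parts = line.split(":")
    if len(parts) != len(SHADOW_FIELDS):
        raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
    return dict(zip(SHADOW_FIELDS, parts))

def classify(field):
    """Describe a password field as it appears in passwd or shadow."""
    if field == "":
        return "empty"                      # no password is required at all
    if field in ("*", "NP"):
        return "disabled"                   # asterisk or No Password marker
    if field.startswith("*"):
        return "disabled, hash kept"        # asterisk prefixed to a hash
    return "hash present"

def audit(passwd_text, shadow_text):
    """Return {user: status}; an 'x' in passwd defers to the shadow record."""
    shadow = {r["username"]: r
              for r in map(parse_shadow, filter(None, shadow_text.splitlines()))}
    report = {}
    for line in filter(None, passwd_text.splitlines()):
        user, field = line.split(":")[:2]
        source = "passwd"
        if field == "x":                    # shadow passwords in use
            if user not in shadow:
                report[user] = "x in passwd but no shadow record"
                continue
            field, source = shadow[user]["password"], "shadow"
        report[user] = f"{classify(field)} ({source})"
    return report

# Constructed sample records for the example (not a real system).
PASSWD = """axjones:x:7272:20:Al Jones:/home/axjones:/bin/csh
toddh:x:7273:20:Todd Howardson:/home/toddh:/bin/sh
legacy:*FC6XUtvRxVcWU:7274:20:Legacy App:/home/legacy:/bin/csh
guest::7275:20:Guest:/home/guest:/bin/sh
orphan:x:7276:20:No Shadow:/home/orphan:/bin/sh
"""
SHADOW = """axjones:NP:6445::::::
toddh:93RttkSgw18KA:9441::::::
"""

if __name__ == "__main__":
    for user, status in audit(PASSWD, SHADOW).items():
        print(f"{user:10s} {status}")
```

The legacy and guest entries show the two states that shadowing alone does not fix: a visible hash left in /etc/passwd and an empty password field.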

Reason

The password field is the main target for many intruders attempting to hack a system. It needs to be well guarded and controlled. Shadow files help protect the visible password file.

Real World Experiences

Some beginning and intermediate system administrators have been caught off guard by seeing an x in every password field of the /etc/passwd file. They went on to believe that all the entries had been disabled for some reason. Some have gone as far as restoring the password file from backups, only to find the same file with the same entries every time.

In many organizations, users are added to systems on a daily basis. They are usually given a temporary password and instructions on how to change it. If your system does not force users to change their password the first time they log in, you need a way to verify that they actually did so. If you run any of the password-cracking programs available on the Internet, add the temporary password you hand out to the dictionary the program checks against. You will soon find that many users never get around to changing their password. Remember, never use the user's name in any part of the password.

Other Resources

Man pages:

passwd, shadow, vipw

World Wide Web:

Crack--ftp://ftp.cert.org/pub/tools/crack

AntiCrack--http://www.teu.ac.jp/siit/~tominaga/anticrack/

© Copyright Macmillan USA. All rights reserved.