Re: [newbie] passwd
"N. Kofi Amu" wrote:

Thank you Anthony for your response. I appreciated the need to repeat the password on the terminal or in the GUI. What I need is I have over twenty users to set up and I do have these users' names in a database. All I need is to add their passwords and export them as Tab Delimited files into the Linux/Unix user file using the READ command. The only thing I need to know is how to assign the PASSWD command in the script. I cannot repeat the command twice. How do I go about it in the script? Thanks.

Anthony Huereca wrote:

It's put in there twice to make sure you typed in your password right. It would be really bad if you accidentally mistyped your password when you created it, and had no way of knowing it till you found out you couldn't log in.

On the command line when you type PASSWD username it requests the password twice. How could I control that in my script? Is there another way or some switch that will not let it ask for this the second time? Thanks in advance and keep up the good work.

Kofi Amu
Maru a Pula School
Gaborone

--
Anthony Huereca
http://m3000.1wh.com
Computers are not intelligent. They only think they are.

The file /etc/passwd contains a db about the user accounts, 1 line per user. Ex.:

kofi:cNgghJeqhh:500:4:Kofi Amu:/home/kofi:/bin/bash

If shadow is utilised see /etc/shadow. The standard interface of it:

    #include <sys/types.h>
    #include <pwd.h>

    struct passwd *getpwuid(uid_t uid);
    struct passwd *getpwnam(const char *name);

(see header files for more details)

Example to extract details from db of passwords attached.

Eric -- FRANCE (Be careful, my English can hurt you)

    #include <sys/types.h>
    #include <pwd.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int main(void)
    {
        uid_t uid;
        gid_t gid;
        struct passwd *pw;
        const char *login;

        uid = getuid();
        gid = getgid();

        /* getlogin() returns NULL when there is no controlling terminal */
        login = getlogin();
        printf("User is %s\n", login ? login : "(unknown)");
        printf("User IDs: uid=%d, gid=%d\n", (int)uid, (int)gid);

        /* Look up the calling user's entry by uid */
        pw = getpwuid(uid);
        if (pw != NULL)
            printf("UID passwd entry:\n name=%s, uid=%d, gid=%d, home=%s, shell=%s\n",
                   pw->pw_name, (int)pw->pw_uid, (int)pw->pw_gid, pw->pw_dir, pw->pw_shell);

        /* Look up an entry by user name */
        pw = getpwnam("root");
        if (pw != NULL) {
            printf("root passwd entry:\n");
            printf("name=%s, uid=%d, gid=%d, home=%s, shell=%s\n",
                   pw->pw_name, (int)pw->pw_uid, (int)pw->pw_gid, pw->pw_dir, pw->pw_shell);
        }
        exit(0);
    }
Re: [newbie] passwd
It's put in there twice to make sure you typed in your password right. It would be really bad if you accidentally mistyped your password when you created it, and had no way of knowing it till you found out you couldn't log in.

On the command line when you type PASSWD username it requests the password twice. How could I control that in my script? Is there another way or some switch that will not let it ask for this the second time? Thanks in advance and keep up the good work.

Kofi Amu
Maru a Pula School
Gaborone

--
Anthony Huereca
http://m3000.1wh.com
Computers are not intelligent. They only think they are.
Re: [newbie] PASSWD
[EMAIL PROTECTED] wrote:

On 22 Sep, John Aldrich wrote:

Well, you see, that's the beauty of MD5 hashes...it's not encryption, per se. :-) IIRC, MD5 creates a "fingerprint" of the password and then throws away the password. In the future, if someone wants to access something with an MD5 hashed password, the password is re-fingerprinted and compared to the existing hash. If it is a 100% match, then the person is allowed to go on. If it doesn't match 100% then it's rejected and the process starts all over again! :-)

Right, so... does every system using MD5 have a different algorithm for computing the hash? Thus, my system gets different hashes for the same password? If not, then you could certainly use a dictionary of hashes to get his passwords. If so, then you can still use the brute force crack, assuming you can get ahold of the algorithm that is used to compute passwords. Right?

You're forgetting the salt which is combined with the password to create the hash.

Anyway, it's still bad practice to send passwords, even encrypted/hashcode through e-mail.

Agreed.

--
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]
Re: [newbie] PASSWD
On Thu, 23 Sep 1999, Steve Philp wrote:

[EMAIL PROTECTED] wrote:

On 22 Sep, John Aldrich wrote:

Well, you see, that's the beauty of MD5 hashes...it's not encryption, per se. :-) IIRC, MD5 creates a "fingerprint" of the password and then throws away the password. In the future, if someone wants to access something with an MD5 hashed password, the password is re-fingerprinted and compared to the existing hash. If it is a 100% match, then the person is allowed to go on. If it doesn't match 100% then it's rejected and the process starts all over again! :-)

Right, so... does every system using MD5 have a different algorithm for computing the hash? Thus, my system gets different hashes for the same password? If not, then you could certainly use a dictionary of hashes to get his passwords. If so, then you can still use the brute force crack, assuming you can get ahold of the algorithm that is used to compute passwords. Right?

You're forgetting the salt which is combined with the password to create the hash.

Yeah, there are 4096 Possible Salts in the UNIX system, so multiply that # of time needed by 4096 and you'll figure it all out.

Anyway, it's still bad practice to send passwords, even encrypted/hashcode through e-mail.

Agreed.

Agreed, unless you GNU-PG or PGP it, then it's okay :)

--
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]
Re: [newbie] PASSWD
On Thu, 23 Sep 1999, you wrote:

Right, so... does every system using MD5 have a different algorithm for computing the hash? Thus, my system gets different hashes for the same password? If not, then you could certainly use a dictionary of hashes to get his passwords. If so, then you can still use the brute force crack, assuming you can get ahold of the algorithm that is used to compute passwords. Right?

I think it's a LITTLE more complicated than that, but it's still pretty darn difficult to even THINK about cracking. After all it's a 128-bit "fingerprint." Here's part of the man page for md5sum:

md5sum produces for each input file a 128-bit "fingerprint" or "message-digest" or it can check with the output of a former run whether the message digests are still the same (i.e. whether the files changed).

Anyway, it's still bad practice to send passwords, even encrypted/hashcode through e-mail.

Agreed. :-) My point was basically that, even with the "extra cpu time" out there it's going to be a LONG time before someone can crack a 128-bit hashcode. However, your point of someone being able to run a dictionary through md5sum and come up with a hash table for "known words" is a good argument for NOT using "dictionary words." ;-)

John
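Added example (not part of any message in this thread): a Python sketch of the salt point raised in the messages above. It assumes a simplified MD5-over-salt-plus-password construction rather than the real md5-crypt algorithm, and the wordlist, salts and function names are constructed for illustration.

```python
import hashlib
import string

# Constructed sample wordlist; a real dictionary is far larger.
WORDLIST = ["test", "richard", "password", "linux"]

# crypt(3) salts are drawn from this 64-symbol alphabet.
SALT_ALPHABET = string.ascii_letters + string.digits + "./"


def digest(password, salt=""):
    """Toy salted hash: MD5 over salt || password (assumption, not md5-crypt)."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def build_table(words, salt=""):
    """Precompute hash -> word for one fixed salt (the 'dictionary of hashes')."""
    return {digest(w, salt): w for w in words}


def salt_space(length):
    """Number of distinct salts of the given length."""
    return len(SALT_ALPHABET) ** length


def demo():
    unsalted_table = build_table(WORDLIST)
    # Two accounts with the same weak password but different constructed salts.
    stored_a = digest("test", "ab")
    stored_b = digest("test", "cd")
    return {
        # Without a salt, one precomputed table works on every system.
        "unsalted_hit": unsalted_table.get(digest("test")),
        # The same table is useless against a salted hash.
        "salted_hit": unsalted_table.get(stored_a),
        # Equal passwords no longer produce equal stored hashes.
        "same_hash": stored_a == stored_b,
        # The salt is stored next to the hash, so a table built for that one
        # salt still recovers a dictionary word: salts do not rescue weak passwords.
        "per_salt_hit": build_table(WORDLIST, "ab").get(stored_a),
        # One table per salt: 2-character salts give the 4096 mentioned above.
        "tables_for_2_char_salt": salt_space(2),
        # The $1$ entries quoted in this thread carry 8-character salts.
        "tables_for_8_char_salt": salt_space(8),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```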
Re: [newbie] PASSWD
On Tue, 21 Sep 1999, you wrote:

I added a user called "test" with a password of "test" when I telnet into the server as user test, I can't change the password (to anything!!!)

errors include:
BAD PASSWORD: it is too short
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error

Passwd's should be no longer than 8 letters, no shorter than 5, no dictionary words, so a passwd like PeT9^G is a valid passwd, and once logged in there is no reason why that passwd could not be used without getting errors; on the other hand use richard and that will produce all of the above. Looking at the passwd line below, the system operator did not set a passwd for "test" to start with, which is a bad thing.

/etc/passwd...
test:x:501:510::/home/test:/bin/bash

I want the user to be able to logon and change their password to anything they desire! What must I re-configure??? Help! Thanks.

--
Regards Richard
[EMAIL PROTECTED]
Re: [newbie] PASSWD
Richard Adams wrote:

On Tue, 21 Sep 1999, you wrote:

I added a user called "test" with a password of "test" when I telnet into the server as user test, I can't change the password (to anything!!!)

errors include:
BAD PASSWORD: it is too short
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error

Passwd's should be no longer than 8 letters, no shorter than 5, no dictionary words, so a passwd like PeT9^G is a valid passwd, and once logged in there is no reason why that passwd could not be used without getting errors; on the other hand use richard and that will produce all of the above. Looking at the passwd line below, the system operator did not set a passwd for "test" to start with, which is a bad thing.

Not even true. That 'x' means one of two things:

1) The account is locked from login (no password has yet been set)
2) The sysadmin is using shadow passwords (in which case you need to look at /etc/shadow to see if there's a password set).

/etc/passwd...
test:x:501:510::/home/test:/bin/bash

I want the user to be able to logon and change their password to anything they desire! What must I re-configure??? Help! Thanks.

--
Regards Richard
[EMAIL PROTECTED]

--
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]
RE: [newbie] PASSWD
Is there a script I could use to allow users to have the same login characteristics as root, without giving users group access to root? Also, what would this script be written in?

Stephen.

-Original Message-
From: Steve Philp [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 21, 1999 5:49 PM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] PASSWD

Bernhard Rosenkraenzer wrote:

On Tue, 21 Sep 1999, Lambert, Stephen : CO IR wrote:

when I telnet into the server as user test, I can't change the password (to anything!!!)

errors include:
BAD PASSWORD: it is too short
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error

It's not a bug, it's a feature - passwords shouldn't be short or based on dictionary words because those passwords are easy to guess, and because crackers will generally try dictionary words and short words first when they do brute force attacks. Change the password to something like r%q7@$a (Argh, now I've given away the root password of ms-windows-2000.com ;) ), and it'll work.

Heh, and all this time I've been using 'crashy crashy'... :(

--
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]
RE: [newbie] PASSWD
well, you are right about using shadow passwords! (default authentication settings during install)

/etc/shadow
root:$1$8H9lif10$fvhxrR2F45ZCabMfph7EA0:10854:0:9:7:-1:-1:134537896
test:$1$owwnI1m0$boC2hy9UBooW0ib4Pph0i.:10855:1:9:7:0::135223440

what do I change user test to?

Stephen.

-Original Message-
From: Steve Philp [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 22, 1999 3:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] PASSWD

Richard Adams wrote:

On Tue, 21 Sep 1999, you wrote:

I added a user called "test" with a password of "test" when I telnet into the server as user test, I can't change the password (to anything!!!)

errors include:
BAD PASSWORD: it is too short
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error

Passwd's should be no longer than 8 letters, no shorter than 5, no dictionary words, so a passwd like PeT9^G is a valid passwd, and once logged in there is no reason why that passwd could not be used without getting errors; on the other hand use richard and that will produce all of the above. Looking at the passwd line below, the system operator did not set a passwd for "test" to start with, which is a bad thing.

Not even true. That 'x' means one of two things:

1) The account is locked from login (no password has yet been set)
2) The sysadmin is using shadow passwords (in which case you need to look at /etc/shadow to see if there's a password set).

/etc/passwd...
test:x:501:510::/home/test:/bin/bash

I want the user to be able to logon and change their password to anything they desire! What must I re-configure??? Help! Thanks.

--
Regards Richard
[EMAIL PROTECTED]

--
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]
Re: [newbie] PASSWD
On Wed, 22 Sep 1999, you wrote:

Richard Adams wrote:

On Tue, 21 Sep 1999, you wrote:

I added a user called "test" with a password of "test" when I telnet into the server as user test, I can't change the password (to anything!!!)

errors include:
BAD PASSWORD: it is too short
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error

Passwd's should be no longer than 8 letters, no shorter than 5, no dictionary words, so a passwd like PeT9^G is a valid passwd, and once logged in there is no reason why that passwd could not be used without getting errors; on the other hand use richard and that will produce all of the above. Looking at the passwd line below, the system operator did not set a passwd for "test" to start with, which is a bad thing.

Not even true. That 'x' means one of two things:

I beg to differ on item 1): when no shadow is used it will still show an x, which means the sysop did not set the passwd like the doco says.

1) The account is locked from login (no password has yet been set)
2) The sysadmin is using shadow passwords (in which case you need to look at /etc/shadow to see if there's a password set).

/etc/passwd...
test:x:501:510::/home/test:/bin/bash

I want the user to be able to logon and change their password to anything they desire! What must I re-configure??? Help! Thanks.

--
Regards Richard
[EMAIL PROTECTED]

--
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]

--
Regards Richard
[EMAIL PROTECTED]
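Added example (not part of any message in this thread): a Python parser for the two entry formats quoted in the messages above, reporting what the password field of each says, following the passwd(5) and shadow(5) field layouts. The function names are hypothetical, and the two sample lines are the entries for user "test" copied from the thread.

```python
from datetime import date, timedelta

# crypt(3) scheme identifiers that appear between the first two '$' signs.
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
DES_ALPHABET = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./")

# Entries for user "test" as quoted in the thread.
PASSWD_LINE = "test:x:501:510::/home/test:/bin/bash"
SHADOW_LINE = "test:$1$owwnI1m0$boC2hy9UBooW0ib4Pph0i.:10855:1:9:7:0::135223440"


def classify(field, from_shadow):
    """Describe the password field (second field) of a passwd or shadow entry."""
    if field == "":
        return {"state": "no password"}
    if field == "x" and not from_shadow:
        # In /etc/passwd a lone 'x' points at /etc/shadow for the real hash.
        return {"state": "hash stored in /etc/shadow"}
    if field[0] in "!*":
        # '!' or '*' can never match a hash, so password login is disabled.
        return {"state": "locked"}
    if field.startswith("$"):
        parts = field.split("$")  # ['', id, (options,) salt, hash]
        if len(parts) >= 4 and parts[-2] and parts[-1]:
            scheme = SCHEMES.get(parts[1], "unknown id " + parts[1])
            return {"state": "hashed", "scheme": scheme, "salt": parts[-2]}
    elif len(field) == 13 and set(field) <= DES_ALPHABET:
        # Traditional crypt: 2-character salt followed by 11 hash characters.
        return {"state": "hashed", "scheme": "des-crypt", "salt": field[:2]}
    return {"state": "unrecognised"}


def parse_passwd(line):
    """Parse one /etc/passwd entry (7 colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("passwd entries have 7 colon-separated fields")
    name, pw, uid, gid, _gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid), "home": home,
            "shell": shell, "password": classify(pw, from_shadow=False)}


def parse_shadow(line):
    """Parse one /etc/shadow entry (9 colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow entries have 9 colon-separated fields")
    name, pw, last_change = fields[:3]
    changed = None
    if last_change:
        # The third field counts days since 1970-01-01.
        changed = (date(1970, 1, 1) + timedelta(days=int(last_change))).isoformat()
    return {"name": name, "last_changed": changed,
            "password": classify(pw, from_shadow=True)}


if __name__ == "__main__":
    print(parse_passwd(PASSWD_LINE))
    print(parse_shadow(SHADOW_LINE))
```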
RE: [newbie] PASSWD
I'd be changing my passwords right now. Kind of defeats the purpose of shadow passwords if you sent it across a mailing list..

On Wed, 22 Sep 1999, Lambert, Stephen : CO IR wrote:

well, you are right about using shadow passwords! (default authentication settings during install)

/etc/shadow
root:$1$8H9lif10$fvhxrR2F45ZCabMfph7EA0:10854:0:9:7:-1:-1:134537896
test:$1$owwnI1m0$boC2hy9UBooW0ib4Pph0i.:10855:1:9:7:0::135223440

what do I change user test to?

Stephen.

-Original Message-
From: Steve Philp [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 22, 1999 3:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] PASSWD

Richard Adams wrote:

On Tue, 21 Sep 1999, you wrote:

I added a user called "test" with a password of "test" when I telnet into the server as user test, I can't change the password (to anything!!!)

errors include:
BAD PASSWORD: it is too short
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error

Passwd's should be no longer than 8 letters, no shorter than 5, no dictionary words, so a passwd like PeT9^G is a valid passwd, and once logged in there is no reason why that passwd could not be used without getting errors; on the other hand use richard and that will produce all of the above. Looking at the passwd line below, the system operator did not set a passwd for "test" to start with, which is a bad thing.

Not even true. That 'x' means one of two things:

1) The account is locked from login (no password has yet been set)
2) The sysadmin is using shadow passwords (in which case you need to look at /etc/shadow to see if there's a password set).

/etc/passwd...
test:x:501:510::/home/test:/bin/bash

I want the user to be able to logon and change their password to anything they desire! What must I re-configure??? Help! Thanks.

--
Regards Richard
[EMAIL PROTECTED]

--
MandrakeSoft http://www.mandrakesoft.com/
--Axalon
RE: [newbie] PASSWD -SOLVED
i think i have seen the light... during the install, i opted for both the use of shadow passwords and enabled md5 passwords. btw, the server is only an internal dev box, but thanks...

-Original Message-
From: Axalon Bloodstone [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 22, 1999 10:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [newbie] PASSWD

I'd be changing my passwords right now. Kind of defeats the purpose of shadow passwords if you sent it across a mailing list..

-Original Message-
From: Steve Philp [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 22, 1999 3:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] PASSWD

Richard Adams wrote:

On Tue, 21 Sep 1999, you wrote:

I added a user called "test" with a password of "test" when I telnet into the server as user test, I can't change the password (to anything!!!)

errors include:
BAD PASSWORD: it is too short
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error

Passwd's should be no longer than 8 letters, no shorter than 5, no dictionary words, so a passwd like PeT9^G is a valid passwd, and once logged in there is no reason why that passwd could not be used without getting errors; on the other hand use richard and that will produce all of the above. Looking at the passwd line below, the system operator did not set a passwd for "test" to start with, which is a bad thing.

Not even true. That 'x' means one of two things:

1) The account is locked from login (no password has yet been set)
2) The sysadmin is using shadow passwords (in which case you need to look at /etc/shadow to see if there's a password set).

/etc/passwd...
test:x:501:510::/home/test:/bin/bash

I want the user to be able to logon and change their password to anything they desire! What must I re-configure??? Help! Thanks.

--
Regards Richard
[EMAIL PROTECTED]

--
Re: [newbie] PASSWD
Axalon Bloodstone wrote:

I'd be changing my passwords right now. Kind of defeats the purpose of shadow passwords if you sent it across a mailing list..

It'd take years to decrypt that MD5 hash back to a usable password. That's sorta the point of using the MD5 over the normal crypting.

On Wed, 22 Sep 1999, Lambert, Stephen : CO IR wrote:

well, you are right about using shadow passwords! (default authentication settings during install)

/etc/shadow
root:$1$8H9lif10$fvhxrR2F45ZCabMfph7EA0:10854:0:9:7:-1:-1:134537896
test:$1$owwnI1m0$boC2hy9UBooW0ib4Pph0i.:10855:1:9:7:0::135223440

what do I change user test to?

Stephen.

-Original Message-
From: Steve Philp [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 22, 1999 3:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] PASSWD

Richard Adams wrote:

On Tue, 21 Sep 1999, you wrote:

I added a user called "test" with a password of "test" when I telnet into the server as user test, I can't change the password (to anything!!!)

errors include:
BAD PASSWORD: it is too short
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error

Passwd's should be no longer than 8 letters, no shorter than 5, no dictionary words, so a passwd like PeT9^G is a valid passwd, and once logged in there is no reason why that passwd could not be used without getting errors; on the other hand use richard and that will produce all of the above. Looking at the passwd line below, the system operator did not set a passwd for "test" to start with, which is a bad thing.

Not even true. That 'x' means one of two things:

1) The account is locked from login (no password has yet been set)
2) The sysadmin is using shadow passwords (in which case you need to look at /etc/shadow to see if there's a password set).

/etc/passwd...
test:x:501:510::/home/test:/bin/bash

I want the user to be able to logon and change their password to anything they desire! What must I re-configure??? Help! Thanks.

--
Regards Richard
[EMAIL PROTECTED]

--
MandrakeSoft http://www.mandrakesoft.com/
--Axalon

--
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]
Re: [newbie] PASSWD
On Wed, 22 Sep 1999, Steve Philp wrote:

Axalon Bloodstone wrote:

I'd be changing my passwords right now. Kind of defeats the purpose of shadow passwords if you sent it across a mailing list..

It'd take years to decrypt that MD5 hash back to a usable password. That's sorta the point of using the MD5 over the normal crypting.

I've seen way too many specialty machines lately to trust any form of encryption. Just ask the boys n girls over at the distributed.net or seti@home how much idle cpu there is out there, and our buddies up in Redmond making wonderful API that allows things like B.O. But as always the only secure pc is one disassembled and strewn about the planet in unmarked tombs...

On Wed, 22 Sep 1999, Lambert, Stephen : CO IR wrote:

well, you are right about using shadow passwords! (default authentication settings during install)

/etc/shadow
root:$1$8H9lif10$fvhxrR2F45ZCabMfph7EA0:10854:0:9:7:-1:-1:134537896
test:$1$owwnI1m0$boC2hy9UBooW0ib4Pph0i.:10855:1:9:7:0::135223440

what do I change user test to?

Stephen.
Re: [newbie] PASSWD
On 22 Sep, John Aldrich wrote:

Well, you see, that's the beauty of MD5 hashes...it's not encryption, per se. :-) IIRC, MD5 creates a "fingerprint" of the password and then throws away the password. In the future, if someone wants to access something with an MD5 hashed password, the password is re-fingerprinted and compared to the existing hash. If it is a 100% match, then the person is allowed to go on. If it doesn't match 100% then it's rejected and the process starts all over again! :-)

Right, so... does every system using MD5 have a different algorithm for computing the hash? Thus, my system gets different hashes for the same password? If not, then you could certainly use a dictionary of hashes to get his passwords. If so, then you can still use the brute force crack, assuming you can get ahold of the algorithm that is used to compute passwords. Right?

Anyway, it's still bad practice to send passwords, even encrypted/hashcode through e-mail.

-Matt Stegman
[EMAIL PROTECTED]
Re: [newbie] PASSWD
Bernhard Rosenkraenzer wrote:

On Tue, 21 Sep 1999, Lambert, Stephen : CO IR wrote:

when I telnet into the server as user test, I can't change the password (to anything!!!)

errors include:
BAD PASSWORD: it is too short
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error

It's not a bug, it's a feature - passwords shouldn't be short or based on dictionary words because those passwords are easy to guess, and because crackers will generally try dictionary words and short words first when they do brute force attacks. Change the password to something like r%q7@$a (Argh, now I've given away the root password of ms-windows-2000.com ;) ), and it'll work.

Heh, and all this time I've been using 'crashy crashy'... :(

--
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]