Newsgroups: alt.security,comp.security.misc,comp.sys.sequent,comp.sys.dec,comp.unix.misc,comp.unix.ultrix
Path: sparky!uunet!pipex!warwick!coventry!ccx009
From: ccx...@cch.coventry.ac.uk (Adam Bentley)
Subject: Shadow password file software for BSD 4.2
Message-ID: <Bu9ILz.4Fy@cck.coventry.ac.uk>
Followup-To: poster
Keywords: shadow password file, sequent, dec, 4.2 BSD
Sender: n...@cck.coventry.ac.uk (news user)
Nntp-Posting-Host: cc_sysh
Organization: Coventry University
Date: Tue, 8 Sep 1992 13:53:59 GMT
Lines: 17

Does anyone know of a shadow password file package for 4.2 BSD based
systems, specifically Sequent Dynix and also DEC Ultrix? I've got John
F. Haugh II's package, but it's way off being ready to go, especially on
an old 4.2 Unix without things like password aging.

Any help appreciated. I've got to get this sorted as soon as possible,
as usual! I will post a summary to comp.unix.misc if there is enough
interest.

thanks...
--
 _
/-\dam
FLESH: Adam Bentley (Fraggle), Systems/Networking, Coventry University. UK
Path: sparky!uunet!cs.utexas.edu!chinacat!rpp386!jfh
From: j...@rpp386.lonestar.org (John F. Haugh II)
Newsgroups: comp.security.misc
Subject: Re: Shadow password file software for BSD 4.2
Message-ID: <21478@rpp386.lonestar.org>
Date: 8 Sep 92 23:42:43 GMT
References: <Bu9ILz.4Fy@cck.coventry.ac.uk>
Reply-To: j...@rpp386.cactus.org (John F. Haugh II)
Organization: River Parishes Programming, Austin, Republic of Texas
Lines: 15

In article <Bu9ILz....@cck.coventry.ac.uk> ccx...@cch.coventry.ac.uk (Adam Bentley) writes:
>I've got John F. Haugh II's package but it's way off being ready to go
>especially on an old 4.2 unix without things like password aging.

You can just turn aging off when you build Shadow. If there are other
problems, please report them to me as bugs and I'll get them fixed.

Actually, a better person to get ahold of is Steve Simmons. He did a
significant amount of work in that area. I don't know where he is
hiding these days ...
--
John F. Haugh II                  | "The US Government has the Midas Muffler
Ma Bell: (512) 251-2151           | touch: everything they touch turns to
UUCP: ...!cs.utexas.edu!rpp386!jfh | shit."
Domain: j...@rpp386.cactus.org     |                  -- Jay Maynard
Newsgroups: comp.security.misc
Path: sparky!uunet!mcsun!Germany.EU.net!news.netmbx.de!zrz.tu-berlin.de!math.fu-berlin.de!fub!obh.in-berlin.de!ob
From: o...@obh.in-berlin.de (Oliver Brandmueller)
Subject: Re: Shadow password file software for BSD 4.2
Message-ID: <SOU6VZB@obh.in-berlin.de>
Organization: obh - private bbs in Berlin/Germany
References: <Bu9ILz.4Fy@cck.coventry.ac.uk> <21478@rpp386.lonestar.org>
Date: Wed, 9 Sep 92 11:51:44 GMT
Lines: 26

Hi,

j...@rpp386.lonestar.org (John F. Haugh II) writes:
[...]
>Actually, a better person to get ahold of is Steve Simmons. He did a
>significant amount of work in that area. I don't know where he is
>hiding these days ...

Steve Simmons   s...@iti.org
Steve Simmons   s...@lokkur.dexter.mi.us
Steve Simmons   ssimm...@convex.com
Steve Simmons   Steve_Simm...@a68k.denver.CO.US

Don't know which one you mean, or if he's in that list. These are all
people with "Steve Simmons" in their realname field writing in the news
I get these days.

Hope that helps.

Bye, Olli
--
| Oliver Brandmueller  | Detmolder Str. 64 | 1000 Berlin 31 | Germany - (FRG) |
| o...@obh.in-berlin.de | V +49 30 853 6980 | Cityruf 315 30 68 30 (numeric)  |
| "I'll become a millionaire, marry Jodie Foster and take on a nymphomaniac   |
|  as my cleaning lady. Then I'll have achieved everything." - ob@school      |
Newsgroups: comp.security.misc
Path: sparky!uunet!hela.iti.org!lokkur!scs
From: s...@lokkur.dexter.mi.us (Steve Simmons)
Subject: Re: Shadow password file software for BSD 4.2
Message-ID: <1992Sep9.230317.14594@lokkur.dexter.mi.us>
Organization: Inland Sea
References: <Bu9ILz.4Fy@cck.coventry.ac.uk> <21478@rpp386.lonestar.org> <SOU6VZB@obh.in-berlin.de>
Date: Wed, 9 Sep 92 23:03:17 GMT
Lines: 20

o...@obh.in-berlin.de (Oliver Brandmueller) writes:
>j...@rpp386.lonestar.org (John F. Haugh II) writes:
>[...]
>>Actually, a better person to get ahold of is Steve Simmons. He did a
>>significant amount of work in that area. I don't know where he is
>>hiding these days ...

> Steve Simmons   s...@iti.org
> Steve Simmons   s...@lokkur.dexter.mi.us

These two are me.

> Steve Simmons   ssimm...@convex.com
> Steve Simmons   Steve_Simm...@a68k.denver.CO.US

And these two aren't.
--
"When Dexter's on the Internet, can Hell be far behind?"
                       -- Steve Simmons, s...@lokkur.dexter.mi.us
Newsgroups: comp.security.misc
Path: sparky!uunet!haven.umd.edu!darwin.sura.net!spool.mu.edu!nigel.msen.com!hela.iti.org!lokkur!scs
From: s...@lokkur.dexter.mi.us (Steve Simmons)
Subject: Re: Shadow password file software for BSD 4.2
Message-ID: <1992Sep9.233954.14793@lokkur.dexter.mi.us>
Organization: Inland Sea
References: <Bu9ILz.4Fy@cck.coventry.ac.uk> <21478@rpp386.lonestar.org>
Date: Wed, 9 Sep 92 23:39:54 GMT
Lines: 105

j...@rpp386.lonestar.org (John F. Haugh II) writes:
>In article <Bu9ILz....@cck.coventry.ac.uk> ccx...@cch.coventry.ac.uk (Adam Bentley) writes:
>>I've got John F. Haugh II's package but it's way off being ready to go
>>especially on an old 4.2 unix without things like password aging.

>You can just turn aging off when you build Shadow. If there are other
>problems, please report them to me as bugs and I'll get them fixed.

>Actually, a better person to get ahold of is Steve Simmons. He did a
>significant amount of work in that area. I don't know where he is
>hiding these days ...

I'm still alive (buried alive?) and kicking. Our (my) work on the BSD
version of the shadow utilities went out the door along with co-workers
and support for such things in one of our regular re-orgs at ITI.

I have several versions of the code, one of which ran under Ultrix 3.1
and another which ran under SunOS 4.0.3. There was also some code for a
Gould Powernode, but I believe that it got merged into the Sun version.
If there is interest I can make it available for anon ftp.

The SunOS code and most of the Ultrix code consisted of an earlier
version of John's work, some freed BSD stuff, and a few odds and ends I
threw in. In particular we'd developed our own password aging code as
AT&T style was a bit less than we needed. There are also patches to the
Ultrix login source for 3.1.

There was one bit I'm proud of which John didn't pick up (I'm not
complaining; it was definitely "non-standard").
When converting to shadow passwords, the new /etc/passwd file normally
gets converted to something like

    scs:x:10:20:....

Instead, my version did

    scs:WMMXAlZzpoIx4:10:20:....

where "WMMXAlZzpoIx4" was a randomly generated string. In addition, the
name of the shadow file was site-configurable. Thus it was not possible
for the cracker to easily determine if a given site used shadows by
simply examining the password file. One copy of our password file with
these junk strings drifted through the cracker community for a while,
much to my amusement. Note that you should change the random string
when changing the password.

In the course of working on this, I learned several things. First, John
writes pretty decent code. Second, there are far too many utilities
which break when you put in shadow passwords. Pcnfsd, uucpd, either
rlogin or telnet -- just too damned many things. I patched things right
and left, and still didn't find them all. Screensavers were a
particular problem, as you either need to make them suid root or give
them up.

As a corollary to this, I thought a lot about a "password verifier",
some utility program which could be used to determine if a given
password was correct or not without having to actually expose the
password either in cleartext or by encrypted string. I came to the
conclusion there is no perfectly safe way, but you can make the window
very very tiny. You open a pipe, fork the program that wants to do the
verify, the child execs the verifier, then writes the password to the
verifier on the pipe. The child returns the verification by its exit
status. The password should never be placed in the environment, and the
instant it is no longer needed should be overwritten in the buffers.
Reasons are left as an exercise for the reader. :-) Note that at that
time I thought the Needham and Schroeder (sp?) algorithm was patented or
I would have used it to encrypt/decrypt the communication.
A third complicating factor could be called "keeping up with the
vendors". DEC does some interesting and useful things in their logins,
and getting (buying) new copies of the Ultrix source to keep in sync was
simply not possible. I could probably have retrofitted, but the
management decision was to use the stock Ultrix stuff instead. C'est la
guerre.

Other interesting issues I recall --

o What should one do about expired passwords? Throw them from login
  into passwd? Throw them out? How long should you let them go?

o Should rsh work if the password is expired? Think carefully.... How
  about rcp?

o How long before expiration should you start warning users? How do you
  make it site-configurable? Can you reconfigure it without modifying
  login?

o Should account expiration be a separate issue from password
  expiration (it was in our version)? What does that mean to rsh,
  rlogin, rcp?

o You definitely need some utilities to print the age and expiration
  data in a human-readable fashion. Setting them in a human-readable
  fashion is a good idea too.

Sigh. There were other things, but that's an off-the-top-of-the-head
list. Maybe someday I'll get a client willing to pay for this stuff.
Until then, folks are welcome to it.
--
"When Dexter's on the Internet, can Hell be far behind?"
                       -- Steve Simmons, s...@lokkur.dexter.mi.us