tiger-devel

[Tiger-devel] [PATCH] updated password checks for Linux and HP-UX


From: rbradetich
Subject: [Tiger-devel] [PATCH] updated password checks for Linux and HP-UX
Date: Tue, 24 Jun 2003 13:15:36 -0600
User-agent: Mutt/1.5.3i

Hello all,

The attached patch does the following:

        * Add a duplicate user home directory check.
        * Add an acceptable cryptographic hash check.
        * Do not check for malformed password entries if PWCK is defined
          (redundant check).
        * Modify the PWCK check to work with HP-UX's pwck (HP-UX always returns
          with an error code of 0).
        * Identify the password hashes in HP-UX (Trusted and un-trusted mode).
        * Identify password hashes in Linux when not using shadow passwords.

This patch is built on top of the patches I have already submitted to the Debian
bug tracking system.
If this is not convenient, let me know and I will re-diff against the source of
your choice.

Also, for administrative purposes, do you prefer lots of smaller patches, or
larger patches that focus on one area (i.e. passwords)?

I am willing to do either :)

This patch has been tested on HP-UX 11.11, 11.00, 10.20, Debian Linux, and 
RedHat Linux.

Thanks and feedback/discussion welcome!

- Ryan


Index: tigerrc
===================================================================
RCS file: /usr/local/taracvs/tiger-3.2/tigerrc,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 tigerrc
--- tigerrc     27 May 2003 23:13:52 -0000      1.1.1.1
+++ tigerrc     24 Jun 2003 16:04:52 -0000
@@ -112,6 +112,10 @@ Tiger_Global_PATH="/etc/profile /etc/csh
 # A simple space delimited list.
 Tiger_Passwd_Constraints="PASS_MIN_DAYS PASS_MAX_DAYS PASS_WARN_AGE 
PASS_MIN_LEN"
 #
+# Acceptable password hashes.
+# List of password hashes separated by '|'... no whitespaces
+Tiger_Passwd_Hashes='crypt3|md5'
+#
 # Number of days of non-modified files in the home directory for a user
 # to be considered dormant (setting = 0 disables this check)
 Tiger_Dormant_Limit=60
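Review bot: the comment on Tiger_Passwd_Hashes should say how the value is consumed: check_passwd interpolates it into an eval'd `case` pattern, so each entry must be a valid shell pattern and the string must contain no whitespace, quotes or other shell metacharacters beyond the '|' separator. Also, the default 'crypt3|md5' omits 'bigcrypt', which the HP-UX genpasswd in this same patch emits for trusted-mode accounts, so a trusted-mode HP-UX host will raise pass013w for every user until the list is extended (e.g. 'crypt3|md5|bigcrypt'); either add it to the default or document the HP-UX setting here.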
Index: doc/passwd.txt
===================================================================
RCS file: /usr/local/taracvs/tiger-3.2/doc/passwd.txt,v
retrieving revision 1.2
diff -u -p -r1.2 passwd.txt
--- doc/passwd.txt      13 Jun 2003 03:42:26 -0000      1.2
+++ doc/passwd.txt      24 Jun 2003 16:04:52 -0000
@@ -37,3 +37,10 @@ indicates a configuration problem and sh
 %pass011f
 The listed username has an empty password string.  This will allow any user
 to gain access to the account without being prompted for a password.
+%pass012w
+The listed home directory is specified for multiple users. This can lead to
+denial-of-service and unexpected resource usage (i.e. shell initialization
+files, etc) if not corrected.
+%pass013w
+The listed username is not using an acceptable, cryptographic method for the
+password hash. 
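Review bot: the pass013w text should point the reader at where the accepted list lives, otherwise the warning is not actionable from the report alone; suggest "The listed username is not using an acceptable cryptographic method for the password hash. The accepted methods are listed in Tiger_Passwd_Hashes in tigerrc." That also drops the stray comma in "acceptable, cryptographic" and the trailing space at the end of the last added line.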
Index: scripts/check_passwd
===================================================================
RCS file: /usr/local/taracvs/tiger-3.2/scripts/check_passwd,v
retrieving revision 1.3
diff -u -p -r1.3 check_passwd
--- scripts/check_passwd        13 Jun 2003 03:42:26 -0000      1.3
+++ scripts/check_passwd        24 Jun 2003 16:04:52 -0000
@@ -111,10 +111,19 @@ do
     }
   done
 
-  $AWK -F: '$2 == "" {print $1}' $WORKDIR/p1uid.$$  |
-  while read username
+  $AWK -F: '{print $1,$2}' $WORKDIR/p1uid.$$ |
+  while read username passwd
   do
-    message FAIL pass011f "" "Username \`$username' has an empty password 
field."
+    eval "case \"$passwd\" in
+      \"\")
+       message FAIL pass011f \"\" \"Username \\\`$username' has an empty 
password field.\"
+       ;;
+      $Tiger_Passwd_Hashes|\*)
+       ;;
+      *)
+       message WARN pass013w \"\" \"Username \\\`$username' is not using an 
acceptable password hash ($passwd).\"
+       ;;
+      esac"
   done
 
 #  $AWK -F: '{print $3}' $WORKDIR/p1uid.$$ |
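Review bot: in the eval'd `case`, $passwd and $username are expanded while the string is being built, so their contents are re-parsed by eval as shell syntax rather than compared as data. With `-p` the field is a real hash, and a value containing `$` (an MD5 hash starts with `$1$`), backquotes or quotes will be expanded or will break the statement; even with the replacement tokens, a hostile /etc/passwd entry would reach eval unescaped. Escape the data references so eval only sees the pattern list, e.g. `eval "case \"\$passwd\" in` and `\\\`\$username'`, leaving $Tiger_Passwd_Hashes as the only interpolated value. Also guard the unset case: if Tiger_Passwd_Hashes is empty the pattern collapses to `|\*)`, which is a syntax error; default it before the loop (`: ${Tiger_Passwd_Hashes:=crypt3|md5}`).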
@@ -131,12 +140,24 @@ do
     }
   done
 
-  $AWK -F: 'NF != 7 {print}' $WORKDIR/p1uid.$$ |
-  while read entry
+  $AWK -F: "\$3 > $Tiger_Accounts_Trust {print \$6}" $WORKDIR/p1uid.$$ |
+  $SORT |
+  $UNIQ -c |
+  while read times homedir
   do
-    message WARN pass003w "$entry" "Malformed entry in $src1:"
+    [ $times -gt 1 ] && {
+      message WARN pass012w "" "Home directory $homedir exists multiple times 
($times) in $src1."
+    }
   done
-  
+
+  if [ ! -n "$PWCK" ]; then
+    $AWK -F: 'NF != 7 {print}' $WORKDIR/p1uid.$$ |
+    while read entry
+    do
+      message WARN pass003w "$entry" "Malformed entry in $src1:"
+    done
+  fi
+
   $GREP -v "^$passwd1\$" $WORKDIR/pass2.$$ |
   while read passwd2
   do
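Review bot: the duplicate-home-directory awk program interpolates $Tiger_Accounts_Trust unquoted into the awk source, so if it is unset the program becomes `$3 >  {print $6}` and awk aborts silently inside the pipeline; validate or default it first. Entries with an empty home-directory field also collapse into one `uniq -c` group and would produce "Home directory  exists multiple times" with nothing named, so add `&& $6 != ""` to the awk condition. Minor: `[ ! -n "$PWCK" ]` reads more naturally as `[ -z "$PWCK" ]`.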
@@ -186,8 +207,8 @@ $OUTPUTMETHOD
 
 [ -n "$PWCK" ] && {
   # TODO: Add the results to the report
-  pwckerr=`$PWCK /etc/passwd /etc/shadow >/dev/null 2>&1`
-  if [ $? -ne 0 ] ; then
+  pwckerr=`$PWCK /etc/passwd /etc/shadow 2>&1`
+  if [ -n "$pwckerr" ] ; then
     message WARN pass006w "" "Integrity of password files questionable 
($PWCK)."
   fi
 }
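Review bot: switching from the exit status to "any output" handles HP-UX's always-zero pwck, but it discards the exit status entirely and, on Linux, treats purely informational pwck output as a failure. Check both: `if [ $? -ne 0 ] || [ -n "$pwckerr" ]` (the status of the backquoted command is still in $? immediately after the assignment). Since $pwckerr now holds the output, the TODO above this block can be closed at the same time by passing it as the entry argument, e.g. `message WARN pass006w "$pwckerr" "Integrity of password files questionable ($PWCK)."`, matching how pass003w passes "$entry".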
Index: systems/HPUX/genpasswd
===================================================================
RCS file: /usr/local/taracvs/tiger-3.2/systems/HPUX/genpasswd,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 genpasswd
--- systems/HPUX/genpasswd      27 May 2003 23:13:52 -0000      1.1.1.1
+++ systems/HPUX/genpasswd      24 Jun 2003 16:04:52 -0000
@@ -24,15 +24,52 @@ local=0
 for parm
 do
   case "$parm" in
-    -p) ;;
+    -p) passwordflag=Y;;
     -l) local=1;;
     *) outfile="$parm";;
   esac
 done
 
+zappasswd()
+{
+  IFS=:
+  while read user passwd rest
+  do
+    tcbfile="/tcb/files/auth/${user%${user#?}}/$user"
+    if [ -f $tcbfile ]; then
+      passwd=`$AWK -F: '/u_pwd=/ { print substr($2, 7) }' $tcbfile`
+    fi
+
+    case $passwd in
+      # bigcrypt passwords used in trusted mode. (13 + (x * 11))
+      
[a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./]+([a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./]))
+           passwd="bigcrypt"
+           ;;
+      # Normal UNIX passwds (13 chars)
+      
[a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./]?(,[a-zA-Zo-9\.]+))
+           passwd="crypt3"
+           ;;
+      "")
+          passwd=""
+           ;;
+      *)
+           passwd="*"
+           ;;
+    esac
+    echo "$user:$passwd:$rest"
+  done
+}
 
 $GREP -v '^[-+]' /etc/passwd |
-$SORT > $WORKDIR/etc_passwd.$$
+$SORT |
+{
+  if [ "$passwordflag" = 'Y' ]; then
+    $CAT
+  else
+    zappasswd
+  fi
+} > $WORKDIR/etc_passwd.$$
+
 echo "/etc/passwd" > $WORKDIR/etc_passwd.$$.src
 echo $WORKDIR/etc_passwd.$$ >> $outfile
 
Index: systems/Linux/2/gen_passwd_sets
===================================================================
RCS file: /usr/local/taracvs/tiger-3.2/systems/Linux/2/gen_passwd_sets,v
retrieving revision 1.2
diff -u -p -r1.2 gen_passwd_sets
--- systems/Linux/2/gen_passwd_sets     13 Jun 2003 03:27:08 -0000      1.2
+++ systems/Linux/2/gen_passwd_sets     24 Jun 2003 16:04:52 -0000
@@ -116,7 +116,14 @@ do
                fi
 
            else
-               $CAT /etc/passwd > $WORKDIR/etc_passwd.$$
+                $CAT /etc/passwd |
+                {
+                        if [ "$passwordflag" = 'Y' ]; then
+                                $CAT
+                        else
+                                zappasswd
+                        fi
+                } > $WORKDIR/etc_passwd.$$
                echo "/etc/passwd" > $WORKDIR/etc_passwd.$$.src
                echo $WORKDIR/etc_passwd.$$ >> $outfile
            fi
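Review bot: zappasswd is not defined anywhere in this hunk (the HP-UX genpasswd defines its own copy in the same patch); confirm it is defined earlier in gen_passwd_sets, otherwise the non-shadow path fails with "zappasswd: not found" and etc_passwd.$$ is left empty, silently disabling the password checks. The added lines are also indented one column deeper than the surrounding block, and `$CAT /etc/passwd | { ... }` can be written as `{ ... } < /etc/passwd`. Consider sharing one zappasswd between the Linux and HP-UX generators so the hash-class tokens they emit do not drift apart from each other or from Tiger_Passwd_Hashes.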