[Tiger-devel] [PATCH] updated password checks for Linux and HP-UX
From: rbradetich
Subject: [Tiger-devel] [PATCH] updated password checks for Linux and HP-UX
Date: Tue, 24 Jun 2003 13:15:36 -0600
User-agent: Mutt/1.5.3i
Hello all,
The attached patch does the following:
* Add a duplicate user home directory check.
* Add an acceptable cryptographic hash check.
* Do not check for malformed password entries if PWCK is defined
(redundant check)
* Modify PWCK check to work with HP-UX's pwck. (HP-UX always returns
with an error code 0)
* Identify the password hashes in HP-UX (Trusted and un-trusted mode)
* Identify password hashes in Linux when not using shadow passwords.
This patch is built on top of the patches I have already submitted to the
Debian bug tracking system.
If this is not convenient, let me know and I will re-diff against the source of
your choice.
Also for administrative purposes, do you prefer lots of smaller patches, or
larger patches that focus on one area (i.e. passwords)?
I am willing to do either :)
This patch has been tested on HP-UX 11.11, 11.00, 10.20, Debian Linux, and
RedHat Linux.
Thanks and feedback/discussion welcome!
- Ryan
Index: tigerrc
===================================================================
RCS file: /usr/local/taracvs/tiger-3.2/tigerrc,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 tigerrc
--- tigerrc 27 May 2003 23:13:52 -0000 1.1.1.1
+++ tigerrc 24 Jun 2003 16:04:52 -0000
@@ -112,6 +112,10 @@ Tiger_Global_PATH="/etc/profile /etc/csh
# A simple space delimited list.
Tiger_Passwd_Constraints="PASS_MIN_DAYS PASS_MAX_DAYS PASS_WARN_AGE
PASS_MIN_LEN"
#
+# Acceptable password hashes.
+# List of password hashes separated by '|'... no whitespaces
+Tiger_Passwd_Hashes='crypt3|md5'
+#
# Number of days of non-modified files in the home directory for a user
# to be considered dormant (setting = 0 disables this check)
Tiger_Dormant_Limit=60
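Review bot: the comment on the new `Tiger_Passwd_Hashes` setting should say that the value is spliced directly into a shell `case` pattern (see the `eval` in scripts/check_passwd), so only pattern characters are safe here and the names must match the tokens genpasswd writes into the password field. With the default `'crypt3|md5'`, every HP-UX trusted-mode account, which genpasswd labels `bigcrypt`, will be reported under pass013w unless the administrator adds `bigcrypt` to this list. Suggest documenting the recognised token names (crypt3, md5, bigcrypt, `*` for locked accounts) next to the setting, or shipping `bigcrypt` in the HP-UX default.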
Index: doc/passwd.txt
===================================================================
RCS file: /usr/local/taracvs/tiger-3.2/doc/passwd.txt,v
retrieving revision 1.2
diff -u -p -r1.2 passwd.txt
--- doc/passwd.txt 13 Jun 2003 03:42:26 -0000 1.2
+++ doc/passwd.txt 24 Jun 2003 16:04:52 -0000
@@ -37,3 +37,10 @@ indicates a configuration problem and sh
%pass011f
The listed username has an empty password string. This will allow any user
to gain access to the account without being prompted for a password.
+%pass012w
+The listed home directory is specified for multiple users. This can lead to
+denial-of-service and unexpected resource usage (i.e. shell initialization
+files, etc) if not corrected.
+%pass013w
+The listed username is not using an acceptable, cryptographic method for the
+password hash.
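Review bot: the pass013w text does not tell the administrator how "acceptable" is defined; add a sentence pointing at `Tiger_Passwd_Hashes` in tigerrc so the warning can be tuned rather than ignored, and drop the comma in "acceptable, cryptographic method". In pass012w, "i.e." should be "e.g.", since shell initialization files are one example of the shared resources, not the whole list.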
Index: scripts/check_passwd
===================================================================
RCS file: /usr/local/taracvs/tiger-3.2/scripts/check_passwd,v
retrieving revision 1.3
diff -u -p -r1.3 check_passwd
--- scripts/check_passwd 13 Jun 2003 03:42:26 -0000 1.3
+++ scripts/check_passwd 24 Jun 2003 16:04:52 -0000
@@ -111,10 +111,19 @@ do
}
done
- $AWK -F: '$2 == "" {print $1}' $WORKDIR/p1uid.$$ |
- while read username
+ $AWK -F: '{print $1,$2}' $WORKDIR/p1uid.$$ |
+ while read username passwd
do
- message FAIL pass011f "" "Username \`$username' has an empty password
field."
+ eval "case \"$passwd\" in
+ \"\")
+ message FAIL pass011f \"\" \"Username \\\`$username' has an empty
password field.\"
+ ;;
+ $Tiger_Passwd_Hashes|\*)
+ ;;
+ *)
+ message WARN pass013w \"\" \"Username \\\`$username' is not using an
acceptable password hash ($passwd).\"
+ ;;
+ esac"
done
# $AWK -F: '{print $3}' $WORKDIR/p1uid.$$ |
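Review bot: the `eval` at the top of the new loop turns the second field of each password entry into shell source. The field is normally a token written by genpasswd (crypt3, md5, `*`, or empty), but when the sets are generated with `-p` the raw hash is passed through, and a field containing a backtick, `$(` or a double quote will break the generated `case` statement or be expanded by the shell running tiger. Avoid the `eval` by splitting `$Tiger_Passwd_Hashes` on `|` and comparing each entry with a plain `case "$passwd" in "$hash") ;; esac`, or at least validate that `$passwd` contains only `[A-Za-z0-9./$*]` before building the statement. Also, the pass013w message embeds `$passwd`, which in `-p` mode writes the hash itself into the report; print the recognised token or a fixed description instead.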
@@ -131,12 +140,24 @@ do
}
done
- $AWK -F: 'NF != 7 {print}' $WORKDIR/p1uid.$$ |
- while read entry
+ $AWK -F: "\$3 > $Tiger_Accounts_Trust {print \$6}" $WORKDIR/p1uid.$$ |
+ $SORT |
+ $UNIQ -c |
+ while read times homedir
do
- message WARN pass003w "$entry" "Malformed entry in $src1:"
+ [ $times -gt 1 ] && {
+ message WARN pass012w "" "Home directory $homedir exists multiple times
($times) in $src1."
+ }
done
-
+
+ if [ ! -n "$PWCK" ]; then
+ $AWK -F: 'NF != 7 {print}' $WORKDIR/p1uid.$$ |
+ while read entry
+ do
+ message WARN pass003w "$entry" "Malformed entry in $src1:"
+ done
+ fi
+
$GREP -v "^$passwd1\$" $WORKDIR/pass2.$$ |
while read passwd2
do
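Review bot: the duplicate-home-directory check filters on `$3 > $Tiger_Accounts_Trust`, so duplicates among accounts at or below the trust threshold (system accounts sharing `/`, or a second uid-0 account sharing root's home) are never reported; if that is intended, say so in the pass012w documentation, otherwise drop the uid filter. Entries with an empty sixth field all collapse into one empty `homedir`, producing a warning that reads "Home directory  exists multiple times"; skip the empty value explicitly before the `$times -gt 1` test. Minor: `[ ! -n "$PWCK" ]` reads better as `[ -z "$PWCK" ]`.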
@@ -186,8 +207,8 @@ $OUTPUTMETHOD
[ -n "$PWCK" ] && {
# TODO: Add the results to the report
- pwckerr=`$PWCK /etc/passwd /etc/shadow >/dev/null 2>&1`
- if [ $? -ne 0 ] ; then
+ pwckerr=`$PWCK /etc/passwd /etc/shadow 2>&1`
+ if [ -n "$pwckerr" ] ; then
message WARN pass006w "" "Integrity of password files questionable
($PWCK)."
fi
}
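Review bot: switching from the exit status to "any output" fixes HP-UX's constant exit 0 but over-reports on Linux, where pwck can print informational warnings (a missing home directory, for example) without necessarily returning a non-zero status, so pass006w would fire on otherwise healthy Debian and Red Hat hosts. Keep the exit-status test and add the output test only where the platform is known to always return 0, e.g. `[ $? -ne 0 ] || [ -n "$pwckerr" ]` gated on a per-platform flag. Since `$pwckerr` is now captured anyway, the TODO above this hunk can be resolved by including it in the report instead of discarding it.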
Index: systems/HPUX/genpasswd
===================================================================
RCS file: /usr/local/taracvs/tiger-3.2/systems/HPUX/genpasswd,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 genpasswd
--- systems/HPUX/genpasswd 27 May 2003 23:13:52 -0000 1.1.1.1
+++ systems/HPUX/genpasswd 24 Jun 2003 16:04:52 -0000
@@ -24,15 +24,52 @@ local=0
for parm
do
case "$parm" in
- -p) ;;
+ -p) passwordflag=Y;;
-l) local=1;;
*) outfile="$parm";;
esac
done
+zappasswd()
+{
+ IFS=:
+ while read user passwd rest
+ do
+ tcbfile="/tcb/files/auth/${user%${user#?}}/$user"
+ if [ -f $tcbfile ]; then
+ passwd=`$AWK -F: '/u_pwd=/ { print substr($2, 7) }' $tcbfile`
+ fi
+
+ case $passwd in
+ # bigcrypt passwords used in trusted mode. (13 + (x * 11))
+
[a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./]+([a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./]))
+ passwd="bigcrypt"
+ ;;
+ # Normal UNIX passwds (13 chars)
+
[a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./][a-zA-Z0-9\./]?(,[a-zA-Zo-9\.]+))
+ passwd="crypt3"
+ ;;
+ "")
+ passwd=""
+ ;;
+ *)
+ passwd="*"
+ ;;
+ esac
+ echo "$user:$passwd:$rest"
+ done
+}
$GREP -v '^[-+]' /etc/passwd |
-$SORT > $WORKDIR/etc_passwd.$$
+$SORT |
+{
+ if [ "$passwordflag" = 'Y' ]; then
+ $CAT
+ else
+ zappasswd
+ fi
+} > $WORKDIR/etc_passwd.$$
+
echo "/etc/passwd" > $WORKDIR/etc_passwd.$$.src
echo $WORKDIR/etc_passwd.$$ >> $outfile
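Review bot: the crypt(3) pattern's optional ageing suffix is written `?(,[a-zA-Zo-9\.]+)` with a lowercase letter o, so digits never match and any entry carrying password ageing is classified as `*`; it should be `[a-zA-Z0-9./]`. `IFS=:` is set inside zappasswd and never restored, and because `{ ... } > file` is the last stage of the pipeline the HP-UX shell runs it in the current process, so every later word split in this script uses `:` as separator; save and restore IFS, or confine it with `IFS=: read user passwd rest`. The `+( )` and `?( )` groups are ksh extended patterns, which is fine for HP-UX /bin/sh but means zappasswd cannot be reused unchanged under a POSIX sh. Finally, `[ -f $tcbfile ]` should quote the variable.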
Index: systems/Linux/2/gen_passwd_sets
===================================================================
RCS file: /usr/local/taracvs/tiger-3.2/systems/Linux/2/gen_passwd_sets,v
retrieving revision 1.2
diff -u -p -r1.2 gen_passwd_sets
--- systems/Linux/2/gen_passwd_sets 13 Jun 2003 03:27:08 -0000 1.2
+++ systems/Linux/2/gen_passwd_sets 24 Jun 2003 16:04:52 -0000
@@ -116,7 +116,14 @@ do
fi
else
- $CAT /etc/passwd > $WORKDIR/etc_passwd.$$
+ $CAT /etc/passwd |
+ {
+ if [ "$passwordflag" = 'Y' ]; then
+ $CAT
+ else
+ zappasswd
+ fi
+ } > $WORKDIR/etc_passwd.$$
echo "/etc/passwd" > $WORKDIR/etc_passwd.$$.src
echo $WORKDIR/etc_passwd.$$ >> $outfile
fi
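Review bot: this hunk calls `zappasswd` and tests `$passwordflag`, but neither is defined anywhere in the diff for this file; if they come from the earlier Debian patches, say so in the description, otherwise the Linux side fails with "zappasswd: not found". The Linux zappasswd also has to recognise MD5 hashes (the `$1$` prefix) and emit `md5`, since `md5` is in the tigerrc default but the only classifier shown in this patch is the HP-UX one, which knows crypt3 and bigcrypt only; without it every MD5 account on Debian or Red Hat is reported under pass013w.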