Summary: random generator to change root password regularly - scripting help needed

From: Gold Sun <goldsun8_at_yahoo.com.sg>
Date: Tue May 31 2005 - 11:38:57 EDT
Hi,
 
Thanks for all the help - I've included most of the good responses
below.  In particular Mike Salehi & Simon Burr put in a lot of effort
with their scripts.
 
Many asked why a root password is needed if system admins don't need
it - well, I don't understand myself why Cisco's Netflow application
requires it & this application would fail to generate the network utilization
report if the root password expires.  I guess the scripts provided by Mike
& Simon to modify /etc/shadow will extend the root password's
expiry by another 30 days (i.e. the number of days it currently takes
to expire the root password after a new password has been set).
 
My colleague was teasing me that the Netflow application running on
AIX would still generate the report even though the root password on AIX
has expired - well, I'm not sure if I should believe him as he's
probably an AIX advocate.
 
 
Thanks
G Sun
====================================================

From: Mike Salehi
OK, here is my code; you need to strip out a lot you do not need. In
this script I have all the passwords, encrypt them and check against the
shadow to see if it's OK.
=
#!/usr/bin/perl
# Reads "node password" pairs from the file named on the command line,
# fetches each node's root entry from /etc/shadow over rcmd, and checks
# whether crypt() of the expected password matches the stored hash.
use strict;
use warnings;

my $pass = $ARGV[0] or die "usage: $0 passfile\n";
open(PASS, "<", $pass) || die("Cannot open $pass: $!");
while (my $line = <PASS>) {
    chomp($line);
    my ($node, $passwd_file) = split(/ /, $line);
    # root's shadow line from the remote node; anchored on "^root:" so other
    # accounts whose names merely contain "root" are not matched
    my $actual_passwd = `/apps/ektools/bin/rcmd -g $node grep '^root:' /etc/shadow 2>/dev/null`;
    my @info_real   = split(/:/, $actual_passwd);
    my $passwd_real = $info_real[1];
    unless (defined $passwd_real) {
        print "\nWarning $node: could not read root's shadow entry\n";
        next;
    }
    # traditional DES crypt(): 2-character salt followed by 11 hash characters
    my $salt             = substr($passwd_real, 0, 2);
    my $passwd_real_pass = substr($passwd_real, 2, 11);
    # hash the expected password with the same salt and compare the hash part
    my $passwd_file_encrypted      = crypt($passwd_file, $salt);
    my $passwd_file_encrypted_pass = substr($passwd_file_encrypted, 2, 11);
    if ($passwd_file_encrypted_pass eq $passwd_real_pass) {
        print "\n$node  matches the file\n";
    }
    else {
        print "\nWarning $node does not match \n";
    }
}
close(PASS);
----------------------------------------------
Hi,
 
For Solaris, there is no way to do this (that I know at least) other than using Expect. TCL/TK is also required as a front end of Expect. Expect comes with a script called autopasswd so you would not need Perl.
 
EP
 
--------------------------------------------------------------------

Hi,
 
Thanks for your offer, but I would rather have a simple
Shell script to do this as Expect requires Tcl to be installed.
 
I've tried :
 
# npw="Newpass9"
# (echo $npw; echo $npw) | passwd root
New Password:
(still prompts me for password - so not working)
Re-enter new Password:
#
#
# npw="Newpass9\n"   (I insert a linefeed character \n)
# echo $npw
Newpass9
               <== there's an extra line now due to \n
# (echo $npw; echo $npw) | passwd root
New Password:
(still prompts for password)
Re-enter new Password:
# passwd root < echo $npw
echo: cannot open
Is there no way out other than using Perl & Expect?
 
 
Thanks
G Sun
---------------------------------------------------------------------------------------------------
If the admins don't need the root password -- does there even need to
BE a root password? No root password = impossible to crack it.
Otherwise, something like this MIGHT work:
(newpass="`generate_pass`"; echo $newpass; echo $newpass) | passwd
Wesley W. Garland
---------------------------------------------------------------------------------------------------
> Hi,
>  
> We have hardened Solaris boxes where administrators do
> not need to know the root password (as we just do 'sudo -s').
>  
> It's the policy here that all passwords including root's must
> expire every 3 months but this created a problem to an
> application that would fail if the root password expires.
>  
> I have an idea/solution that the security person is agreeable to:
> "set up a script in crontab which runs every 90 days to
> change the password to a randomly generated password"
It looks to me that you'll soon end up without root access.
At first glance it looks like a nice feature, but
can you check some scenarios where the lack of a root
passwd disables your access to the machine?
What about sudo stopping functioning??
It can be rather dangerous in some DR or accident situations.
>  
> I've obtained a standalone tool from a TACACS application
> that would generate a different hashed password each time
> it's run even though the same fixed string(contained in the
> file input.txt) is input into it :
> ./generate_pass < input.txt
>   Password to be encrypted: J58rSyCjtnUhQ
> ./generate_pass < input.txt
>   Password to be encrypted: 2ZwWQZxHplNA.
There are some Expect tools for passwd handling;
check at expect.nist.gov
Damir
 
====================================
 
When it comes to the creation of the random password you shouldn't use
the generate_pass command you got from TACACS; I'm guessing that you'll
find that the "random string" is actually the plain text password from
the input.txt file encrypted using the crypt() function. The reason why
it's different each time is due to the salting of the DES function - the
first two letters of the hashed password indicate the salt used and are
passed as is into the crypt() function.
Better would be to actually generate a random password each time; you
can do this by using nawk (supplied with Solaris):
 % nawk 'BEGIN { srand(); for(x=0;x<8;x++) { p=p sprintf("%c",int(rand()*77)+40); } print p; }'
Alternatively, if you are using Solaris 9 or have Perl installed, then you
can do everything in a single script:
  #!/usr/bin/perl -w
  # Replace root's encrypted password in /etc/shadow with the DES crypt() of a
  # freshly generated random 8-character password.  Must be run as root.
  use strict;
  
  my $shadow="/etc/shadow";
  my @Salt=("a".."z","A".."Z",0..9,".","/");   # the crypt() salt alphabet
  
  # remember the owner/group of /etc/shadow so the replacement file matches
  my ($uid,$gid)=(stat($shadow))[4,5];
  (defined $uid) || die "$0: Failed to stat(\"$shadow\") - $!\n";
  
  # 8 random printable ASCII characters (codes 33..125); never stored anywhere
  my $pass="";
  $pass .= sprintf("%c",int(rand(93))+33) for (1..8);
  # two-character random salt, then the password, as crypt() expects
  my $unx=crypt($pass,$Salt[int(rand($#Salt + 1))] . $Salt[int(rand($#Salt + 1))]);
  
  open(OLD,$shadow) || die "$0: Failed to open $shadow for reading - $!\n";
  open(NEW,">$shadow.new") || die "$0: Failed to open $shadow.new for writing - $!\n";
  chmod(0600,"$shadow.new") || die "$0: Failed to chmod(0600,\"$shadow.new\") - $!\n";
  
  # copy every line, swapping only root's password field (field 2)
  while(<OLD>) {
    s/^(root):[^:]+:(.*)$/$1:$unx:$2/;
    print NEW $_;
  }
  
  if (!close(OLD)) {
    unlink("$shadow.new");
    die "$0: Failed to close file handle on $shadow - $!\n";
  }
  if (!close(NEW)) {
    unlink("$shadow.new");
    die "$0: Failed to close file handle on $shadow.new - $!\n";
  }
  if (!chown($uid,$gid,"$shadow.new")) {
    unlink("$shadow.new");
    die "$0: Failed to chown($uid,$gid,\"$shadow.new\") - $!\n";
  }
  
  # rename() is atomic, so /etc/shadow is never left half-written
  if (!rename("$shadow.new",$shadow)) {
    unlink("$shadow.new");
    die "$0: Failed to rename(\"$shadow.new\",\"$shadow\") - $!\n";
  }
  
  exit 0;
When the above script is run as root it will change the encrypted root
password in /etc/shadow to a random value; the passwords so generated look
similar to the following examples: dlr31!6_ D4rUI/O. v,;)|jkj ngp73xwM
  
    Simon Burr    
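Simon's Perl script above replaces only the hash field of root's line. The
following is an added example written for this summary, not code from Simon
or any other contributor: the same rewrite-and-rename approach as a POSIX sh
function, operating on a constructed shadow(4)-format sample file rather than
the real /etc/shadow. It differs from the Perl in two ways a practitioner
cares about: the password and salt are drawn from /dev/urandom instead of
rand(), and field 3 (lastchg, days since 1970-01-01) is refreshed as well,
because Solaris computes password age from that field, so swapping only the
hash does not restart the 90-day clock. Nothing is piped into passwd, which
reads the new password from the terminal rather than stdin (the behaviour
seen in the echo experiments earlier in the thread). The function names,
file paths and sample entries are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: rotate root's password hash in a
# shadow(4)-format file the way Simon's Perl script does, plus refresh the
# lastchg field (field 3, days since 1970-01-01) so the max-age clock restarts.
# Function names, paths and sample data here are assumptions, not Solaris APIs.
set -eu

# 8 printable, non-space ASCII characters ('!' .. '~'), one per urandom byte.
gen_pass() {
    LC_ALL=C tr -dc '!-~' < /dev/urandom | dd bs=1 count=8 2>/dev/null
}

# Two characters from the crypt() salt alphabet [a-zA-Z0-9./].
gen_salt() {
    LC_ALL=C tr -dc 'a-zA-Z0-9./' < /dev/urandom | dd bs=1 count=2 2>/dev/null
}

# Today as days since the epoch, the unit shadow(4) uses for lastchg.
# 'date +%s' is GNU/BSD; on Solaris use: perl -e 'print int(time/86400)'
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# set_shadow_hash FILE USER HASH LASTCHG
# Rewrites FILE so that USER's line carries HASH in field 2 and LASTCHG in
# field 3, leaving every other line and field untouched.  The new copy is
# created 0600 beside FILE and swapped in with one rename, so a crash midway
# never leaves a half-written shadow file behind.
set_shadow_hash() {
    file=$1; user=$2; hash=$3; lastchg=$4
    tmp="$file.new"

    # refuse to run if the account is not in the file at all
    grep -q "^$user:" "$file" || { echo "$user: no such entry in $file" >&2; return 1; }

    # umask in a subshell so only the temp file gets the restrictive mode
    ( umask 077
      awk -F: -v OFS=: -v u="$user" -v h="$hash" -v d="$lastchg" \
          '$1 == u { $2 = h; $3 = d } { print }' "$file" > "$tmp" )

    # sanity check before replacing: same number of lines in and out
    [ "$(wc -l < "$file")" -eq "$(wc -l < "$tmp")" ] || { rm -f "$tmp"; return 1; }

    chmod 0400 "$tmp"            # /etc/shadow on Solaris is mode 0400
    mv -f "$tmp" "$file"         # rename(2): atomic on the same filesystem
}

# Typical use as root, with the hash produced by Perl's crypt() as in Simon's script:
#   pw=$(gen_pass)
#   hash=$(perl -e 'print crypt($ARGV[0], $ARGV[1])' "$pw" "$(gen_salt)")
#   set_shadow_hash /etc/shadow root "$hash" "$(today_days)"
```

The line-count check and the separate temp file are the cheap safeguards
worth keeping even in a cron job: if awk is interrupted or the disk fills,
the original file is never touched, which matters when the account being
edited is the one you would need to repair the damage.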

 

*************** Original question : **********************

Hi,

We have hardened Solaris boxes where administrators do
not need to know the root password (as we just do 'sudo -s').

It's the policy here that all passwords including root's must
expire every 3 months but this created a problem to an
application that would fail if the root password expires.

I have an idea/solution that the security person is agreeable to:
"set up a script in crontab which runs every 90 days to
change the password to a randomly generated password"

I've obtained a standalone tool from a TACACS application
that would generate a different hashed password each time
it's run even though the same fixed string(contained in the
file input.txt) is input into it :
./generate_pass < input.txt
Password to be encrypted: J58rSyCjtnUhQ
./generate_pass < input.txt
Password to be encrypted: 2ZwWQZxHplNA.

The problem I'm facing is how to feed the encrypted password
into the "passwd root" command if someone could help me
with some Shell scripting here :
a)"passwd root" command will prompt for password twice
- so how can we feed the encrypted string into
"passwd root"
b)note that we should not run generate_pass twice as it
will create a different password - we need to enter the
same password twice (2nd time is confirmation)


Thanks for any help
G Sun



_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Tue May 31 11:39:18 2005

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:47 EST