Verifying a users password on AIX setup with LPA
# 1  
Old 11-26-2015
Verifying a users password on AIX setup with LPA

Hello,

We're running AIX 6 & 7.

Previously we were using the old encryption technique (DES/crypt).
I have a GUI application that has a verify button (the verify button is sort of a digital signature) - the user clicks it, enters his or her password and we then make a call to a C module, which grabs the hashed password value from the shadow file.
We then grab the salt from the hashed value and make a call to the crypt function, which returns an encrypted string that we compare to the shadow string to verify the user is valid.

We've now introduced LPA onto our server which has effectively broken our verification.

I've looked at the "authenticate" function provided by libc, however, I have been unable to make this work (doesn't seem to do anything).
The manpage for the crypt function seems to signify that you can use LPA, but again, I haven't been able to make this work either. I believe I am passing in the correct salted value, but the string returned is always different so there's no way to match the hashed string with this one.

Would anyone know of an alternative way to verify a user on the system from within an application (without dropping them out to a commandline) ?

Thanks,

Chris
# 2  
Old 11-26-2015
You can create password hashes with openssl.
For example:
Code:
echo test123 | openssl passwd -stdin
echo test123 | openssl passwd -stdin -1

And with a fixed salt
Code:
echo test123 | openssl passwd -stdin -1 -salt AB

There might be other crypt methods available, see
Code:
openssl passwd -help

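Putting the re-hash-and-compare check the original post describes together with the openssl suggestion above, as an added example that is not code from the thread: a POSIX shell function that takes a stored `$1$salt$hash` string (the md5-crypt format `openssl passwd -1` emits), re-hashes the supplied password with the salt extracted from that string, and compares the two. The function names are made up for this example; it does not cover AIX LPA `{ssha512}` entries, which the thread resolves with authenticate().

```shell
#!/bin/sh
# Added example (not from the thread): verify a password against a stored
# md5-crypt string ($1$salt$hash) by re-hashing with the extracted salt.
# Assumes the stored value was produced by `openssl passwd -1`; AIX LPA
# {ssha512} entries are a different format and need authenticate().

# make_hash PASSWORD SALT -> prints $1$SALT$hash on stdout
make_hash() {
    printf '%s\n' "$1" | openssl passwd -stdin -1 -salt "$2"
}

# verify_pw STORED_HASH PASSWORD
# returns 0 on match, 1 on mismatch, 2 if the stored value is not md5-crypt
verify_pw() {
    stored=$1
    pw=$2
    case "$stored" in
        '$1$'*'$'*) ;;
        *) echo "unsupported hash format: expected \$1\$salt\$hash" >&2; return 2 ;;
    esac
    # the salt is the field between the second and third '$'
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    recomputed=$(make_hash "$pw" "$salt")
    # plain string compare; a C implementation should use a constant-time compare
    [ "$recomputed" = "$stored" ]
}
```

Because the salt is read back from the stored string rather than regenerated, the recomputed value is identical on every run, which is exactly the property the original poster lost when crypt() started returning a different string each call.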
# 3  
Old 11-27-2015
If only LPA was changed, authenticate() works quite well:

Code:
$ cat checkpw.c
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>     /* calloc, free */
#include <string.h>     /* strlen, strncpy, memset */
#include <unistd.h>     /* getlogin_r, getpass */
#include <limits.h>
#include <userpw.h>     /* PW_NAMELEN */
#include <usersec.h>    /* authenticate() */

int main(int argc, char *argv[])
{
        char *username, *pw, *msg = (char *)NULL;
        int rc, reenter = 0;

        if (argc > 2) {
                fprintf(stderr, "Usage: %s [username]\n", argv[0]);
                return 2;
        }

        if (argc == 2) {
                /* username is in argv[1] */
                username = (char *)calloc(strlen(argv[1]) + 1, 1);
                if (!username) {
                        fprintf(stderr, "can't allocate memory for username\n");
                        return 3;
                }
                strncpy(username, argv[1], strlen(argv[1]));
        } else {
                /* no argument: check the password of the invoking user */
                username = (char *)calloc(PW_NAMELEN + 1, 1);
                if (!username) {
                        fprintf(stderr, "can't allocate memory for username\n");
                        return 3;
                }
                rc = getlogin_r(username, PW_NAMELEN);
                if (rc) {
                        fprintf(stderr, "can't get current user's name, RC=%d\n", rc);
                        free(username);
                        return 4;
                }
        }

        printf("Checking password for user %s\n", username);

        pw = getpass("Enter password: ");
        if (!pw) {
                fprintf(stderr, "can't obtain password for user %s\n", username);
                free(username);
                return 5;
        }

        /*
         * authenticate() runs the configured login method (LPA included).
         * If it sets reenter, msg is the prompt for a further response and
         * the call must be repeated with that response; otherwise msg (if
         * any) is the error text for a failed attempt. msg is allocated by
         * the library and must be freed by the caller.
         */
        do {
                rc = authenticate(username, pw, &reenter, &msg);
                /* getpass() returns a static buffer: scrub the secret once used */
                memset(pw, 0, strlen(pw));
                if (reenter) {
                        pw = getpass(msg ? msg : "Enter response: ");
                        if (!pw) {
                                free(msg);
                                free(username);
                                return 5;
                        }
                } else if (msg) {
                        fputs(msg, stderr);
                }
                if (msg) {
                        free(msg);
                        msg = (char *)NULL;
                }
        } while (reenter);

        free(username);
        return rc;      /* 0 when the password was accepted */
}

Compilation:
Code:
$ cc checkpw.c -o checkpw

Check:
Code:
$ grep -p user /etc/security/passwd
user:
        password = {ssha512}06$verylongpassword
        lastupdate = 1448619478

$ ./checkpw user
Checking password for user user
Enter password:
$ echo $?
0

# 4  
Old 11-27-2015
It's working!

Thanks very much for both replies - I was certainly looking into the authenticate function as an alternative, but was having difficulty getting it to return anything useful, or anything at all really.

As it turns out, I forgot to give the program the proper low-level ownership/permissions, so it would always fail.

For those interested, the program needs to be owned by a root-level user/group and have 4755 permissions for it to be able to access the authentication level calls.

Again, thanks a bunch!


Chris

---------- Post updated at 03:28 PM ---------- Previous update was at 10:09 AM ----------

Another update on this for enquiring minds!

Previously, our crypt() call was in a shared object - and this used to work (still does with the old encryption method (non-LPA)). However, from what I've been able to tell, calls to crypt() using LPA currently require that the program have a proper authoritative owner and permissions, meaning if you create a stand-alone executable and give it the same permissions as listed above (and the proper salt), the crypt() function will work without issue.