Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Periodic check of user password strength
Special Forums Cybersecurity Periodic check of user password strength Post 302348971 by tlynnch on Sunday 30th of August 2009 02:48:50 PM
Old 08-30-2009
Periodic check of user password strength
I need to periodically run a check on the passwords of the users (Redhat 5.0) to verify that all passwords meet minimal standards. I remember seeing a script years ago that grabbed the encrypted passwords from the file and checked if they matched any of the encrypted strings in another file, plus it checked to see if they were just guessable variants of the username, etc.

I would like to find a similar script to run periodically on the servers. We have students putting up webservers for research purposes and sometimes they bypass security measures such as directly inserting the "new" password into the shadow file instead of using passwd().
 

8 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Password safe encryption strength

I'm not sure if this is the right forum for this or not but we use a program called "Password Safe" to store the many root passwords we have for our Unix system. Now we are being called out by our security team to prove that this is a safe program to use. So far I have been able to determine... (1 Reply)
Discussion started by: keelba
1 Replies

2. UNIX for Advanced & Expert Users

password verification verify password of a user for only first 8 characters

Helo , I m using linux pam library for user and its password authentication. I m creating new user and giving its password.I m giving password of 10 characters.now when I login in as that newly created user its ask me $ su - ram Password: You are required to change your password immediately... (12 Replies)
Discussion started by: amitpansuria
12 Replies

3. Programming

Best way to check for system user and password in C

Hello, I'm implementing a very simple FTP client, and to do the login I would like to check against system users instead of using my own database, so that I can give the proper permissions to the newly created process that I spawn with fork. What's the best way for doing this in C? I've read... (4 Replies)
Discussion started by: royger
4 Replies

4. UNIX for Dummies Questions & Answers

Check password strength

For moderator: I made a new thread in a proper part of the forum now https://www.unix.com/homework-coursework-questions/137119-user-processes.html But now i wan't to make something which isn't related to a homework, so i hope you won't close this one. Thanks to those two answers, you helped me!... (9 Replies)
Discussion started by: petel1
9 Replies

5. AIX

How to find TX and RX strength?

I have an AIX server running 6.1. My SAN switch is reporting that it is only receiving 5.9 uWatts (micro watts) and it should be well over 100 uWatts. How can I see the transmit strength of my fiber card from within AIX? I have Emulex fiber cards. (1 Reply)
Discussion started by: kah00na
1 Replies

6. Programming

Periodic thread with clock_nanosleep

Hi I have a periodic task (with the highest priority) which I away every X nano-second. I am using the function clock_nanosleep with REAL_TIME timer. when I wake up, I versify that I was awake on time, and check if the delta between the last time I get to sleep and the current time is X... (4 Replies)
Discussion started by: laro1983
4 Replies

7. Cybersecurity

Openssl cipher strength

I have read the forums for strengthing the openssl ciphers on a server and the following command I can run: openssl ciphers -v 'TLSv1+HIGH:!SSLv2:RC4!MEDIUM:!aNULL:!eNULL:!3DES:!EXPORT:@STRENGTH' I have some services that cannot be set to higher levels like you can set in an httpd.conf file.... (1 Reply)
Discussion started by: hydrashok158
1 Replies

8. HP-UX

How to check password expiration date of particular user?

Hi Guys, I am new to HP-UX and want to find expiration date of particular user please also note i don't have root access on that server. for e.g. i have user abc on my HP box and want to know when its password going to expire and also when its password changed last time. I also try to... (7 Replies)
Discussion started by: Yasin Rakhangi
7 Replies

LEARN ABOUT SUNOS

ckpasswd

CKPASSWD(8)						    InterNetNews Documentation						       CKPASSWD(8)

NAME

       ckpasswd - nnrpd password authenticator

SYNOPSIS

       ckpasswd [-gs] [-d database] [-f filename] [-u username -p password]

DESCRIPTION

       ckpasswd is the basic password authenticator for nnrpd, suitable for being run from an auth stanza in readers.conf.  See readers.conf(5)
       for more information on how to configure an nnrpd authenticator.

       ckpasswd accepts a username and password from nnrpd and tells nnrpd(8) whether that's the correct password for that username.  By default,
       when given no arguments, it tries to check the password using PAM if support for PAM was found when INN was built.  Failing that, it tries
       to check the password against the password field returned by getpwnam(3).  Note that these days most systems no longer make real passwords
       available via getpwnam(3) (some still do if and only if the program calling getpwnam(3) is running as root).

       When using PAM, ckpasswd identifies itself as "nnrpd", not as "ckpasswd", and the PAM configuration must be set up accordingly.	The
       details of PAM configuration are different on different operating systems (and even different Linux distributions); see EXAMPLES below for
       help getting started, and look for a pam(7) or pam.conf(4) manual page on your system.

       When using any method other than PAM, ckpasswd expects all passwords to be stored encrypted by the system crypt(3) function and calls
       crypt(3) on the supplied password before comparing it to the expected password.	If you're using a different password hash scheme (like
       MD5), you must use PAM.

OPTIONS

       -d database
	   Read passwords from a database (ndbm or dbm format depending on what your system has) rather than by using getpwnam(3).  ckpasswd
	   expects database.dir and database.pag to exist and to be a database keyed by username with the encrypted passwords as the values.

	   While INN doesn't come with a program intended specifically to create such databases, on most systems it's fairly easy to write a Perl
	   script to do so.  Something like:

	       #!/usr/bin/perl
	       use NDBM_File;
	       use Fcntl;
	       tie (%db, 'NDBM_File', '/path/to/database', O_RDWR|O_CREAT, 0640)
		   or die "Cannot open /path/to/database: $!
";
	       $| = 1;
	       print "Username: ";
	       my $user = <STDIN>;
	       chomp $user;
	       print "Password: ";
	       my $passwd = <STDIN>;
	       chomp $passwd;
	       my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
	       my $salt = join '', @alphabet[rand 64, rand 64];
	       $db{$user} = crypt ($passwd, $salt);
	       untie %db;

	   Note that this will echo back the password when typed; there are obvious improvements that could be made to this, but it should be a
	   reasonable start.  Sometimes a program like this will be available with the name dbmpasswd.

	   This option will not be available on systems without dbm or ndbm libraries.

       -f filename
	   Read passwords from the given file rather than using getpwnam(3).  The file is expected to be formatted like a system password file, at
	   least vaguely.  That means each line should look something like:

	       username:pdIh9NCNslkq6

	   (and each line may have an additional colon after the encrypted password and additional data; that data will be ignored by ckpasswd).
	   Lines starting with a number sign ("#") are ignored.  INN does not come with a utility to create the encrypted passwords, but htpasswd
	   (which comes with Apache) can do so and it's a quick job with Perl (see the example script under -d).  If using Apache's htpasswd
	   program, be sure to give it the -d option so that it will use crypt(3).

       -g  Attempt to look up system group corresponding to username and return a string like "user@group" to be matched against in readers.conf.
	   This option is incompatible with the -d and -f options.

       -p password
	   Use password as the password for authentication rather than reading a password using the nnrpd authenticator protocol.  This option is
	   useful only for testing your authentication system (particularly since it involves putting a password on the command line), and does
	   not work when ckpasswd is run by nnrpd.  If this option is given, -u must also be given.

       -s  Check passwords against the result of getspnam(3) instead of getpwnam(3).  This function, on those systems that supports it, reads from
	   /etc/shadow or similar more restricted files.  If you want to check passwords supplied to nnrpd(8) against system account passwords,
	   you will probably have to use this option on most systems.

	   Most systems require special privileges to call getspnam(3), so in order to use this option you may need to make ckpasswd setgid to
	   some group (like group "shadow") or even setuid root.  ckpasswd has not been specifically audited for such uses!  It is, however, a
	   very small program that you should be able to check by hand for security.

	   This configuration is not recommended if it can be avoided, for serious security reasons.  See "SECURITY CONSIDERATIONS" in
	   readers.conf(5) for discussion.

       -u username
	   Authenticate as username.  This option is useful only for testing (so that you can test your authentication system easily) and does not
	   work when ckpasswd is run by nnrpd.	If this option is given, -p must also be given.

EXAMPLES

       See readers.conf(5) for examples of nnrpd(8) authentication configuration that uses ckpasswd to check passwords.

       An example PAM configuration for /etc/pam.conf that tells ckpasswd to check usernames and passwords against system accounts is:

	   nnrpd auth	 required pam_unix.so
	   nnrpd account required pam_unix.so

       Your system may want you to instead create a file named nnrpd in /etc/pam.d with lines like:

	   auth    required pam_unix.so
	   account required pam_unix.so

       This is only the simplest configuration.  You may be able to include common shared files, and you may want to stack other modules, either
       to allow different authentication methods or to apply restrictions like lists of users who can't authenticate using ckpasswd.  The best
       guide is the documentation for your system and the other PAM configurations you're already using.

       To test to make sure that ckpasswd is working correctly, you can run it manually and then give it the username (prefixed with
       "ClientAuthname:") and password (prefixed with "ClientPassword:") on standard input.  For example:

	   (echo 'ClientAuthname: test' ; echo 'ClientPassword: testing') 
	       | ckpasswd -f /path/to/passwd/file

       will check a username of "test" and a password of "testing" against the username and passwords stored in /path/to/passwd/file.  On success,
       ckpasswd will print "User:test" and exit with status 0.	On failure, it will print some sort of error message and exit a non-zero status.

HISTORY

       Written by Russ Allbery <rra@stanford.edu> for InterNetNews.

       $Id: ckpasswd.pod 9387 2011-12-26 05:42:18Z eagle $

SEE ALSO

       crypt(3), nnrpd(8), pam(7), readers.conf(5).

INN 2.5.3							    2011-12-26							       CKPASSWD(8)
All times are GMT -4. The time now is 08:45 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy