08-30-2009
Periodic check of user password strength
I need to periodically run a check on the passwords of the users (Redhat 5.0) to verify that all passwords meet minimal standards. I remember seeing a script years ago that grabbed the encrypted passwords from the file and checked if they matched any of the encrypted strings in another file, plus it checked to see if they were just guessable variants of the username, etc.
I would like to find a similar script to run periodically on the servers. We have students putting up webservers for research purposes and sometimes they bypass security measures such as directly inserting the "new" password into the shadow file instead of using passwd().
chpasswd
CHPASSWD(8) System Management Commands CHPASSWD(8)
NAME
    chpasswd - update passwords in batch mode
SYNOPSIS
    chpasswd [options]
DESCRIPTION
    The chpasswd command reads a list of user name and password pairs from standard input and uses this information to update a group of existing users. Each line is of the format:

        user_name:password

    By default the passwords must be supplied in clear-text, and are encrypted by chpasswd. Also the password age will be updated, if present.

    By default, passwords are encrypted by PAM, but (even if not recommended) you can select a different encryption method with the -e, -m, or -c options.

    Except when PAM is used to encrypt the passwords, chpasswd first updates all the passwords in memory, and then commits all the changes to disk if no errors occurred for any user.

    When PAM is used to encrypt the passwords (and update the passwords in the system database) then if a password cannot be updated chpasswd continues updating the passwords of the next users, and will return an error code on exit.

    This command is intended to be used in a large system environment where many accounts are created at a single time.
OPTIONS
    The options which apply to the chpasswd command are:

    -c, --crypt-method METHOD
        Use the specified method to encrypt the passwords.
        The available methods are DES, MD5, NONE, and SHA256 or SHA512 if your libc supports these methods.
        By default, PAM is used to encrypt the passwords.

    -e, --encrypted
        Supplied passwords are in encrypted form.

    -S, --stdout
        Report encrypted passwords to stdout instead of updating password file.

    -h, --help
        Display help message and exit.

    -m, --md5
        Use MD5 encryption instead of DES when the supplied passwords are not encrypted.

    -s, --sha-rounds ROUNDS
        Use the specified number of rounds to encrypt the passwords.
        The value 0 means that the system will choose the default number of rounds for the crypt method (5000).
        A minimal value of 1000 and a maximal value of 999,999,999 will be enforced.
        You can only use this option with the SHA256 or SHA512 crypt method.
        By default, the number of rounds is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in /etc/login.defs.
CAVEATS
    Remember to set permissions or umask to prevent readability of unencrypted files by other users.
CONFIGURATION
    The following configuration variables in /etc/login.defs change the behavior of this tool:

    SHA_CRYPT_MIN_ROUNDS (number), SHA_CRYPT_MAX_ROUNDS (number)
        When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line).
        With a lot of rounds, it is more difficult to brute force the password. But note also that more CPU resources will be needed to authenticate users.
        If not specified, the libc will choose the default number of rounds (5000).
        The values must be inside the 1000-999999999 range.
        If only one of the SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS values is set, then this value will be used.
        If SHA_CRYPT_MIN_ROUNDS > SHA_CRYPT_MAX_ROUNDS, the highest value will be used.
        Note: This only affects the generation of group passwords. The generation of user passwords is done by PAM and subject to the PAM configuration. It is recommended to set this variable consistently with the PAM configuration.
FILES
    /etc/passwd
        User account information.
    /etc/shadow
        Secure user account information.
    /etc/login.defs
        Shadow password suite configuration.
    /etc/pam.d/chpasswd
        PAM configuration for chpasswd.
SEE ALSO
    passwd(1), newusers(8), login.defs(5), useradd(8).
System Management Commands 06/24/2011 CHPASSWD(8)
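
The crypt methods and SHA round limits documented above are visible in the password field of /etc/shadow, so a periodic audit can flag entries stored with DES or MD5, with too few rounds, or with no password at all, including hashes written into the file by hand. The following Python script is an added example, not part of the original thread or the shadow suite; the function names, the 5000-round default threshold and the sample lines (placeholder salts and hashes) are assumptions made for illustration, and it checks how a password is stored, not how guessable it is.

```python
import re

# crypt(3) id -> method name, matching the chpasswd -c methods (DES has no $id$ prefix).
SCHEMES = {"1": "MD5", "5": "SHA256", "6": "SHA512"}
DEFAULT_ROUNDS = 5000  # libc default when the hash carries no rounds= parameter

# Constructed sample in shadow(5) layout; salts and hashes are placeholders.
SAMPLE = """\
root:$6$rounds=100000$saltsalt$HASHPLACEHOLDER:14000:0:99999:7:::
alice:$1$saltsalt$HASHPLACEHOLDER:14000:0:99999:7:::
bob:ab0123456789A:14000:0:99999:7:::
carol::14000:0:99999:7:::
dave:$6$rounds=1000$saltsalt$HASHPLACEHOLDER:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
"""

def classify_hash(field):
    """Return (method, rounds); rounds is None unless the method is SHA-crypt."""
    if field == "":
        return "EMPTY", None
    if field[0] in "!*":  # locked account or no usable password
        return "LOCKED", None
    m = re.match(r"\$([0-9a-z]+)\$(?:rounds=(\d+)\$)?", field)
    if m:
        method = SCHEMES.get(m.group(1), "OTHER")
        rounds = int(m.group(2) or DEFAULT_ROUNDS) if method.startswith("SHA") else None
        return method, rounds
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):  # traditional 13-character DES crypt
        return "DES", None
    return "UNKNOWN", None

def audit_shadow(text, min_rounds=DEFAULT_ROUNDS):
    """Map user name -> finding for every entry that fails the policy."""
    report = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        method, rounds = classify_hash(parts[1])
        if method == "EMPTY":
            report[parts[0]] = "empty password field"
        elif method in ("DES", "MD5", "UNKNOWN"):
            report[parts[0]] = f"weak or unrecognised method {method}"
        elif rounds is not None and rounds < min_rounds:
            report[parts[0]] = f"{method} rounds {rounds} below {min_rounds}"
    return report

if __name__ == "__main__":
    print(audit_shadow(SAMPLE))
```

Reading the real /etc/shadow requires root, so a scheduled run would pass the file's contents to `audit_shadow` from a root-owned cron job and mail or log the resulting report.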