Interpreting the encrypted shadow password?


 
# 1  
Old 03-11-2008
Interpreting the encrypted shadow password?

We are currently using a script to copy the same encrypted password between our HP-UX and Solaris servers editing the trusted and shadow files directly. The encrypted password is only 13 characters long on both servers and decrypts the same way. Is there a way to copy this same string to Linux servers?

The encrypted password in the shadow file on one of our Linux servers looks like this:
$1$9EmV.jZO$YyfdtPT11aP3hE.jqX7Ve0

I've read the crypt 3 man page but I am not sure how to interpret it. Any idea if it's possible to replace 13 characters in this string to decrypt the same password?
# 2  
Old 03-11-2008
You can just go over to a Linux box, set the user's password, and see the result in the shadow file.

I do not know if encryption is identical on those three Unixes.

Your other choice: run some sort of script to update passwords remotely.
# 3  
Old 03-12-2008
Thanks Jim for the reply. The problem is that the encrypted password string on HP-UX and Solaris is 13 characters long. On Linux it is 34 characters long. I'm not sure if there are special meanings in these 34 characters or if it is just a 26 character salt or what. It would be nice if I could somehow figure out how to use the 13 character string somewhere in the Linux encryption.

We currently have an expect script to change passwords but it is painfully slow compared to the script I wrote for HP and Sun. I wanted to incorporate Linux into this script but cannot figure out how to do it.
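
Added example, not part of any post in this thread: a Python sketch that splits a shadow password field into scheme, salt and digest following the crypt(3) conventions. It assumes the Linux string quoted in the first post began with `$1$` (which gives the 34 characters reported above); the 13-character value is a constructed placeholder, not a real hash.

```python
import re
from collections import namedtuple

Parsed = namedtuple("Parsed", "scheme salt digest")

# Prefix ids used by crypt(3) implementations (glibc / libxcrypt).
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")  # crypt's base-64 alphabet


def parse_shadow_hash(field):
    """Classify the second colon-separated field of a shadow entry."""
    if field == "":
        return Parsed("empty", None, None)
    if field[0] in "!*":
        return Parsed("locked", None, None)
    if DES_RE.fullmatch(field):
        # Traditional DES crypt: 2-character salt, then 11-character digest.
        return Parsed("DES-crypt", field[:2], field[2:])
    if field.startswith("$"):
        parts = field.split("$")[1:]  # drop the empty piece before the first $
        scheme = SCHEMES.get(parts[0], "unknown id " + parts[0])
        if parts[0].startswith("2") and len(parts) == 3:
            # bcrypt: $id$cost$ then 22-char salt and digest run together.
            return Parsed(scheme, parts[2][:22], parts[2][22:])
        if len(parts) == 4 and parts[1].startswith("rounds="):
            parts.pop(1)  # optional rounds parameter of the SHA schemes
        if len(parts) == 3:
            return Parsed(scheme, parts[1], parts[2])
    return Parsed("unrecognised", None, None)


if __name__ == "__main__":
    samples = [
        "$1$9EmV.jZO$YyfdtPT11aP3hE.jqX7Ve0",  # thread's string, leading $ assumed
        "abCDEFGHIJKLM",                        # constructed 13-character value
        "1$9EmV.jZO$YyfdtPT11aP3hE.jqX7Ve0",   # same string without the leading $
    ]
    for s in samples:
        print(len(s), parse_shadow_hash(s))
```

Salt and digest lengths are fixed per scheme, so a 13-character DES value is a complete entry of its own and not a piece of the 34-character MD5-crypt value.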
# 4  
Old 03-12-2008
The simple answer is to identify the most secure and compatible hashing algorithm supported by all three platforms, settle on this and alter the systems' configurations to honor this algorithm and use it for future password generation. Then a method to generate the passwords for each user using the same salt on all three platforms could be devised along with a way to generate the users' passwd/shadow entries and then a method to add these to password/shadow files on target systems.

All of this would be simplified to a great degree if central authentication was in use, à la LDAP or NIS, unless I'm misunderstanding. Otherwise it's a poor man's directory service.
# 5  
Old 03-12-2008
We use Vintella for central authorization but do not use it for root or application IDs. In an enterprise this big changing any hashing algorithms for passwords is not feasible.

It sounds like I'm SOL. I can create a different script to handle just the Linux servers but was really hoping to be able to do it in one script.
# 6  
Old 03-12-2008
For your root and application passwords you can always use expect or automated ssh to batch process passwd changes driving the native platform's passwd. I've used expect for this in the past.

Code:
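#!/usr/bin/expect -f
# Batch password change: log in to each host and drive its native passwd.
# Usage: <script> username host1 [host2 ...]

# The posted script used loginprog, pwprompt and getInput without defining
# them; the definitions below are assumed values so that it runs.
set loginprog "ssh"
set pwprompt "\[Pp\]assword:"

# Read one line from the local terminal with echo switched off.
proc getInput {msg} {
    set timeout -1
    send_user $msg
    stty -echo
    expect_user -re "(.*)\n"
    stty echo
    send_user "\n"
    return $expect_out(1,string)
}

# Run after a manual login (bound to Ctrl-P in the interact block below).
proc manualChange {} {
    global prompt spawn_id timeout name username
    expect {
        -i $spawn_id -re $prompt {
            send_user "Logged in to host: $name as $username\n"
            # Send "\r" only: "\r\n" adds an empty line that the next prompt reads.
            send "passwd\r"
            expect -i $spawn_id -re ".*asswor.*" {
                set new [getInput "Password change for $username on $name: "]
                send "$new\r"
                expect -i $spawn_id -re "\[Rr\]e.*asswor.*" {
                    send "$new\r"
                    expect -i $spawn_id -re "$prompt" {
                        send_user "Password changed successfully for $name\n"
                    }
                }
            }
        }
        timeout {send_user "Timed out for spawn_id: $spawn_id\n"}
        eof {send_user "Abnormal termination for spawn_id: $spawn_id\n"}
    }
}

if {[llength $argv] < 2} {
    puts "Please provide:\n 1. username\n 2. list of hosts"
    exit
}
set username [lindex $argv 0]
set hostlist [lrange $argv 1 end]

## main()
set prompt "$username@.*|.*$username.*>|.*$username.*#"
foreach name $hostlist {
    if {![catch {eval spawn $loginprog $username@$name} err_spawn]} {
        puts "Connecting to $name..."
        expect {
            # Checked before $prompt: "user@host's password:" also matches
            # the "$username@.*" branch of the shell prompt pattern.
            -re $pwprompt {
                send_user "Log in manually and then press ^p to change password\n"
                interact {
                    # "\020" is Ctrl-P; -reset restores cooked terminal mode
                    # so getInput can read a whole line.
                    -reset "\020" {manualChange}
                }
            }
            -re $prompt {
                send_user "Logged in to host: $name as $username\n"
                send "passwd\r"
                expect -i $spawn_id -re ".*asswor.*" {
                    set new [getInput "Password change for $username on $name: "]
                    send "$new\r"
                    expect -i $spawn_id -re "\[Rr\]e.*asswor.*" {
                        send "$new\r"
                        expect -i $spawn_id -re "$prompt" {
                            send_user "Password changed successfully for $name\n"
                        }
                    }
                }
            }
            timeout {send_user "Timed out waiting on $name\n"}
            eof {send_user "Abnormal exit for connect() to host: $name\n"}
        }
    } else {
        puts "ERROR: Connecting to host: $name = $err_spawn"
    }
}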

Using ssh-agent and keys this is a quick way to change passwords and also allows you to catch hosts without keys, etc...
HTH.