From: Ralph Huntington (rjhmohawk.net)
Date: Thu Jun 07 2001 - 14:15:38 CDT

    I use "expect" and a script-generated script for encrypting the passwd.
    Here's the shell script my account-maker script generates and then runs to
    set the password. This happens after the account-maker script uses "pw" to
    make the actual user account (which puts a "*" in the passwd field).

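    #!/usr/local/bin/expect
    # "username" and "PassWord" are placeholders filled in by the generating script
    set argv username
    # run passwd for that user without echoing the command line
    spawn -noecho passwd [lindex $argv 0]
    expect "Changing local password for username."
    send ""
    # answer the new-password prompt, then the retype prompt
    expect "word:"
    send "PassWord\r"
    expect "word:"
    send "PassWord\r"
    expect eof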

    Obviously, have your script replace "username" with the actual username
    and "PassWord" with the actual plaintext password. For security, have your
    script unlink the expect script after it has run.

    This just uses the "passwd" command non-interactively thanks to the expect
    utility. It may not be terribly elegant, but I use this every day and it
    works fine. I hope it's useful for you!

            Ralph

    On Thu, 7 Jun 2001, David Miner wrote:

    > On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:
    >
    > > a simple script using pwgen(1) from the ports collection to generate the
    > > cleartext password, using pw(8)'s instrumentation for passing a password
    > > to it via filehandle would simplify things a bit, i think.
    > > /k
    > >
    > It's not the generation of the passwords that is the problem. It's the
    > encryption.
    >
    > I put print statements into the program, created two users, and checked
    > vipw.
    >
    > These are the outputs:
    >
    > entries in pwd.db:
    >
    > try-1:wUe7aHIXK/8O.:1260:1337::0:0:LIStry-1:/usr/try-1:/bin/csh
    > try-2:tgx8fwK0d6cQM:1261:1338::0:0:LIStry-2:/usr/try-2:/bin/csh
    >
    > Program output:
    >
    > Enter password file name: pw7
    > Password file read
    > Enter path to home directories: /usr
    > Enter class name: try
    > Enter first number wanted: 1
    > Enter number of users wanted: 2
    > try-1 chock1
    >
    > wUlVdJxRtry-1 /usr/try-1 wUe7aHIXK/8O.
    > chpass: updating the database...
    > chpass: done
    > try-2 chock1
    >
    > tgtM0gIZtry-2 /usr/try-2 tgx8fwK0d6cQM
    > chpass: updating the database...
    > chpass: done
    >
    > Notice that the encrypted password from the program appears to be the same
    > as reported in vipw. But the user cannot login with the password.
    >
    > David
    > ---------------------------------------------------------------------
    > David R. Miner minerlis.fsu.edu
    > Systems Integrator voice: 850-644-8107
    > School of Information Studies fax: 850-644-6253
    > Florida State University
    > Tallahassee, FL 32306-2100
    >
    >
    >
    > To Unsubscribe: send mail to majordomoFreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message
    >
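Karsten's quoted suggestion, handing the password to pw(8) over a file descriptor, avoids generating a script file that holds the plaintext. A sketch of that approach as an added example (not code from this thread): `set_password`, `valid_username` and the `PW_CMD` override are names assumed here, and the account is assumed to exist already.

```shell
#!/bin/sh
# Added example: set an existing account's password through pw(8)'s
# "-h fd" option, so the plaintext is never written to a file and never
# appears as a command-line argument.

# PW_CMD is an assumption of this example (lets the pw call be stubbed
# for testing); on a real FreeBSD system it stays "pw".
PW_CMD=${PW_CMD:-pw}

# valid_username NAME: accept only a conservative character set and
# refuse names that start with "-" so they cannot be taken as options.
valid_username() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# set_password USER: reads the password from the first line of stdin,
# e.g.  some-generator | set_password try-1
set_password() {
    user=$1
    valid_username "$user" || { echo "set_password: bad username" >&2; return 2; }

    pass=
    IFS= read -r pass || :          # tolerate a final line without newline
    [ -n "$pass" ] || { echo "set_password: empty password" >&2; return 3; }

    # printf is a builtin in FreeBSD sh, bash and dash, so the password
    # is not exposed in any process's argument list.
    # -h 0 tells pw to read the new password from file descriptor 0.
    printf '%s\n' "$pass" | "$PW_CMD" usermod "$user" -h 0
    rc=$?
    unset pass
    return "$rc"
}

# Stand-alone use: sh thisfile USERNAME < password-source
if [ "$#" -gt 0 ]; then
    set_password "$1"
fi
```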