SUMMARY: passwd aging

From: Ian Lumb (ian@vortex.yorku.ca)
Date: Sat Jan 09 1993 - 07:59:56 CST



Greetings Folks:-

Sorry for the delay in getting you my summary ...

Here's the original question:

> Is there a utility available that checks a user's password, lets them
> know when it is too old, and suggests that they should choose a new one?

I received 13 responses (please see list below), and here's what I found:

. The suggestion that we ended up using here was stated by Jim Murff
(murff@irt.com), Christopher Nims <nims@Andersen.COM>, a local user, and
also Olivier MARCE <alf@lifac1.ens-cachan.fr> who wrote

> Trivial answer : read the passwd(1) man, especially the -x flag

Indeed many things in life are trivial - once you know how!

Annette Smith <laugh@life.dal.fsd.mot.com> provided a nice summary of
the passwd features which I have attached.

Before you get too excited though, Glenn Satchell
<ups!upstage!glenn@fourx.Aus.Sun.COM> cautions that

> Yep, it's built in to login and passwd(1), but there is a gotcha -
> password aging does not work with NIS passwd entries. It only works
> with entries in the local /etc/passwd. This is documented in the System
> and Network Manual (don't have one handy to check the page number). If
> you need this functionality with NIS then you need to purchase the ARM
> software from Sun.

as did Mike Raffety <miker@il.us.swissbank.com>

> SunOS includes password aging, but it won't work if you use NIS. Sun
> has an add-on product called SunShield, which makes password aging work
> with NIS, and a whole lot more in security (like making sure the password
> they choose isn't too obvious, auto-lockscreen, auto-logout, etc.). It's
> about US$3000 for a site license, and a bargain.

as well as Carmine Di Biase <carmine@usb.ve>

> The easiest way (I think) is to use NIS+, which comes with
> the new Solaris. Password aging works if you are not using the
> NIS services. NIS does not know about aging, NIS+ does

. Mike Jipping <jipping@cs.hope.edu> indicated that under SunOS 4.1.X
or later, passwd aging can be turned on by editing the /etc/passwd by
appending a field onto the password field, e.g.

     jipping:AbCdEfGhIjKlM,xx.xx:23:45:blah blah....
                          ^^^^^^
Have a look at Annette Smith's summary (attached) for more details on how
to implement this.

Kevin Sheehan {Consulting Poster Child} <ups!kevin@fourx.Aus.Sun.COM>
mentioned Sun SHIELD as did Scott Hayes
<scotteh@titan.wordperfect.com> who wrote

> Sun has some software called Sun SHIELD, ARM and ASET that can provide
> password aging and other security items.
>
> ARM handles the passwd stuff and ASET is a set of utils to monitor security
> and set up firewalls etc.

. Sun User Stephan <sd@walhalla.Germany.EU.net> suggested that I acquire
crack (the password cracker) to bash away at guessing users' passwords in
the /etc/passwd file. I located (with archie), installed and periodically
run crack routinely now. This was a very useful suggestion, and I have
attached this user's complete response below. I can also provide more info
on Crack.

Well, that's it. Many, many thanks to all respondees,

Ian.

--
Ian Lumb     Internet: <ian@vortex.yorku.ca>
Earth & Atmospheric Science, York University
North York, Ontario  M3J 1P3,  CANADA
Voice: (416) 736-5245; Fax: (416) 736-5817

Respondees:-

djm@blue.millipore.com Ukn Dec 12 04:36 94/4514 SUMMARY: Password prompt
sd@germany.eu.net Ukn Dec 16 08:20 65/2459 Re: passwd aging
jipping@cs.hope.edu Ukn Dec 16 06:32 44/1529 Re: passwd aging
alf@lifac1.ens-cachan.fr Ukn Dec 16 04:32 20/801 Re: passwd aging
upstage!glenn@fourx.Aus.Sun.COM Ukn Dec 16 03:50 72/2448 Re: passwd aging
root@irt.com Ukn Dec 16 11:44 30/914 Re: passwd aging
miker@il.us.swissbank.com Ukn Dec 16 11:25 25/1076 Re: passwd aging
carmine@usb.ve Ukn Dec 16 11:06 30/1054 passwd aging
nims@Andersen.COM Ukn Dec 16 10:35 56/1575 Re: passwd aging
scotteh@titan.wordperfect.com Ukn Dec 16 13:42 25/773
ups!kevin@fourx.Aus.Sun.COM Ukn Dec 16 19:50 28/1071 Re: passwd aging
cc_gucky@rcvie.co.at Ukn Dec 17 04:09 38/1431 Re: passwd aging
laugh@dal.fsd.mot.com Ukn Dec 30 16:47 106/3569 Re: passwd aging

Content-Description: summary of passwd's features

From: laugh@dal.fsd.mot.com (Annette D. Smith)
Date: Mon, 28 Dec 92 10:54:25 CST
To: ian@vortex.yorku.ca
Subject: Re: passwd aging

I haven't seen a summary posted, so I'll try again... (since this has bounced twice.)

====>

Date: Mon, 21 Dec 92 10:39:53 CST
From: laugh (Annette D. Smith)
To: ian@vortex.yorku.ca
Subject: Re: passwd aging

Yes, there are two ways to implement passwd aging on the SunOS 4.1 and up. If a lower version of OS is running, only the second will work. If NIS is running, the commands must be entered on the NIS master, the maps remade & pushed.

1. passwd -e username
   This will expire the current password causing the user to issue a new
   one as soon as they log in. It will require the current password,
   prompt for a new one and will not continue until a valid password has
   been set.

   passwd -x # username
   # equals a number of days that the password will be valid before a new
   one must be entered.

   passwd -n # username
   # equals the number of days that must pass before a user can change
   their passwd.

2. Aging can be set when the user account is created by entering a ,.
   (comma dot) in the password field of the /etc/passwd file. There is
   also a series of codes that can be placed after the comma to activate
   the time-out and the length-of-stay features. Although the passwd -x
   or -n is much easier to use and manipulate. If you are running lower
   than 4.X, email back to me and I will forward the codes to you.

username:,.:UID:GID:COMMENT:HOME:EXECUTABLE

Annette Smith, Sun Project Manager      laugh@life.dal.fsd.mot.com
International Training Center           (214) 888-2374
Motorola Field Service Division         (214) 243-6664 fax
Don't forget to laugh@life.. it's way too short as it is!

===> you sent

>From sun-managers-relay@ra.mcs.anl.gov Wed Dec 16 10:02:59 1992
Subject: passwd aging
To: Sun Managers <sun-managers@eecs.nwu.edu>

Greetings:-

Is there a utility available that checks a user's password, lets them
know when it is too old, and suggests that they should choose a new one?

I will summarize ...

TIA,

Ian.

--
Ian Lumb     Internet: <ian@vortex.yorku.ca>
Earth & Atmospheric Science, York University
North York, Ontario  M3J 1P3,  CANADA
Voice: (416) 736-5245; Fax: (416) 736-5817

Content-Description: crack: the passwd cracker

From: Stephan Deutsch <sd@germany.eu.net>
Date: Wed, 16 Dec 92 14:10:53 GMT
To: Ian Lumb <ian@vortex.yorku.ca>
Subject: Re: passwd aging

Hello,

> Greetings:-
>
> Is there a utility available that checks a user's password, lets them
> know when it is too old, and suggests that they should choose a new one?
>
> I will summarize ...
>
> TIA,
>
> Ian.

You should use crack to check the passwords of your users. As far as I know crack is the most powerful program to extract information from passwd files which can be used for intrusion.

Crack is using the passwd entry and will crypt its complete dictionaries to compare with the entries. Also all usual rules like:

- own name as password (forward, backward, partly capitalized)
- Capitalisation of the first and/or last letter
- etc.

will be checked by crack. Crack is also capable to operate through the network which is in my opinion a very powerful option.

You have to be aware, that all passwords detected by crack are security holes intruders can use to get into your system, because crack is PD and available on all important archive sites storing comp.sys.unix (I guess) crack was posted in.

On the other hand there is a package called COPS from the Computer Emergency Response team (CERT) which contains a program to check passwd entries and a lot of things which can cause trouble.

If nothing of this will solve all your problems you have to program something yourself (networld will be thankful I guess :-)

Ciao
Stephan

System-Administration,sd@Germany.EU.net,Tel.: +49 231 755 2444,Fax.:755 2386
Diese Signature wird gerade voellig neu ueberarbeitet...
This signature will be changed to an absolutely new one...
Ja sanimajuscia ss nowuem ssdjess nachoduem signaturuem...
...Da da eto plochaja russkaja jasuika...
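
An added example, not part of the original thread or of any Sun software: a small Python audit of the comma-suffixed aging field that Mike Jipping and Annette Smith describe above. It assumes the classic System V aging encoding (first character maximum weeks, second minimum weeks, the rest the week of last change, all in the crypt alphabet); check passwd(5) on your release. The account lines are constructed.

```python
import time

# The 64-character alphabet used for aging codes (same set as crypt(3) output).
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WEEK = 7 * 24 * 3600  # aging is counted in whole weeks since 1 Jan 1970

# Constructed sample entries; hashes are placeholders, not real crypt output.
SAMPLE = """\
alice:AbCdEfGhIjKlM,6/aG:101:20:Alice:/home/alice:/bin/csh
bob:NoPqRsTuVwXyZ,A.fG:102:20:Bob:/home/bob:/bin/csh
carol:aBcDeFgHiJkLm,.:103:20:Carol:/home/carol:/bin/csh
dave:nOpQrStUvWxYz:104:20:Dave:/home/dave:/bin/csh
erin:ZyXwVuTsRqPoN,./:105:20:Erin:/home/erin:/bin/csh
+::0:0:::
"""


def a64(chars):
    """Decode aging characters, least significant character first."""
    return sum(ALPHABET.index(c) << (6 * i) for i, c in enumerate(chars))


def audit(passwd_text, now=None):
    """Map each local user to the state of its password aging."""
    this_week = int((time.time() if now is None else now) // WEEK)
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line[0] in "#+-":
            continue  # blank lines, comments, NIS inclusion entries
        user, pwfield = line.split(":")[:2]
        _hash, comma, age = pwfield.partition(",")
        if not comma:
            report[user] = "no aging"
            continue
        max_w, min_w, changed = a64(age[:1]), a64(age[1:2]), a64(age[2:])
        if max_w == 0 and min_w == 0:
            report[user] = "must change at next login"
        elif min_w > max_w:
            report[user] = "only root may change"
        elif changed > this_week or this_week > changed + max_w:
            report[user] = "expired"
        else:
            report[user] = "ok, %d week(s) left" % (changed + max_w - this_week)
    return report


if __name__ == "__main__":
    for user, state in audit(SAMPLE, now=726537600).items():  # 9 Jan 1993
        print(user, state)
```

Accounts reported as "no aging" are the ones to follow up with `passwd -x`; as the replies above point out, only entries in the local /etc/passwd are covered, which is why the NIS `+` line is skipped.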
