It has been pointed out by a few sharp-eyed list members that there are a few flaws with the script as it is presented:

1) There is no file locking for /etc/shadow.
2) The pattern matching for the username is too general.
3) The encryption seed may be guessable.
4) There is no error checking for the password substitution.

While this script was not intended to be absolutely fool-proof, it should be a little more robust. The hazards of not knowing the tools used to implement a fix are obvious...

Stan Pietkiewicz
Stan.Pietkiewicz@statcan.ca
Informatics Technology Services Division - Statistics Canada
It may be statistically possible that my opinion is the same as someone else's - but it is still my opinion!

***************************************

Original Summary:

My apologies for the delayed summary, but I felt that a summary should include the solution...;-})

Thanks for the many hints. With suggestions from several list members, the following script was what our resident Perl programmer came up with:

***************

#!/usr/local/bin/perl
############################################################################
#
# Automated password change with password generator, to be run by root
#
# Name:    chpass
# Params:  user - Name of the user whose password is to be changed
# Purpose: Generate & Encrypt a new password. Encrypt so that the
#          password can be placed directly in the shadow file.
# Return:  The unencrypted password
#
############################################################################

$shadow = "/etc/shadow";
$user = shift;                              # User to change password
@passwd = split /:/, &genpass;              # New password
$pwd = $passwd[1];                          # Encrypted password

open SHADOW, $shadow or die "Could not open shadow";   # "or", not "||": "|| die" binds to $shadow and never fires
@lines = <SHADOW>;                          # Read in all lines of the shadow file
foreach $line (@lines) {
    if ($line =~ /$user:/) {                # Match for desired user ($user)
        # Replace only the second (password) field; the original
        # s/:(\w*|\W*)+:/ could swallow following fields when the hash
        # ended in '.' or '/'
        $line =~ s/^([^:]*):[^:]*:/$1:$pwd:/;
    }
}
close SHADOW or die "Close failed";         # Close the original shadow file

`chmod o+w $shadow`;                        # Temporarily add world write (root can write the file without it)
open SHADOW, ">" . $shadow or die "Could not open shadow";
print SHADOW @lines;                        # Write the modified lines back to the shadow file
close SHADOW or die "Close failed";
`chmod o-w $shadow`;                        # Remove world write again

print $passwd[0], "\n";

############################################################################
#
# Name:    genpass
# Params:  (none)
# Purpose: Generates a password and encrypts it so that the passwd
#          field can be placed directly in the shadow file.
# Return:  Returns a string with the password and the encrypted string
#          separated by a colon
#
############################################################################

sub genpass {
    srand(time() ^ ($$ + ($$ << 15)));      # Sets seed for random number
    $secret = "";                           # Will hold generated password
    while (! ($secret =~ /\w{10}/)) {       # Loop until 10 word characters have been collected
        $roll = int(rand 255);
        $char = chr($roll);
        if ($char =~ /\w{1}/) {
            $secret = $secret . $char;
        }
    }
    $passwd = substr($secret, 2, 10);       # Actual password (8 characters remain after offset 2)
    $salt = $secret;                        # crypt() uses only its first two characters as the salt
    return $passwd . ":" . crypt($passwd, $salt);   # Return string
}

exit;

*****************************************

Original question:

I am looking for a way to generate a password (ideally relatively difficult to guess) within a script to run on a Solaris 2.6 machine. Any ideas on how this could be done?

Thanks....
Stan Pietkiewicz
Stan.Pietkiewicz@statcan.ca
Informatics Technology Services Division - Statistics Canada
It may be statistically possible that my opinion is the same as someone else's - but it is still my opinion!

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Tue Jul 16 11:02:29 2002
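The following is an added example, not the script from the post nor anything the poster wrote: a hypothetical rewrite (called chpass2 here) that addresses the four flaws listed in the follow-up, so a reader can see what "a little more robust" looks like in the same language. It assumes perl 5.6 or later (lexical filehandles), traditional DES crypt(3), a lock file of its own next to the shadow file, and an optional second argument naming the file to edit, so it can be exercised against a copy instead of /etc/shadow. /dev/urandom is not part of a stock Solaris 2.6 install; the script uses it when present and otherwise leaves seeding to perl.

```perl
#!/usr/bin/perl
# chpass2 - hypothetical rewrite of the posted chpass script (added example).
# Addresses the four flaws from the summary: (1) locking, (2) anchored user
# match, (3) seeding, (4) checking that exactly one entry changed.
# Assumptions: perl 5.6+, DES crypt(3), a lock file of our own, and an
# optional second argument so it can be run against a copy of the file.
use strict;
use warnings;
use Fcntl qw(:flock);

my $user   = shift or die "usage: $0 user [shadow-file]\n";
my $shadow = shift || '/etc/shadow';
my $lock   = "$shadow.lock";       # assumed lock file; passwd(1) and vipw use their own
my $temp   = "$shadow.tmp.$$";

die "bad user name '$user'\n" if $user =~ /[:\s]/;

# (1) Serialise concurrent runs of this script with an advisory lock.
open(my $lk, '>', $lock) or die "cannot open $lock: $!";
flock($lk, LOCK_EX)      or die "cannot lock $lock: $!";

# (3) Seed from /dev/urandom when it exists; otherwise perl seeds itself on
#     the first rand() call, which is still better than time() xor pid.
if (open(my $rnd, '<', '/dev/urandom')) {
    my $n = read($rnd, my $buf, 4);
    close $rnd;
    srand(unpack('L', $buf)) if defined $n && $n == 4;
}

# Characters valid in a DES crypt(3) salt; also used for the password itself
# so the result is printable and shell-safe ('_' from \w is not a salt char).
my @alphabet = ('A'..'Z', 'a'..'z', '0'..'9', '.', '/');

sub genpass {
    my $len = shift;
    return join '', map { $alphabet[int(rand(scalar @alphabet))] } 1 .. $len;
}

my $plain = genpass(8);      # DES crypt only looks at the first 8 characters
my $salt  = genpass(2);      # salt drawn independently of the password
my $hash  = crypt($plain, $salt);

# (2) Match the login name as the whole first field, anchored at the start
#     of the line, and replace only the second field; aging fields stay.
open(my $in,  '<', $shadow) or die "cannot read $shadow: $!";
open(my $out, '>', $temp)   or die "cannot create $temp: $!";
chmod(0400, $temp)          or die "cannot chmod $temp: $!";
my $changed = 0;
while (my $line = <$in>) {
    $changed++ if $line =~ s/^\Q$user\E:[^:]*:/${user}:${hash}:/;
    print {$out} $line or die "write to $temp failed: $!";
}
close $in;
close $out or die "close of $temp failed: $!";

# (4) Install the new file only if exactly one entry was rewritten. rename()
#     within the same directory is atomic, so no reader sees a half-written
#     file and no "chmod o+w" window is needed.
if ($changed != 1) {
    unlink $temp;
    die "expected to change one entry for '$user', changed $changed\n";
}
rename($temp, $shadow) or die "cannot rename $temp to $shadow: $!";

close $lk;
unlink $lock;
print "$plain\n";
```

Try it on a copy first: `cp /etc/shadow /tmp/shadow.test && ./chpass2 stan /tmp/shadow.test`, then diff the two files; only the second field of the one matching line should differ. Two caveats a practitioner should keep in mind: the lock file here is private to this script, so it does not serialise against passwd(1) or vipw, which take their own lock through lckpwdf(3C); and, like the original, the script does not update the lastchg field, so password aging will not notice the change.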
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:49 EST