Revised SUMMARY: Password generation

From: <Stan.Pietkiewicz_at_statcan.ca>
Date: Tue Jul 16 2002 - 10:37:37 EDT
It has been pointed out by a few sharp-eyed list members that there are a
few flaws with the script as it is presented:
1) There is no file locking for /etc/shadow.
2) The pattern matching for the username is too general.
3) The encryption seed may be guessable.
4) There is no error checking for the password substitution.

While this script was not intended to be absolutely fool-proof, it should be
a little more robust. The hazards of not knowing the tools used to implement
a fix are obvious...

Stan Pietkiewicz
Stan.Pietkiewicz@statcan.ca
Informatics Technology Services Division - Statistics Canada
It may be statistically possible that my opinion is the same
as someone else's - but it is still my opinion!

***************************************

Original Summary:

My apologies for the delayed summary, but I felt that a summary should
include the solution...;-})
Thanks for the many hints. With suggestions from several list members, the
following script was what our resident Perl programmer came up with:

***************

#!/usr/local/bin/perl

############################################################################
#
# Automated password change with password generator, to be run by root 
#
# Name:		chpass
# Params:	user - Name of the user whose password is to be changed
# Purpose:	Generate & Encrypt a new password. Encrypt so that the 
#		password can be placed directly in the shadow file.
# Return:	The unencrypted password
#
############################################################################

$shadow = "/etc/shadow";
$user = shift;                                          # User to change password

@passwd = split /:/, &genpass;                          # New password
$pwd = $passwd[1];                                      # Encrypted password

# No lock is taken on the shadow file, so a concurrent passwd(1) run can
# clobber this edit (flaw 1 above).
open(SHADOW, $shadow) || die "Could not open shadow";   # Parenthesised: written as
                                                        # "open SHADOW, $shadow || die",
                                                        # the || binds to $shadow and
                                                        # the die can never fire

@lines = <SHADOW>;                                      # Read in all lines of the shadow file
foreach $line (@lines) {
    if ($line =~ /$user:/) {                            # Match for desired user ($user);
                                                        # unanchored, so "bob:" also
                                                        # matches "robbob:" (flaw 2 above)
        $line =~ s/^([^:]*):[^:]*:/$1:$pwd:/;           # Replace only the second (password)
                                                        # field; the result is not checked
                                                        # (flaw 4 above)
    }
}

close(SHADOW) || die "Close failed";                    # Close the original shadow file

# Root can rewrite /etc/shadow whatever its mode bits say, so the file is
# not chmod'ed; in particular it must never be made world-writable.
open(SHADOW, ">" . $shadow) || die "Could not open shadow for writing";
print SHADOW @lines;                                    # Write the array back to the shadow file
close(SHADOW) || die "Close failed";

print $passwd[0], "\n";

############################################################################
#
# Name:		genpass
# Params:	(none)
# Purpose:	Generates a password and encrypt it so that the passwd 
#		field can be placed directly in the shadow file.
# Return:	Returns a string with the password and the encrypted string
#		separated by a colon
#
############################################################################

sub genpass {
    srand(time() ^ ($$ + ($$ << 15)) );                 # Seed from time and pid:
                                                        # guessable (flaw 3 above)
    $secret = "";                                       # Will hold generated characters

    while (! ($secret =~ /\w{10}/)) {                   # Loop generates 10 word characters
        $roll = int(rand 255);
        $char = chr($roll);

        if ($char =~ /\w{1}/) {
            $secret = $secret . $char;
        }
    }

    $passwd = substr($secret, 2, 8);                    # Actual password: characters 3-10
                                                        # (crypt uses at most 8)
    $salt = substr($secret, 0, 2);                      # First two characters are the salt;
                                                        # crypt() ignores anything beyond them

    return $passwd . ":" . crypt($passwd, $salt);       # Return "plaintext:hash"
}

exit;

*****************************************

Original question:

I am looking for a way to generate a password (ideally relatively difficult
to guess) within a script to run on a Solaris 2.6 machine. Any ideas on how
this could be done?

Thanks....

Stan Pietkiewicz
Stan.Pietkiewicz@statcan.ca
Informatics Technology Services Division - Statistics Canada
It may be statistically possible that my opinion is the same
as someone else's - but it is still my opinion!
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
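The four flaws listed in the revised summary (no locking, an unanchored username match, a guessable seed, an unchecked substitution), addressed in one script. This is an added example, not the script from the original post nor anything supplied on the list. It assumes Perl 5.6 or later, a /dev/urandom device (Solaris 2.6 needs the SUNWski patch for one; later releases ship it), that /etc/.pwd.lock is the file lckpwdf(3C) and hence passwd(1) lock, and that Perl's flock() on Solaris (which is emulated with fcntl record locks) interoperates with that lock. The temp-file-and-rename write is also an addition, not something the original post did.

```perl
#!/usr/local/bin/perl
# chpass2 - added example; assumptions are marked in the comments below.
use strict;
use warnings;
use Fcntl qw(:flock O_WRONLY O_CREAT O_EXCL);

my $shadow = "/etc/shadow";
my $lockf  = "/etc/.pwd.lock";      # assumed: lock file used by lckpwdf(3C)/passwd(1)
my $urand  = "/dev/urandom";        # assumed present (SUNWski patch on Solaris 2.6)

my @pw_chars   = ('a'..'z', 'A'..'Z', '0'..'9');
my @salt_chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Exactly $n bytes from the kernel RNG, instead of rand() seeded from
# time and pid (flaw 3).
sub random_bytes {
    my ($n) = @_;
    open(my $fh, '<', $urand) or die "open $urand: $!\n";
    binmode($fh);
    my $buf = '';
    while (length($buf) < $n) {
        my $got = sysread($fh, $buf, $n - length($buf), length($buf));
        die "read $urand: $!\n" unless defined($got) && $got > 0;
    }
    close($fh);
    return $buf;
}

# $n characters drawn uniformly from @$set: bytes at or above the largest
# multiple of the set size are discarded so "$b % $size" carries no bias.
sub random_string {
    my ($n, $set) = @_;
    my $size  = scalar(@$set);
    my $limit = 256 - (256 % $size);
    my $out   = '';
    while (length($out) < $n) {
        for my $b (unpack('C*', random_bytes(16))) {
            next if $b >= $limit;
            $out .= $set->[$b % $size];
            last if length($out) >= $n;
        }
    }
    return $out;
}

# Traditional crypt(3) uses at most 8 password characters and a 2-character
# salt, so generate exactly those and return (plaintext, hash).
sub genpass {
    my $pw   = random_string(8, \@pw_chars);
    my $salt = random_string(2, \@salt_chars);
    return ($pw, crypt($pw, $salt));
}

sub chpass {
    my ($user) = @_;
    # flaw 2: validate the name, then match it anchored at the start of the line
    $user =~ /^[a-z_][a-z0-9_-]{0,31}$/ or die "bad username '$user'\n";

    # flaw 1: hold the password-file lock for the whole read-modify-write
    open(my $lock, '>>', $lockf) or die "open $lockf: $!\n";
    flock($lock, LOCK_EX)        or die "flock $lockf: $!\n";

    open(my $in, '<', $shadow) or die "open $shadow: $!\n";
    my @st    = stat($in) or die "stat $shadow: $!\n";
    my @lines = <$in>;
    close($in);

    my ($pw, $hash) = genpass();

    # flaw 4: replace only the second field of the line that begins with
    # "$user:", and write nothing unless exactly one line changed
    my $changed = 0;
    for my $line (@lines) {
        $changed++ if $line =~ s/^(\Q$user\E):[^:]*:/$1:$hash:/;
    }
    die "user '$user' not found in $shadow\n"              if $changed == 0;
    die "user '$user' matched $changed lines in $shadow\n" if $changed > 1;

    # Write a new file beside the old one and rename it into place, so a
    # crash mid-write never leaves a truncated shadow file; keep owner/mode.
    my $tmp = "$shadow.$$";
    sysopen(my $out, $tmp, O_WRONLY | O_CREAT | O_EXCL, 0400)
        or die "create $tmp: $!\n";
    print {$out} @lines or die "write $tmp: $!\n";
    close($out)         or die "close $tmp: $!\n";
    chown($st[4], $st[5], $tmp) == 1 or die "chown $tmp: $!\n";
    chmod($st[2] & 07777, $tmp) == 1 or die "chmod $tmp: $!\n";
    rename($tmp, $shadow) or die "rename $tmp to $shadow: $!\n";
    close($lock);
    return $pw;
}

@ARGV == 1 or die "usage: $0 user\n";
print chpass($ARGV[0]), "\n";
```

Run as root with the username as the only argument; the new plaintext password is printed on stdout, as in the original script. The password alphabet is limited to alphanumerics because only the first 8 characters reach crypt(3), so length is capped and the entropy comes from the uniform draw rather than from a larger character set.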
Received on Tue Jul 16 11:02:29 2002

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:49 EST