ena@pyramid.UUCP (Eric Aubery) (02/08/85)
Here's a little shell script and program that test to see if any of the
users on your system are joes. A joe is defined as someone who uses their
login name as their password. The joes will be identified as being
NOT SECURE.

I was amazed that on all the systems I tried there was always at least one
joe. On some there were as many as 20% joes.

The shell scripts are identified as ATT for Bell derivatives, BSD for
Berkeley derivatives, and PYR for Pyramid dual universe systems. Well,
actually they're all pretty similar.

Format is shar archive:

+++++++++++++++++++++++++ CUT HERE +++++++++++++++++++++++++++++++++++++
# -------- joetest.ATT --------
echo extracting file joetest.ATT
cat << 'THE_END' > joetest.ATT
# /bin/sh
TMP1=/tmp/jt$$
PSWD=${1-"/etc/passwd"}
cut -d: -f1,2 $PSWD > $TMP1
ed - $TMP1 <<!
1,\$s/:/ /
w
q
!
cat $TMP1 | while read PASS SEED
do
	echo "$PASS \c"
	RESULT="`makekey $SEED $PASS`"
	if [ \( $? -eq 0 \) -a \( "$RESULT" = "$PASS $SEED" \) ]
	then
		echo NOT SECURE
	else
		echo SECURE
	fi
done
rm $TMP1
THE_END
# -------- joetest.BSD --------
echo extracting file joetest.BSD
cat << 'THE_END' > joetest.BSD
# /bin/sh
TMP1=/tmp/jt$$
PSWD=${1-"/etc/passwd"}
#cut -d: -f1,2 $PSWD > $TMP1
cp $PSWD $TMP1
chmod 777 $TMP1
ed - $TMP1 <<!
1,\$s/^\\(.*:.*\\):.*:.*:.*:.*:.*\$/\\1/
1,\$s/:/ /
w
q
!
cat $TMP1 | while read PASS SEED
do
#	echo "$PASS \c"
	echo -n $PASS
	RESULT="`makekey $SEED $PASS`"
	if [ \( $? -eq 0 \) -a \( "$RESULT" = "$PASS $SEED" \) ]
	then
		echo NOT SECURE
	else
		echo SECURE
	fi
done
rm $TMP1
THE_END
# -------- joetest.PYR --------
echo extracting file joetest.PYR
cat << 'THE_END' > joetest.PYR
# /bin/sh
TMP1=/tmp/jt$$
PSWD=${1-"/etc/passwd"}
att cut -d: -f1,2 $PSWD > $TMP1
ed - $TMP1 <<!
1,\$s/:/ /
w
q
!
cat $TMP1 | while read PASS SEED
do
	att echo "$PASS \c"
	RESULT="`makekey $SEED $PASS`"
	if [ \( $? -eq 0 \) -a \( "$RESULT" = "$PASS $SEED" \) ]
	then
		echo NOT SECURE
	else
		echo SECURE
	fi
done
rm $TMP1
THE_END
# -------- makekey.c --------
echo extracting file makekey.c
cat << 'THE_END' > makekey.c
#include <stdio.h>
char *crypt();
main(argc,argv)
char *argv[];
{
	char key[80];
	char *salt;
	int i,yes;
	if( argc < 3 )
	{
		/* fprintf(stderr,"Usage makekey salt key\n"); */
		exit(1);
	}
	salt = argv[1];
	yes = 0;
	/* copy at most 8 characters of the key, padding with NULs */
	for(i=0;i<8;i++)
		if(yes || argv[2][i] == '\0')
		{
			key[i] = '\0';
			yes++;
		}
		else
			key[i] = argv[2][i];
	key[8] = '\0';	/* terminate when the key is 8 or more characters */
	printf("%s %s\n",key, crypt(key, salt));
	return(0);
}
THE_END
echo Done with extraction
--
Eric N. Aubery          pyramid!ena
                        { dual }!pyramid!ena
Pyramid Technology Corporation, Mtn. View California

al@mot.UUCP (Al Filipski) (02/14/85)
> Here's a little shell script and program that test to see if any of the
> users on your system are joes. A joe is defined as someone who uses their
> login name as their password. The joes will be identified as being

Don't bother running this on System V.2. There are a lot more triviality
checks in passwd(1) and, among other things, circular shifts of the
login id are disallowed as passwords.

--------------------------------
Alan Filipski, UNIX group, Motorola Microsystems, Tempe, AZ U.S.A
{allegra | ihnp4 } ! sftig ! mot ! al
{seismo | ihnp4 } ! ut-sally ! oakhill ! mot ! al
--------------------------------
"O groin murder, wart bag icer gut. A nervous sausage bag ice ! "
        -- Ladle Rat Rotten Hut
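
The triviality check mentioned in the reply above (rejecting the login id and its circular shifts when a password is set), as an added example that is not part of either post and is not the System V passwd(1) source. The names is_login_shift and matches_rotation are hypothetical, and the case-insensitive comparison is an assumption of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if candidate equals login rotated left by
   `shift` characters. Case is folded (an assumption of this example). */
static int matches_rotation(const char *login, size_t len, size_t shift,
                            const char *candidate)
{
    size_t i;

    for (i = 0; i < len; i++) {
        int a = tolower((unsigned char)login[(i + shift) % len]);
        int b = tolower((unsigned char)candidate[i]);
        if (a != b)
            return 0;
    }
    return 1;
}

/* 1 if candidate is the login id itself (a "joe") or any circular
   shift of it; 0 otherwise. Shift 0 covers the plain joe case. */
int is_login_shift(const char *login, const char *candidate)
{
    size_t len = strlen(login);
    size_t shift;

    if (len == 0 || strlen(candidate) != len)
        return 0;
    for (shift = 0; shift < len; shift++)
        if (matches_rotation(login, len, shift, candidate))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample pairs: login id, proposed new password. */
    static const char *samples[][2] = {
        { "ena", "ena" }, { "ena", "nae" }, { "ena", "Aen" },
        { "ena", "ane" }, { "ena", "enable" }
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-4s %-7s %s\n", samples[i][0], samples[i][1],
               is_login_shift(samples[i][0], samples[i][1]) ? "REJECT" : "ok");
    return 0;
}
```

Running the check when the password is chosen stops a joe before its hash is ever written to /etc/passwd, whereas joetest only finds it afterwards.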