ena@pyramid.UUCP (Eric Aubery) (02/08/85)
Here's a little shell script and program that test to see if any of the
users on your system are joes. A joe is defined as someone who uses their
login name as their password. The joes will be identified as being
NOT SECURE. I was amazed that on all the systems I tried there was always
at least one joe. On some there were as many as 20% joes. The shell scripts
are identified as ATT for Bell derivatives, BSD for Berkeley derivatives,
and PYR for Pyramid dual universe systems. Well, actually they're all pretty
similar.
Format is shar archive:
+++++++++++++++++++++++++ CUT HERE +++++++++++++++++++++++++++++++++++++
# -------- joetest.ATT --------
echo extracting file joetest.ATT
cat << THE_END > joetest.ATT
# /bin/sh
TMP1=/tmp/jt$$
PSWD=${1-"/etc/passwd"}
cut -d: -f1,2 $PSWD > $TMP1
ed - $TMP1 <<!
1,\$s/:/ /
w
q
!
cat $TMP1 | while read PASS SEED
do
echo "$PASS \c"
RESULT="`makekey $SEED $PASS`"
if [ \( $? -eq 0 \) -a \( "$RESULT" = "$PASS $SEED" \) ]
then
echo NOT SECURE
else
echo SECURE
fi
done
rm $TMP1
THE_END
# -------- joetest.BSD --------
echo extracting file joetest.BSD
cat << THE_END > joetest.BSD
# /bin/sh
TMP1=/tmp/jt$$
PSWD=${1-"/etc/passwd"}
#cut -d: -f1,2 $PSWD > $TMP1
cp $PSWD $TMP1
chmod 777 $TMP1
ed - $TMP1 <<!
1,\$s/^\\(.*:.*\\):.*:.*:.*:.*:.*\$/\\1/
1,\$s/:/ /
w
q
!
cat $TMP1 | while read PASS SEED
do
# echo "$PASS \c"
echo -n $PASS
RESULT="`makekey $SEED $PASS`"
if [ \( $? -eq 0 \) -a \( "$RESULT" = "$PASS $SEED" \) ]
then
echo NOT SECURE
else
echo SECURE
fi
done
rm $TMP1
THE_END
# -------- joetest.PYR --------
echo extracting file joetest.PYR
cat << THE_END > joetest.PYR
# /bin/sh
TMP1=/tmp/jt$$
PSWD=${1-"/etc/passwd"}
att cut -d: -f1,2 $PSWD > $TMP1
ed - $TMP1 <<!
1,\$s/:/ /
w
q
!
cat $TMP1 | while read PASS SEED
do
att echo "$PASS \c"
RESULT="`makekey $SEED $PASS`"
if [ \( $? -eq 0 \) -a \( "$RESULT" = "$PASS $SEED" \) ]
then
echo NOT SECURE
else
echo SECURE
fi
done
rm $TMP1
THE_END
# -------- makekey.c --------
echo extracting file makekey.c
cat << THE_END > makekey.c
#include <stdio.h>
char *crypt();
main(argc,argv)
char *argv[];
{
    char key[80];
    char *salt;
    int i,yes;
    if( argc < 3 ) {
        /* fprintf(stderr,"Usage makekey salt key\n"); */
        exit(1);
    }
    salt = argv[1];
    /* copy at most 8 characters of the key, padding the rest with NULs */
    yes = 0;
    for(i=0;i<8;i++)
        if(yes || argv[2][i] == '\0') {
            key[i] = '\0';
            yes++;
        }
        else
            key[i] = argv[2][i];
    key[8] = '\0'; /* an 8-character key would otherwise leave key[] unterminated */
    printf("%s %s\n",key, crypt(key, salt));
    return(0);
}
THE_END
echo Done with extraction
--
Eric N. Aubery pyramid!ena
{ dual }!pyramid!ena
Pyramid Technology Corporation, Mtn. View California

al@mot.UUCP (Al Filipski) (02/14/85)
> Here's a little shell script and program that test to see if any of the
> users on your system are joes. A joe is defined as someone who uses their
> login name as their password. The joes will be identified as being

Don't bother running this on System V.2. There are a lot more triviality
checks in passwd(1) and, among other things, circular shifts of the login
id are disallowed as passwords.
--------------------------------
Alan Filipski, UNIX group, Motorola Microsystems, Tempe, AZ U.S.A
{allegra | ihnp4 } ! sftig ! mot ! al
{seismo | ihnp4 } ! ut-sally ! oakhill ! mot ! al
--------------------------------
"O groin murder, wart bag icer gut.
A nervous sausage bag ice ! " -- Ladle Rat Rotten Hut
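
The check described in the reply above, sketched as an added example that is not part of either post and is not taken from any passwd(1) source: a password-change routine rejecting a candidate that is the login name or a circular shift of it. It goes beyond the thread by also ignoring case and rejecting the reversed login; those two extras, the function names and the sample pairs are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Verdicts; the names are this example's own, not from any passwd source. */
enum verdict { PW_OK = 0, PW_IS_LOGIN, PW_IS_SHIFT, PW_IS_REVERSE };

/* Compare cand, ignoring case, with login rotated left by k places,
 * or with login read backwards when rev is non-zero. */
static int same(const char *login, const char *cand, size_t n, size_t k, int rev)
{
    size_t i;

    for (i = 0; i < n; i++) {
        size_t j = rev ? n - 1 - i : (i + k) % n;
        if (tolower((unsigned char)login[j]) != tolower((unsigned char)cand[i]))
            return 0;
    }
    return 1;
}

/* Classify a proposed password against the account's login name.
 * PW_OK only means it passed these checks, not that it is strong. */
enum verdict check_password(const char *login, const char *cand)
{
    size_t n = strlen(login), k;

    if (n == 0 || strlen(cand) != n)
        return PW_OK;               /* a shift always has the same length */
    if (same(login, cand, n, 0, 0))
        return PW_IS_LOGIN;         /* the "joe" case from the first post */
    for (k = 1; k < n; k++)
        if (same(login, cand, n, k, 0))
            return PW_IS_SHIFT;     /* circular shift of the login id */
    if (same(login, cand, n, 0, 1))
        return PW_IS_REVERSE;       /* assumption: reversed login also refused */
    return PW_OK;
}

int main(void)
{
    /* Constructed login/password pairs, one per verdict. */
    const char *pairs[][2] = { {"joe", "joe"}, {"joe", "OEJ"},
                               {"root", "toor"}, {"joe", "x9!kQ"} };
    size_t i;

    for (i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-5s %-6s -> %d\n", pairs[i][0], pairs[i][1],
               check_password(pairs[i][0], pairs[i][1]));
    return 0;
}
```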