jbm@uncle.UUCP (John B. Milton) (12/08/88)
In article <5439@cbmvax.UUCP> ditto@cbmvax.UUCP (Michael "Ford" Ditto) writes: >In article <7059@chinet.chi.il.us> ignatz@chinet.chi.il.us (Dave Ihnat) writes: >>Before I waste my time re-inventing the wheel, I guess I'll ask here. > [ ... ] >>Has someone else taken this file apart? If not, it shouldn't be too >>outrageous, but I'd prefer not to duplicate effort. > >When I first looked at this file a long time ago, I was under the >impression that it only recorded failed login attempts, but since it >was definately modified when I logged in just now, I guess I was >wrong. It definitely does record unsuccessful attempts, though; >even unknown login names. > >Here's what I've been able to figure out from the file itself: > > struct pwcntl > { > char name[8]; /* name entered at login: */ > int uid; /* seems to be garbage for failed logins */ > char flag; /* always 'Y' or 'N', what does it mean? */ > /* char pad; */ > long last_login; /* last login attempt */ > long first_login; /* time when this entry was created */ > long unknown; /* always zero, what does it mean? */ > }; /* 26 bytes total */ > >Has anyone ever seen this file on anything other than a Unix PC? >Anyone with further observations/conclusions, please post! No, I have not seen this file on any other UNIX system. I think it was created especially for the UNIXpc. The major use for this file is maintaining users through the Ulogin program, which is run by the administration window stuff. The "flag" field is the "expert user" flag, from Ulogin. The unknown field is the "Space" field from the Ulogin screen, which shows disk space usage of each user. Unfortunately, it is only used internally by Ulogin, and so does not reflect values outside Ulogin. I think they intended to do more with this field, but never got around to it. The "pad" field seems to be just that. I can't find any reference to it in either login or Ulogin. It is probably some other kind of flag like the expert flag that never got used. If a user has been created by hand (not with Ulogin), an entry will be created the first time the user is logged in. If a user is created with Ulogin, the create time is set to then, with the first login set to 0. Everytime a user name is entered into login, pwcntl is updated BEFORE the password is CHECKED. Thus, ALL login attempts are recorded. For those of you who have a lot of public access, some of the attempts will be quite interesting. This makes pwcntl a good place to look for break-in attempts. A lot of typos and line noise "names" get entered here too. NOTE: If you run Ulogin stand-slone from the shell, be warned: It sends a "^[[=0w", which disables autowrap, send "^[[=1w" to turn it back on. If somebody whips up a util for dumping pwcntl, post it to unix-pc.sources l i n e s for rn John -- John Bly Milton IV, jbm@uncle.UUCP, n8emr!uncle!jbm@osu-cis.cis.ohio-state.edu (614) h:294-4823, w:764-2933; Got any good 74LS503 circuits?
jr@amanue.UUCP (Jim Rosenberg) (12/12/88)
In article <440@uncle.UUCP> jbm@uncle.UUCP (John B. Milton) writes: >For those of you who have a lot of >public access, some of the attempts will be quite interesting. This makes pwcntl >a good place to look for break-in attempts. A lot of typos and line noise >"names" get entered here too. Aaaaaaaarghhhhhhhhhh!!!! Until this discussion I'd never taken a look at /etc/pwcntl. When I did I nearly had a heart attack! On my system it was completely public. An od -c on this file revealed something in plain text that you don't wanna have *ANYWHERE*. Hint: Have you ever by mistake typed your password to the login: prompt? Of course, all UNIX users should be warned that typing your password to the login prompt can broadcast it; any user who might be doing a ps -fe at the time could see it. (Not on the 3b1, actually, since ps -fe on the 3b1 doesn't do the right thing. [Dammit!]) Little did I know that this gaffe leaves a PERMANENT record. A [formerly] public permanent record! I wasn't concerned that I might have compromised a password because I knew at the time I was the only user of the system. To all 3b1/7300 users: take a look at this doggoned file *TODAY*. You might find YOUR OWN PASSWORD (or worse!) staring you in the face. Yet another thing to add to the list of security problems on the 3b1. -- Jim Rosenberg CIS: 71515,124 decvax!idis! \ WELL: jer allegra! ---- pitt!amanue!jr BIX: jrosenberg uunet!cmcl2!cadre! /
ignatz@chinet.chi.il.us (Dave Ihnat) (12/14/88)
There's a reason I asked if anyone had the pwcntl information. After I got it (many thanks to net respondents), I spent about 4 hours last Sunday writing a utility to allow manipulation of this file; in particular, it can now be used to detect valid login activity (or inactivity) or failed login entries. The program provides the capability for an interactive examination, or examination and correction, session (full-screen)--in particular, this will allow you to correct invalid UIDs (reconciled from the /etc/passwd file, not the keyboard); delete (or, until the end of the session, undelete) entries (allows cleanup of failed login attempts); recalculate the space used on a per- entry basis while interactive, or a batch basis; provide a print listing of either all entries, or only bad ones (i.e., bad login or bad UID values). All the listed features have passed a series of tests by myself; all I've left to do is add some sorting options for the dump option (sort by date, sort by login name, I think should do it), and write the man page. Expect this in the next couple of days. (That is, if anyone really is interested...) -Dave Ihnat Analysts International Corp. ignatz@homebru.chi.il.us