[comp.unix.sysv386] SCO password generator

uaa1006@dircon.co.uk (Peter Miles) (05/06/91)

Does anyone know if it's possible to access the SCO UNIX password
generator from outside the 'passwd' command?

(The generator outputs a pronounceable, but non-real word for 
more password security.)

I'm trying to put together a program for one of my clients which 
will create new user accounts, but automatically assign a generated
password. My intention is to use addxusers to create the account 
and then set the password with the generator output using the
passwd command and 'expect', or something like that. 

Thanks.

                        Pete
-- 
Pete Miles			uaa1006@dircon.co.uk
				...ukc!dircon!uaa1006

jpr@jpradley.jpr.com (Jean-Pierre Radley) (05/14/91)

In article <1991May06.144015.17086@dircon.co.uk> uaa1006@dircon.co.uk (Peter Miles) writes:
>Does anyone know if it's possible to access the SCO UNIX password
>generator from outside the 'passwd' command?
>
>(The generator outputs a pronounceable, but non-real word for 
>more password security.)

Since it's part of a binary program -- /bin/passwd --, I'd say the answer is
no, unless you have a nice convenient way to disassemble /bin/passwd and 
extract just that part of the code.

Jean-Pierre Radley   Unix in NYC   jpr@jpr.com   jpradley!jpr   CIS: 72160,1341

rac@sherpa.UUCP (Roger Cornelius) (05/18/91)

From article <1991May14.040042.15199@jpradley.jpr.com>, by jpr@jpradley.jpr.com (Jean-Pierre Radley):
> In article <1991May06.144015.17086@dircon.co.uk> uaa1006@dircon.co.uk (Peter Miles) writes:
>>Does anyone know if it's possible to access the SCO UNIX password
>>generator from outside the 'passwd' command?
> 
> Since it's part of a binary program -- /bin/passwd --, I'd say the answer is
> no, unless you have a nice convenient way to disassemble /bin/passwd and 
> extract just that part of the code.

It's possible if you have the development system installed.  The
following demonstrates (must link with -lprot):

/* cut here */
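#define SecureWare
#include <sys/types.h>
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>
#include <stdio.h>	/* printf */
#include <time.h>	/* time */
#define MIN 5		/* minimum word length passed to randomword */
#define MAX 10		/* maximum word length passed to randomword */

int main(ac,av)
int ac;
char **av;
{
	/* one extra byte each so a full-length word still has room for its NUL */
	char word[MAX+1], hyword[2*MAX+1];
	long seed = time((time_t *)0);	/* seed taken from the current time */

	/* initialise the security library with the program's arguments */
	set_auth_parameters(ac,av);
	/* fifth argument 0: labelled "NR" in the output */
	(void) randomword(word, hyword, MIN, MAX, 0, seed);
	(void) printf("NR  word=%s, hyword=%s\n", word, hyword);
	/* fifth argument 1: labelled "R" in the output */
	(void) randomword(word, hyword, MIN, MAX, 1, seed);
	(void) printf("R   word=%s, hyword=%s\n", word, hyword);
	return 0;
}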
/* cut here */

-- 
Roger Cornelius          rac@sherpa.UUCP         uunet!sherpa!rac

martin@mwtech.UUCP (Martin Weitzel) (05/21/91)

In article <1991May14.040042.15199@jpradley.jpr.com> jpr@jpradley.jpr.com (Jean-Pierre Radley) writes:
>In article <1991May06.144015.17086@dircon.co.uk> uaa1006@dircon.co.uk (Peter Miles) writes:
>>Does anyone know if it's possible to access the SCO UNIX password
>>generator from outside the 'passwd' command?
>>
>>(The generator outputs a pronounceable, but non-real word for 
>>more password security.)
>
>Since it's part of a binary program -- /bin/passwd --, I'd say the answer is
>no, unless you have a nice convenient way to disassemble /bin/passwd and 
>extract just that part of the code.

NOTE: The following may or may not be applicable to SCO UNIX, but here
is just one subtlety you should consider if you ever think about password
generators:

Be sure that the period of the generated passwords is really BIG. E.g. if
you take the 95 printing characters and use full length passwords (8 chars),
you have

	95 ^ 8  == 6 634 204 312 890 625

different passwords.

On the other hand, if some generator is based on random `long int's, you'll
probably end up with only

	2 ^ 32  == 4 294 967 296

different passwords. Of course the generator will be seeded in a user
specific way but that does not change its period! The important point here
is that some intruder may prepare a list of encoded vs. clear text passwords
and use it to break into your system. The time to compile and the size of
such a list are 1.5 million times larger in the former than in the latter case!!
-- 
Martin Weitzel, email: martin@mwtech.UUCP, voice: 49-(0)6151-6 56 83
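
Added example, not part of the original thread: the seed-space limit Weitzel describes, measured on a constructed toy generator. toy_password() is a hypothetical LCG-based generator written for this illustration (it is not SCO's randomword); enumerating every 16-bit seed shows the output set can never exceed the seed space, whatever the alphabet size.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PW_LEN   8
#define ALPHABET 95              /* printable ASCII, ' ' .. '~' */

/* Constructed toy generator: all state comes from `seed`, so the seed
 * alone determines the 8-character password. */
static void toy_password(uint32_t seed, char out[PW_LEN + 1])
{
    uint32_t state = seed;
    for (int i = 0; i < PW_LEN; i++) {
        state = state * 1664525u + 1013904223u;    /* common LCG step */
        out[i] = (char)(' ' + (state >> 16) % ALPHABET);
    }
    out[PW_LEN] = '\0';
}

static int cmp_pw(const void *a, const void *b) { return memcmp(a, b, PW_LEN); }

/* Generate a password for every seed of `seed_bits` bits, count distinct ones. */
static unsigned long distinct_passwords(unsigned seed_bits)
{
    unsigned long n = 1ul << seed_bits, distinct = 0;
    char (*all)[PW_LEN + 1] = malloc(n * sizeof *all);
    if (!all) return 0;
    for (unsigned long s = 0; s < n; s++)
        toy_password((uint32_t)s, all[s]);
    qsort(all, n, sizeof *all, cmp_pw);
    for (unsigned long i = 0; i < n; i++)
        if (i == 0 || memcmp(all[i], all[i - 1], PW_LEN) != 0)
            distinct++;
    free(all);
    return distinct;
}

/* How many times larger the full 95^8 space is than a 2^seed_bits space. */
static double space_ratio(unsigned seed_bits)
{
    double full = 1.0;
    for (int i = 0; i < PW_LEN; i++) full *= ALPHABET;
    return full / (double)(1ull << seed_bits);
}

int main(void)
{
    printf("16-bit seed: %lu distinct passwords\n", distinct_passwords(16));
    printf("95^8 / 2^32 = %.0f\n", space_ratio(32));
    return 0;
}
```

The practical check for any generator is the same: its effective password space is bounded by the number of distinct seeds it can be given, so the seed must come from a source at least as large as the password space you intend to offer.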