Interpreting the encrypted shadow password?

We are currently using a script to copy the same encrypted password between our HP-UX and Solaris servers, editing the trusted and shadow files directly. The encrypted password is only 13 characters long on both servers and decrypts the same way. Is there a way to copy this same string to Linux servers?

The encrypted password in the shadow file on one of our Linux servers looks like this:
$1$9EmV.jZO$YyfdtPT11aP3hE.jqX7Ve0

I've read the crypt(3) man page but I am not sure how to interpret it. Any idea if it's possible to replace 13 characters in this string to decrypt the same password?

You can just go over to a Linux box, set the user's password, and see the result in the shadow file.

I do not know if encryption is identical on those three Unixes.

Your other choice: run some sort of script to update passwords remotely.

Thanks Jim for the reply. The problem is that the encrypted password string on HP-UX and Solaris is 13 characters long. On Linux it is 34 characters long. I'm not sure if there are special meanings in these 34 characters or if it is just a 26-character salt or what. It would be nice if I could somehow figure out how to use the 13-character string somewhere in the Linux encryption.

We currently have an expect script to change passwords but it is painfully slow compared to the script I wrote for HP and Sun. I wanted to incorporate Linux into this script but cannot figure out how to do it.
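An added example (not code from any post in this thread) showing what the 13- and 34-character strings are made of: a small Python parser that splits a shadow password field into scheme, salt and digest and reports how many characters each part takes. The shadow lines embedded in it are constructed sample data; only the MD5-crypt string is the one quoted in the question.

```python
"""Decode the password field of /etc/shadow entries.

Added example for this thread (not code from the original posts): it splits a
crypt(3) string into scheme, salt and digest so the "13 characters" versus
"34 characters" difference discussed above becomes visible.  The shadow lines
below are constructed sample data; only the MD5-crypt string is the one quoted
in the question.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Scheme identifiers of the "$id$salt$digest" modular crypt format.
MCF_SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}

# crypt(3) output alphabet: the 64 characters . / 0-9 A-Z a-z
B64 = r"./0-9A-Za-z"
# Traditional DES crypt: 2-character salt + 11-character digest, no "$" markers.
TRADITIONAL_DES = re.compile(rf"^[{B64}]{{13}}$")
# $1$salt$digest, $5$salt$digest, $6$salt$digest, optionally with "rounds=N$".
MCF = re.compile(
    rf"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
    rf"(?P<salt>[{B64}]{{0,16}})\$(?P<digest>[{B64}]+)$"
)


@dataclass
class ShadowHash:
    scheme: str                 # "MD5-crypt", "traditional DES", "locked", ...
    salt: str
    digest: str
    raw: str
    rounds: Optional[int] = None


def classify(field: str) -> ShadowHash:
    """Classify the second (password) field of one shadow entry."""
    if field == "":
        return ShadowHash("empty", "", "", field)       # no password required
    if field[0] in "!*":
        return ShadowHash("locked", "", "", field)      # login disabled
    m = MCF.match(field)
    if m:
        rounds = int(m["rounds"]) if m["rounds"] else None
        return ShadowHash(MCF_SCHEMES[m["id"]], m["salt"], m["digest"], field, rounds)
    if TRADITIONAL_DES.match(field):
        return ShadowHash("traditional DES", field[:2], field[2:], field)
    return ShadowHash("unknown", "", "", field)


def breakdown(h: ShadowHash) -> dict:
    """Character budget of the field: prefix ("$1$" or "$6$rounds=N$"), salt,
    the "$" separator and digest.  Traditional DES has no prefix or separator."""
    if h.scheme == "traditional DES":
        return {"prefix": 0, "salt": 2, "separator": 0, "digest": 11}
    if h.scheme not in MCF_SCHEMES.values():
        return {"prefix": 0, "salt": 0, "separator": 0, "digest": 0}
    prefix = len(h.raw) - len(h.salt) - 1 - len(h.digest)
    return {"prefix": prefix, "salt": len(h.salt), "separator": 1, "digest": len(h.digest)}


def parse_shadow(text: str) -> list:
    """Parse shadow-format lines into (user, ShadowHash) pairs; skips blank lines."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"expected 9 colon-separated fields: {line!r}")
        out.append((fields[0], classify(fields[1])))
    return out


# Constructed sample entries (the SHA-512 digest and all dates/limits are dummies).
SAMPLE_SHADOW = """\
appuser:$1$9EmV.jZO$YyfdtPT11aP3hE.jqX7Ve0:18000:0:99999:7:::
legacy:abJnggxhB/yWI:18000:0:99999:7:::
svc:$6$rounds=5000$c0nstructedSalt$NotARealDigestJustSampleData0123456789:18000:0:99999:7:::
nologin:!:18000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, h in parse_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {h.scheme:16} len={len(h.raw):2} salt={h.salt!r} {breakdown(h)}")
```

Run against the sample, the 34-character Linux string decomposes as a 3-character "$1$" scheme prefix (MD5-crypt), an 8-character salt, the "$" separator and a 22-character digest; the 13-character HP-UX/Solaris string is traditional DES crypt, a 2-character salt followed by an 11-character digest. They are different algorithms, so no substring of one can be spliced into the other; whether a 13-character DES string is accepted unchanged in a Linux shadow file depends on whether that system's crypt(3) build still supports DES, which is exactly what setting a password on a Linux box and reading back the shadow entry would tell you.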

The simple answer is to identify the most secure and compatible hashing algorithm supported by all three platforms, settle on it, and alter the systems' configurations to honor this algorithm and use it for future password generation. Then a method to generate the passwords for each user using the same salt on all three platforms could be devised, along with a way to generate the users' passwd/shadow entries and then a method to add these to the password/shadow files on target systems.

All of this would be simplified to a great degree if central authentication were in use, à la LDAP or NIS, unless I'm misunderstanding. Otherwise it's a poor man's directory service.

We use Vintela for central authorization but do not use it for root or application IDs. In an enterprise this big, changing any hashing algorithms for passwords is not feasible.

It sounds like I'm SOL. I can create a different script to handle just the Linux servers but was really hoping to be able to do it in one script.

For your root and application passwords you can always use expect or automated ssh to batch-process passwd changes, driving the native platform's passwd. I've used expect for this in the past.

#!/usr/bin/expect -f
# Batch password change over ssh, driving each platform's native passwd(1).
# Usage: chpass.exp <username> <host> [host ...]
# loginprog, pwprompt and getInput were referenced but never defined in the
# posted script; the definitions below are assumptions that make it runnable.

set loginprog "ssh"       ;# assumed login command (ssh-agent/keys do the auth)
set pwprompt  "assword:"  ;# assumed: ssh fell back to asking for a password
set timeout   20

# Read one line from the operator with terminal echo off (the new password).
proc getInput {msg} {
    send_user $msg
    stty -echo
    expect_user -re "(.*)\n"
    stty echo
    send_user "\n"
    return $expect_out(1,string)
}

# Drive passwd(1) on a session that is already sitting at a shell prompt.
# Shared by the automatic path and the manual (Ctrl-P) path below.
proc changePassword {} {
    global prompt spawn_id timeout name username
    send "passwd\r"
    expect -i $spawn_id -re ".*asswor.*" {
        set new [getInput "Password change for $username on $name: "]
        send "$new\r"
        expect -i $spawn_id -re "\[Rr\]e.*asswor.*" {
            send "$new\r"
            expect -i $spawn_id -re "$prompt" {
                send_user "Password changed successfully for $name\n"
            }
        }
    }
}

# Invoked from interact (Ctrl-P) after the operator has logged in by hand.
proc manualChange {} {
    global prompt spawn_id timeout name username
    send "\r"    ;# request a fresh prompt; interact already consumed the old one
    expect {
        -i $spawn_id -re $prompt {
            send_user "Logged in to host: $name as $username\n"
            changePassword
        }
        timeout {send_user "Timed out for spawn_id: $spawn_id\n"}
        eof     {send_user "Abnormal termination for spawn_id: $spawn_id\n"}
    }
}

if {[llength $argv] < 2} {
    puts "Please provide:\n 1. username\n 2. list of hosts"
    exit 1
}
set username [lindex $argv 0]
set hostlist [lrange $argv 1 end]

##main()
# Shell prompt patterns: "user@...", "...user...>" or "...user...#"
set prompt "$username@.*|.*$username.*>|.*$username.*#"
foreach name $hostlist {
    if {![catch {eval spawn $loginprog $username@$name} err_spawn]} {
        puts "Connecting to $name..."
        expect {
            -re $prompt {
                send_user "Logged in to host: $name as $username\n"
                changePassword
            }
            -re $pwprompt {
                send_user "Log in manually and then press ^P to change password\n"
                # "\020" is Ctrl-P; the literal two characters "^P" would never match
                interact {
                    "\020" {manualChange}
                }
            }
            timeout {send_user "Timed out waiting on $name\n"}
            eof     {send_user "Abnormal exit for connect() to host: $name\n"}
        }
    } else {
        puts "ERROR: Connecting to host: $name = $err_spawn"
    }
}

Using ssh-agent and keys, this is a quick way to change passwords and also allows you to catch hosts without keys, etc.
HTH.