Re: Automatic password changing
On Wed, Mar 22, 2000 at 02:07:10AM -0800, Alexander Hvostov wrote:
> That's a bad idea because it defeats the purpose of the password being there
> to start with. You see, the password is ordinarily encrypted and kept under
> tight safeguards, to make it hard to figure out what it is. If you were to
> reset the password periodically, you would presumably have to store the
> password without it being encrypted, which personally gives me the willies
> because of its security implications, like someone being able to read your
> password...
Nope, as your next paragraph shows! :]
> However, it _is_ possible to copy the password, in its encrypted form, from
> a cron script, and copy it into its proper place in /etc/shadow. The problem
> with this is that it would need a parser of one sort or another -- probably
> a perl script. Ask someone else for this, but I still think it's a bad idea
> security-wise.
You can do it with this:
perl -npi.bak -e 's/^root:[^:]*:/root:pants:/o' /etc/shadow
and stick that in a cron job. (Change "pants" to the *encrypted* password you
want, remembering to escape dodgy punctuation!)
Security-wise: It means there's one more place where the encrypted password is
stored, and the permissions on that could & should be tight.
Paranoia-wise: consider reading through all the rules in 'Crack' while you're
at it, and design a password to defeat them (plenty of punctuation, numbers,
mixed-case - better still, use 'pwgen') and use the encrypted form as above.
HTH!
~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-
| The sun is melting over the hills, | http://piglet.is.dreaming.org/
| All our roads are waiting / To be revealed | piglet@glutinous.custard.org
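
An added example, not part of the original message: the same hash-field replacement done by splitting on ':' instead of a regex substitution, so punctuation in the hash needs no escaping and the rest of the line is preserved. The sample entries, the placeholder hashes, the function names and the 0600 mode are assumptions made for the illustration.

```python
import os
import tempfile

# Constructed sample; the hashes are placeholders, not real crypt(3) output.
SAMPLE_SHADOW = (
    "root:$1$OLDSALT$oldhashplaceholder:11038:0:99999:7:::\n"
    "rootkit:*:11038:0:99999:7:::\n"
    "daemon:*:11038:0:99999:7:::\n"
)


def replace_hash(shadow_text, user, new_hash):
    """Return shadow_text with only `user`'s second field set to new_hash."""
    if not new_hash or any(c in new_hash for c in ":\n\r"):
        raise ValueError("hash must be non-empty and contain no ':' or newline")
    out, hits = [], 0
    for line in shadow_text.splitlines(keepends=True):
        fields = line.split(":")
        # Exact match on field 1, so "rootkit" is not touched when user is "root".
        if fields[0] == user and len(fields) >= 3:
            fields[1] = new_hash  # no regex, so '$' and '/' need no escaping
            line = ":".join(fields)
            hits += 1
        out.append(line)
    if hits != 1:
        raise LookupError(f"expected exactly one entry for {user!r}, found {hits}")
    return "".join(out)


def write_atomically(path, text, mode=0o600):
    """Write text to a temp file in the same directory, then rename over path."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
            handle.flush()
            os.fsync(handle.fileno())
        os.chmod(tmp, mode)  # assumed mode; match the real file's owner and mode
        os.replace(tmp, path)  # readers see the old or the new file, never half
    except BaseException:
        os.unlink(tmp)
        raise
```

The file holding the replacement hash needs the same tight permissions as the shadow file itself.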