
Re: Automatic password changing



Thanks Tim ! :)

    So this line changes the root password ? Ok, the password has a nice length,
with upper and lower case, numbers and a couple symbols. Pretty solid ? Anyway, so
what does "perl -npi.bak -e 's/^root:[^:]*:/root:pants:/o' /etc/shadow" actually
do, does it create a file, or is it this which appears in the cron ? Sorry for the
questions, I'm not quite initiated in perl yet. So, if this does create a file,
what would I find in, say, cron.daily ? Thanks a lot for this information.

Much Respect

Tim Haynes wrote:

> On Wed, Mar 22, 2000 at 02:07:10AM -0800, Alexander Hvostov wrote:
>
> > That's a bad idea because it defeats the purpose of the password being there
> > to start with. You see, the password is ordinarily encrypted and kept under
> > tight safeguards, to make it hard to figure out what it is. If you were to
> > reset the password periodically, you would presumably have to store the
> > password without it being encrypted, which personally gives me the willies
> > because of its security implications, like someone being able to read your
> > password...
>
> Nope, as your next paragraph shows! :]
>
> > However, it _is_ possible to copy the password, in its encrypted form, from
> > a cron script, and copy it into its proper place in /etc/shadow. The problem
> > with this is that it would need a parser of one sort or another -- probably
> > a perl script. Ask someone else for this, but I still think it's a bad idea
> > security wise.
>
> You can do it with this
>
>         perl -npi.bak -e 's/^root:[^:]*:/root:pants:/o' /etc/shadow
>
> and stick that in a cron job. (Change "pants" to the *encrypted* password you
> want, remembering to escape dodgy punctuation!)
>
> Security-wise: It means there's one more place where the encrypted password is
> stored, and the permissions on that could & should be tight.
>
> Paranoia-wise: consider reading through all the rules in 'Crack' while you're
> at it, and design a password to defeat them (plenty of punctuation, numbers,
> mixed-case - better still, use 'pwgen') and use the encrypted form as above.
>
> HTH!
>
> ~Tim
> --
> | Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
> | w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-
> | The sun is melting over the hills,         | http://piglet.is.dreaming.org/
> | All our roads are waiting / To be revealed | piglet@glutinous.custard.org

--
-------------------------------------------------------------
Neil D. Roberts ; Administrador De Sistemas; <neil@lander.es>
Lander World Communications Server S.L. / Integra España S.A.
Calle Rufino Gonzalez, Nº15 - 4ª Planta, Madrid, España 28037
Telefonos :  917.897.710  ;  902.363.363  Fax  :  913.042.044
Mensatel Beeper: Nº 940.331.331  ; Codigo Del Cliente : #NR10
PGP Print: 6228 6EEE C604 431A 70A9  84B7 E327 9CAF E59A 2709
-------------------------------------------------------------

aibohphobia, n., The fear of palindromes.


