[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Automatic password changing

On Thu, Mar 23, 2000 at 10:38:54AM -0400, Peter Cordes wrote:

> > OTOH it's only going to take a wee fraction of a second to happen and it's
> > not as though everyone logs every process that happens...
> They might well do so if they knew the root password was getting changed by
> a cron job!  They would be looking for the path of the script/program that
> was doing it, and would probably fall out of their chair when they saw the
> encrypted root password right there.  OTOH, if you've got MD5 passwords, it
> won't help them unless you've got a dictionary-attack succeptible password.

MD5 or even crypt: as long as it's 1-way *and* it's a strong password (ie no
rule in any Crack program will match it) you'll be relatively safe. (Who would
resort to a simple brute-force on a string of unknown length when they can do
dictionary attacks?)

> Still, it's a bad thing.

My point is I'm trying to encourage a little thought as to *why* it might be a
bad thing, no more no less. (Even if it means playing devil's advocate a
little as well :)

> I'd make a script in /usr/local/sbin 
	| #!/usr/bin/perl -npi.bak /etc/shadow
	| s/^root:[^:]*:/root:pants/o

> (I think that works, I'm a perl beginner...  I don't know though, complex
> command lines in #! lines usually don't work with other things :(  )

Not quite. It seems to ignore the filename on the end of the #! line, and you
forgot my mod to make it do the right thing re: 'rest of line' :

	#!/usr/bin/perl -npi.bak


Next they'll be saying it's a bad thing to have the filename "/etc/shadow"
floating around in the process commandline .. ;)

| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++ 
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-	     
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/
| All our roads are waiting / To be revealed | piglet@glutinous.custard.org

Reply to: