Re: Automatic password changing
On Thu, Mar 23, 2000 at 10:38:54AM -0400, Peter Cordes wrote:
[me]
> > OTOH it's only going to take a wee fraction of a second to happen and it's
> > not as though everyone logs every process that happens...
>
> They might well do so if they knew the root password was getting changed by
> a cron job! They would be looking for the path of the script/program that
> was doing it, and would probably fall out of their chair when they saw the
> encrypted root password right there. OTOH, if you've got MD5 passwords, it
> won't help them unless you've got a dictionary-attack susceptible password.
MD5 or even crypt: as long as it's 1-way *and* it's a strong password (ie no
rule in any Crack program will match it) you'll be relatively safe. (Who would
resort to a simple brute-force on a string of unknown length when they can do
dictionary attacks?)
> Still, it's a bad thing.
My point is I'm trying to encourage a little thought as to *why* it might be a
bad thing, no more no less. (Even if it means playing devil's advocate a
little as well :)
> I'd make a script in /usr/local/sbin
| #!/usr/bin/perl -npi.bak /etc/shadow
| s/^root:[^:]*:/root:pants/o
> (I think that works, I'm a perl beginner... I don't know though, complex
> command lines in #! lines usually don't work with other things :( )
Not quite. It seems to ignore the filename on the end of the #! line, and you
forgot my mod to make it do the right thing re: 'rest of line' :
#!/usr/bin/perl -npi.bak
s/^root:[^:]*:(.*)$/root:pants:\1/o
Next they'll be saying it's a bad thing to have the filename "/etc/shadow"
floating around in the process commandline .. ;)
~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-
| The sun is melting over the hills, | http://piglet.is.dreaming.org/
| All our roads are waiting / To be revealed | piglet@glutinous.custard.org
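
Added example, not part of the original message: a shell function that does the same field replacement as the perl one-liner above, but takes the replacement hash on stdin so that it sits neither in the script nor in any process command line. The name set_hash and the file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# set_hash FILE USER reads the new hash from stdin and writes it into USER's
# second field of a shadow-format FILE, leaving every other field alone.
# The hash is never an argument of an external command, so it does not show
# up in ps output or process accounting.
# No lock file is taken, so run it while nothing else is editing FILE.
# usage (hypothetical file names): set_hash ./shadow.copy root < newhash.txt
set_hash() {
    file=$1 user=$2
    IFS= read -r hash || [ -n "$hash" ] || return 1
    case $hash in ''|*:*) return 1 ;; esac      # would break the field layout
    tmp=$(mktemp "$file.XXXXXX") || return 1
    cp -p "$file" "$file.bak" &&                # same backup perl -i.bak keeps
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 1; }   # carry mode and owner
    # printf is a shell builtin: the hash reaches awk on stdin, not in argv.
    if printf '%s\n' "$hash" | awk -F: -v OFS=: -v u="$user" '
            NR == FNR { h = $0; next }          # first input (stdin): the hash
            $1 == u   { $2 = h; found = 1 }     # exact user name, field 2 only
                      { print }
            END       { exit !found }           # fail if the user was missing
        ' - "$file" > "$tmp"
    then mv "$tmp" "$file"                      # atomic replace
    else rm -f "$tmp"; return 1
    fi
}
```

On a real system, chpasswd -e also reads user:hash pairs from stdin.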