Password Problems


Have you ever had a user call and say she could not log in because the system wouldn't take her password? Is there something wrong, or did she forget the password? You could just reset it, but then your user blames Linux, and you blame the user. Maybe there really is a problem. How do you tell?

The encrypted password is a one-way encryption. The user enters a password when logging in. This password is used along with the two "salt" characters from /etc/shadow to encrypt the password. If this encrypted password matches the encrypted password in /etc/shadow, the authentication succeeds. This is done with the crypt(3) function. There is no method to take the encrypted password and reverse the process to learn the unencrypted password.

We want to offer a short program that takes salt characters and a clear text password as input and outputs the encrypted password. You tell the user her salt characters. She runs the program, passing the salt characters and password as input, and gives you the output. You can compare this to her encrypted password in /etc/shadow. If it doesn't match, the user doesn't know the correct password.[1]

#include <unistd.h> #include <crypt.h> #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <strings.h> main(argc, argv)  int argc;  char *argv[];  { /* crypt_password.c takes two arguments. The first is comprised of 2 salt characters. The second field is the password which can be 8 characters. See the crypt(3) man page for details. */    if (argc ^= 3) {         printf(" USAGE: crypt_password SALT_CHARS PASSWORD \n\n");         return 1;     }        char salt[3];        char passwd[80];        strcpy(salt, argv[1]);        strcpy(passwd, argv[2]);        printf("%s\n", crypt(passwd, salt)); }


The program can be compiled with the following command:

gcc -o crypt_password -lcrypt crypt_password.c


Let's say a user calls with the complaint that a password no longer works.

sawnee login: dbadmin Password: Login incorrect sawnee login: dbadmin Password: Login incorrect


We run chage -l dbadmin to verify that the account isn't disabled:

# chage -l dbadmin Minimum:        0 Maximum:        99999 Warning:        7 Inactive:       -1 Last Change:            Feb 15, 2005 Password Expires:       Never Password Inactive:      Never Account Expires:        Never


The account is not expired. We may start to think the user just forgot the password. We can use the encrypt_password.c program to check. We need two pieces of information: the salt characters and the password.

The salt characters are the first two in the /etc/shadow password field. For dbadmin, the salt characters are f0. We can also look for a ! as the first character of the password, which would indicate the account is locked:

# grep dbadmin /etc/shadow dbadmin:f0OFhXhLSMWy6:12829:0:99999:7:::


The user takes her salt characters f0 and her password d9a9mi123 and tries them with crypt_password:

# ./crypt_password f0 d9a9mi123 f0MugCavWrWaE


We can't tell what the password is, but we learned it is not d9a9mi123.



Linux Troubleshooting for System Administrators and Power Users
Real World Mac Maintenance and Backups
ISBN: 131855158
EAN: 2147483647
Year: 2004
Pages: 129
Authors: Joe Kissell

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net