Recipe 9.1 Testing Login Passwords (John the Ripper)

9.1.1 Problem

You want to check that all login passwords in your system password database are strong.

9.1.2 Solution

Use John the Ripper, a password-cracking utility from the Openwall Project (http://www.openwall.com). After the software is installed, run:

# cd /var/lib/john # umask 077 # unshadow /etc/passwd /etc/shadow > mypasswords # john mypasswords

Cracked passwords will be written into the file john.pot. Cracked username/password pairs can be shown after the fact (or during cracking) with the -show option:

# john -show mypasswords

You can instruct john to crack the passwords of only certain users or groups with the options -users:u1,u2,... or -groups:g1,g2,..., e.g.:

# john -users:smith,jones,akhmed mypasswords

Running john with no options will print usage information.

9.1.3 Discussion

SuSE distributes John the Ripper, but Red Hat does not. If you need it, download the software in source form for Unix from http://www.openwall.com/john, together with its signature, and check the signature before proceeding. [Recipe 7.15]

Unpack the source:

$ tar xvzpf john-*.tar.gz

Prepare to compile:

$ cd `ls -d john-* | head -1`/src $ make

This will print out a list of targets for various systems; choose the appropriate one for your host, e.g.:

linux-x86-any-elf        Linux, x86, ELF binaries

and run make to build your desired target, e.g.:

$ make linux-x86-any-elf

Install the software, as root:

# cd ../run # mkdir -p /usr/local/sbin # umask 077 # cp -d john un* /usr/local/sbin # mkdir -p /var/lib/john # cp *.* mailer /var/lib/john

Then use the recipe we've provided.

By default, Red Hat 8.0 uses MD5-hashed passwords stored in /etc/shadow, rather than the traditional DES-based crypt( ) hashes stored in /etc/passwd; this is effected by the md5 and shadow directives in /etc/pam.d/system-auth:

password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow

The unshadow command gathers the account and hash information together again for cracking. This information should not be publicly available for security reasons that's why it is split up in the first place so be careful with this re-integrated file. If your passwords change, you will have to re-run the unshadow command to build an up-to-date password file for cracking.

In general, cracking programs use dictionaries of common words when attempting to crack a password, trying not only the words themselves but also permutations, misspellings, alternate capitalizations, and so forth. The default dictionary (/var/lib/john/password.lst) is small, so obtain larger ones for effective cracking. Also, add words appropriate to your environment, such as the names of local projects, machines, companies, and people. Some available dictionaries are:

ftp://ftp.ox.ac.uk/pub/wordlists/

ftp://ftp.cerias.purdue.edu/pub/dict/wordlists

Concatenate your desired word lists into a single file, and point to it with the wordlist directive in /var/lib/john/john.ini.

john operates on a file of account records, so you can gather the password data from many machines and process them in one spot. You must ensure, however, that they all use the same hashing algorithms compiled into the version you built on your cracking host. For security, it might be wise to gather your account databases, then perform the cracking on a box off the network, in a secure location.

There are other crackers available, notably Crack by Alec Muffet. [Recipe 9.2] We feature John the Ripper here not because it's necessarily better, but because it's simpler to use on Red Hat 8.0, automatically detecting and supporting the default MD5 hashes.

9.1.4 See Also

See the doc directory of the John the Ripper distribution for full documentation and examples.

Learn about Alec Muffet's Crack utility at http://www.cryptcide.org/alecm/security/c50-faq.html.

The Red Hat Guide to Password Security is at http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-wstation-pass.html.