From owner-freebsd-security Thu Jun 7 12:10:20 2001
Date: Thu, 7 Jun 2001 15:15:38 -0400 (EDT)
From: Ralph Huntington <rjh@mohawk.net>
To: David Miner
Cc: "Karsten W. Rohrbach", edwin chan, Olivier Nicole, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords

I use "expect" and a script-generated script for encrypting the passwd.
Here's the shell script my account-maker script generates and then runs
to set the password. This happens after the account-maker script uses
"pw" to make the actual user account (which puts a "*" in the passwd
field).

    #!/usr/local/bin/expect
    # "username" and "PassWord" are placeholders filled in by the
    # generating script before this file is written and run.
    set argv username
    spawn -noecho passwd [lindex $argv 0]
    expect "Changing local password for username."
    send ""
    # matches both the "New password:" and "Retype new password:" prompts
    expect "word:"
    send "PassWord\r"
    expect "word:"
    send "PassWord\r"
    expect eof

Obviously, have your script replace "username" with the actual username
and "PassWord" with the actual plaintext password. For security, have
your script unlink the expect script after it has run.

This just uses the "passwd" command non-interactively thanks to the
expect utility. It may not be terribly elegant, but I use this every day
and it works fine. I hope it's useful for you!

Ralph

On Thu, 7 Jun 2001, David Miner wrote:

> On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:
>
> > a simple script using pwgen(1) from the ports collection to generate the
> > cleartext password, using pw(8)'s instrumentation for passing a password
> > to it via filehandle would simplify things a bit, i think.
> > /k
>
> It's not the generation of the passwords that is the problem. It's the
> encryption.
>
> I put print statements into the program, created two users, and checked
> vipw.
>
> These are the outputs:
>
> entries in pwd.db:
>
> try-1:wUe7aHIXK/8O.:1260:1337::0:0:LIStry-1:/usr/try-1:/bin/csh
> try-2:tgx8fwK0d6cQM:1261:1338::0:0:LIStry-2:/usr/try-2:/bin/csh
>
> Program output:
>
> Enter password file name: pw7
> Password file read
> Enter path to home directories: /usr
> Enter class name: try
> Enter first number wanted: 1
> Enter number of users wanted: 2
> try-1 chock1
>
> wUlVdJxRtry-1 /usr/try-1 wUe7aHIXK/8O.
> chpass: updating the database...
> chpass: done
> try-2 chock1
>
> tgtM0gIZtry-2 /usr/try-2 tgx8fwK0d6cQM
> chpass: updating the database...
> chpass: done
>
> Notice that the encrypted password from the program appears to be the same
> as reported in vipw. But the user cannot log in with the password.
>
> David
> ---------------------------------------------------------------------
> David R. Miner                          miner@lis.fsu.edu
> Systems Integrator                      voice: 850-644-8107
> School of Information Studies           fax:   850-644-6253
> Florida State University
> Tallahassee, FL 32306-2100

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
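Added example, not part of the thread above and not anyone's posted code: a POSIX sh script that does what Karsten's reply suggests, creating the account and setting its password in one step with pw(8)'s "-h 0", which reads the password from file descriptor 0. The plaintext only ever travels through a pipe, so it is neither on the command line (visible in ps) nor written into a generated script file that has to be unlinked afterwards, which is the caveat with the expect approach. It assumes FreeBSD with pw(8) and root privileges; the helper names gen_password, is_locked_entry, create_user, set_password and check_not_locked are mine, and the sample passwd entries used to check is_locked_entry are constructed from the lines David quoted.

```shell
#!/bin/sh
# Added example (not from the thread): create a FreeBSD account with pw(8)
# and set its password without writing the plaintext to a file or putting
# it on a command line. pw's "-h 0" reads the password from file
# descriptor 0 (stdin), so a pipe is enough. Must run as root on FreeBSD;
# the pure-shell helpers can be exercised anywhere.
set -eu

# Random password from the kernel RNG: letters and digits only, so it
# survives every quoting path between here and passwd(5). Length defaults
# to 16 characters.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-16}"
}

# Return 0 (true) if a passwd(5)/master.passwd(5) line still carries the
# "*" that pw puts in the password field of a freshly created account,
# i.e. no password has been set yet and nobody can log in.
is_locked_entry() {
    [ "$(printf '%s\n' "$1" | cut -d: -f2)" = "*" ]
}

# Create the account and set the password in one step. Arguments:
# user name, plaintext password. The password goes through the pipe
# only: it is not in argv and never lands on disk.
create_user() {
    printf '%s\n' "$2" | pw useradd "$1" -m -s /bin/csh -h 0
}

# Change the password of an existing account the same way.
set_password() {
    printf '%s\n' "$2" | pw usermod "$1" -h 0
}

# Read the entry back from the password database and confirm the field is
# no longer "*". This is the check to run before telling the user the
# account is ready.
check_not_locked() {
    if is_locked_entry "$(pw usershow "$1")"; then
        return 1
    fi
    return 0
}

# Usage: ./mkaccount.sh <username>
if [ $# -ge 1 ]; then
    u=$1
    p=$(gen_password 16)
    create_user "$u" "$p"
    check_not_locked "$u" || { echo "password not set for $u" >&2; exit 1; }
    # Hand the plaintext to the operator once; do not log it anywhere.
    printf 'created %s with password %s\n' "$u" "$p"
fi
```

If the account must be created first and given a password later (the order Ralph's account-maker uses), pw useradd with "-h -" leaves the field as "*" and set_password above fills it in afterwards; check_not_locked then confirms the database actually changed, which is the first thing to verify when a freshly set password is rejected at login.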