Hi list,

passwords again...

I'm searching for a tool that generates many many passwords in a list, so that I can automatically assign them to users.

thanks for your help...

--
jan meyer
sysadmin FH-Potsdam
Hi

On Wed, Aug 09, 2000 at 05:19:27PM +0200, jan wrote:
> I'm searching for a tool that generates many many passwords in a list, so that I can automatically assign them to users.

There's a tool called 'pwgen'

alex@joker:~# pwgen --secure 8
{Aff.wo%

Don't know whether it is included with Suse (Debian: yes, Trustix: no). If not, seek for pwgen.tar.Z, an official homepage or something like that does not exist...

MfG/Regards, Alexander

--
Alexander Reelsen   http://joker.rhwd.de
ref@linux.com       GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB
ar@rhwd.net         7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO
Hi again

On Wed, Aug 09, 2000 at 05:47:51PM +0200, Alexander Reelsen wrote:
> Don't know whether it is included with Suse (Debian: yes, Trustix: no). If not, seek for pwgen.tar.Z, an official homepage or something like that does not exist...

Silly me. Of course it is on every Debian mirror, i.e. get it at:
ftp.rfc822.org/pub/mirror/ftp.debian.org/debian/dists/potato/main/source/admin/pwgen_1-15.tar.gz

MfG/Regards, Alexander

P.S. To the mailing list readers from ld-kiel.de (name slightly changed to protect the innocent), please reconfigure your "ChineseWall", slowly but surely I get annoyed about getting 2 emails per sent mail from your tool, which says it finds "malicious" content in my mails.

--
Alexander Reelsen   http://joker.rhwd.de
ref@linux.com       GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB
ar@rhwd.net         7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO
There is also a somewhat less secure random password generator on ftp://ftp.netsys.com/len/makepw.c

Len
On Wed, Aug 09, 2000 at 17:19 +0200, jan wrote:
> I'm searching for a tool that generates many many passwords in a list, so that I can automatically assign them to users.

$ rpm -q -f $( which mkpasswd )
expect-5.22-16

This one will create mixed (alpha / numerical, upper / lower case) passwords of a given length and "difficulty" grade.

And there are alternatives like dd(1)ing from /dev/random (and maybe translating them to something that can be typed in by mapping the binary stream to the 0x21-0x7E characters).

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
jan wrote:
> Hi list,
>
> passwords again...
>
> I'm searching for a tool that generates many many passwords in a list, so that I can automatically assign them to users.
[SNIP]

Hi,

I have one - it's about 2kB gzipped, or just under 12kB uncompressed (nobody worry, I was not going to post it to the list). It is not idiot proof, and will blindly append to files, etc. (_don't_ run it as root!!!!). I haven't tested it extensively (since I just wrote it).

It's in Perl (5.005_02), it isn't too pretty, but it will generate a list of random passwords for you -> mixed case letters, numbers and commas (,), newline delimited (\n). It would be pretty simple to expand the characters it uses, if needed. It could also be made much smaller, but I don't have the time right now.

I can send it to you, if you are interested, as an email attachment. If a bunch of people are interested (and if _nobody_ objects, and if the SuSE people explicitly say it's ok), maybe I could post it to the list in sections or something.

John
Hi,

First, let me apologize to everyone I sent the first version of this program to. I've just had a chance to review the code, and all I can say is I am _really_ sorry. I have fixed the filename problem, and cut the program down to size. It follows:

John

PS - SuSE people: I am not going to make a habit of this.

#####Begin Program
#!/usr/bin/perl -w
my $VERSION = 0.03;
#This script is Copyright(c) 2000 John Pinder. All Rights Reserved.
#Licensed under the same terms as Perl itself
#This software comes with NO WARRANTY!
#Written for Perl 5.005_02, on Linux 2.2.5 x86.

# THIS SCRIPT GENERATES PASSWORDS USING PERL RAND() FUNCTION
# randomness will depend on your RNG (/dev/random)

use Getopt::Long;

$help_test = "0"; #keep help option happy, if not invoked: assign default value

&GetOptions(
    "characters=i" => \$num_characters,
    "passwords=i"  => \$num_passwords,
    "filename=s"   => \$output_file,
    "help!"        => \$help_test
);

if ($help_test == "1") {
    print "Options are as follows:\n";
    print " --characters=n n is the number of bases to generate, per sequence\n";
    print " --passwords=n n is the number of sequences to generate\n";
    print " --filename=_____ enter the filename you want to use, with NO extension\n";
    print " --help this option prints this help screen.\n\n";
    print "For example, password_gen --characters 8 --passwords 20 --filename Garbage.txt\n";
    print "will generate a file named Garbage.txt, containing 20 passwords of 8 characters each\n\n";
    exit;
}

#all three options are needed; stop here rather than open an undefined filename
die "Need --characters, --passwords and --filename (see --help)\n"
    unless defined $num_characters && defined $num_passwords && defined $output_file;

srand; #for older Perl, use: srand ( time() - ($$ + ($$ << 15)) ) if $] < 5.004

@characters = qw(
    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    a b c d e f g h i j k l m n o p q r s t u v w x y z
    1 2 3 4 5 6 7 8 9 0
    ! @ .
);

$password_count = 0; #explicitly set to 0 (it's a counter, it counts passwords)

while ($password_count < $num_passwords) # $num_passwords is the number of passwords to be generated
{
    $password_count++;
    if ($password_count > 1) {
        #newline between passwords
        open(OUT, ">>$output_file") or die "Cannot append to $output_file: $!\n";
        print OUT "\n";
        close(OUT);
    }
    #explicitly set counters to 0
    $character_counter = 0;
    while ($character_counter < $num_characters) # $num_characters is the number of characters per password
    {
        $character_counter++;
        open(OUT, ">>$output_file") or die "Cannot append to $output_file: $!\n";
        print OUT randselect( \@characters );
        close(OUT);
    }
}

#return one randomly chosen element of the array passed by reference
sub randselect { $_[0]->[rand @{ $_[0] } ] } #Thank you O'Reilly!
#########End Program
* John Pinder wrote on Fri, Aug 11, 2000 at 02:03 -0700:
> srand;
> sub randselect { $_[0]->[rand @{ $_[0] } ] } #Thank you O'Reilly!

mmm... If I see it right then you use rand as source of randomness only, ain't? This isn't always a nice idea, since the entropy of rand may be low, and you have to note that i.e. a pid has usually only 16 bit (under some circumstances predictable) entropy, and time() has a very few bits randomness only and should be predictable usually.

It seems better for me, to use the tv.usec field returned by gettimeofday() and/or collect some entropy directly from the user. I made some program that reads in keystrokes and uses the timings between the keystrokes too.

I used the following functions to collect entropy. It's not really strong but obviously better than using some time() get getpid() only. The value of "ps axww|gzip" should be a nice non-predictable thing too.

I would be glad to get some comment about the following code, maybe I missed some important things?

Here are the functions:

sub keyboard_seed() {
    return 0 if ($NO_KEY_TYPEING);      #do nothing if set
    #C would be better... ;-)
    my $time_sum=0;                     #"rotated" value for keystroke timings
    my $key_sum=0;                      #"rotated" value for keycodes
    my $rin='';                         #select() bit vector
    vec($rin,fileno(STDIN),1) = 1;      #construct STDIN select vector
    $r=$rin;                            #select-vector

    #set line discipline: non canonical mode no echo
    system "stty", '-icanon', '-echo', 'eol', "\001";
    select(STDOUT); $|=1;               #set STDOUT unbuffered

    print "I have to collect some enthropy. ",
          "I'll analyze you keyboard hits.\n";
    print "Please hit 32 keys now: [", " " x 32, "]\n";
    print " ---> ";

    for ($n=0; $n<32; $n++) {           #32 keys
        my $one_time=0;                 #time between two keystrokes
        my $c='';                       #1 byte input buffer
        #wait until data on STDIN
        while (($rin=$r,$nfound = select($rin, undef, undef, 0.01)) == 0) {
            $one_time++;                #a time tick without data
            $one_time %= 2**8;          #we take 4 bit only...
        }
        sysread(STDIN, $c, 1);          #read char from STDIN
        print "*";                      #just a mark
        #add some bits to sum:
        my $b4 = ((4 ** $n)%(2**16));   #max 2 bytes (factor)
        my $b6 = ((6 ** $n)%(2**16));   #max 2 bytes (factor)
        $time_sum = $time_sum + $one_time * $b4;            #4 bits (a "shift" in)
        $key_sum = $key_sum + ( ord($c)-ord('0')) * $b6;    #6 bits
    }
    print "\nENOUGH, Thank you!\n\n";
    sleep 2;

    #now we have to flush input (for such users that type 33 chars :-)
    while (($rin=$r,$nfound = select($rin, undef, undef, 0)) != 0) {
        sysread(STDIN, $rin, 1);        #trash input
    }

    #restore line discipline mode
    system "stty", 'icanon', 'echo', 'eol', '^@';   # ASCII null
    select(STDOUT); $|=0;               #set line buffered mode

    my $seed = $time_sum ^ $key_sum ;   #XOR timer and key longs
    printf " (Keyboard seed value: 0x%X [T:0x%X K:0x%X])\n",
        $seed, $time_sum, $key_sum unless($QUIET_MODE);
    return $seed;                       #pass seed to caller
}

sub rnd_init() {
    #calling srand with entropy...
    #we "hash" some "ps" process info and collect entropy from user
    open(OLDERR, ">&STDERR") or die "STDERR->OLDERR $!\n";
    open(STDERR, ">/dev/null") or die "STDERR->/dev/null $!\n";
    close(STDERR);  #"redirect" STDERR; it seems that IT DOES NOT WORK CORRECTLY!!

    #$seed1 = (unpack "%L*", `find /proc -print | xargs cat gzip`);
    $seed1 = keyboard_seed();
    $seed2 = (time ^ $$ ^ unpack "%L*", `ps axww | gzip`);
    $seed = $seed1 ^ $seed2;

    #next line DOES NOT WORK correctly at least under Solaris!!!
    open(STDERR, ">&OLDERR") or print OLDERR "OLDERR->STDERR $!\n";
    close (OLDERR);

    printf " --> 32 bits enthropy: 0x%X <--\n", $seed unless ($QUIET_MODE);
    srand($seed);                       #set calculated seed
}

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
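
Added example, not part of any message in this thread: the alternative Gerhard Sittig mentions (read the kernel random device and keep only bytes in 0x21-0x7E), which also avoids the srand() seeding question Steffen Dettmer raises because no seed is involved. It reads /dev/urandom rather than /dev/random; the function names and the user:password output layout are assumptions of this example.

```shell
#!/bin/sh
# Added illustration, not code from the thread. The function names and the
# "user:password" output layout are assumptions made for this example.

# gen_password LENGTH
# Draw bytes from the kernel CSPRNG and delete (not remap) every byte outside
# 0x21-0x7E. Rejecting out-of-range bytes keeps all 94 characters equally
# likely; folding them in with a modulo would favour some characters.
# The ( ) function body runs in a subshell, so its variables stay local.
gen_password() (
    want=$1
    case $want in
        ''|*[!0-9]*|0) echo "length must be a positive integer" >&2; exit 2 ;;
    esac
    pw=
    while [ "${#pw}" -lt "$want" ]; do
        # 64 random bytes leave about 23 usable characters on average.
        chunk=$(dd if=/dev/urandom bs=64 count=1 2>/dev/null |
                LC_ALL=C tr -dc '!-~')
        pw=$pw$chunk
    done
    printf '%s\n' "$pw" | LC_ALL=C cut -c "1-$want"
)

# assign_passwords USERFILE OUTFILE LENGTH
# Write one "user:password" line per name in USERFILE (names must not contain
# ':'). Blank lines and lines starting with '#' are skipped.
assign_passwords() (
    umask 077    # the list holds cleartext passwords: owner-only access
    set -C       # noclobber: fail instead of overwriting or appending to OUTFILE
    while IFS= read -r user; do
        case $user in ''|'#'*) continue ;; esac
        pw=$(gen_password "$3") || exit 2
        printf '%s:%s\n' "$user" "$pw"
    done < "$1" > "$2"
)

# Example: assign_passwords users.txt passwords.txt 12
```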
participants (6)
- Alexander Reelsen
- Gerhard Sittig
- jan
- John Pinder
- Len Rose
- Steffen Dettmer