[opensuse] Weekly check for weak passwords? Where is it done?

newer
Suse mailing list relay listed at...

Boyd Lynn Gerber

5 Nov 2006 5 Nov '06

23:49

Hello, I do not know where/what program I installed that causes one system to send emails weekly telling of insecure passwords. I have 20 systems with the same rpm -qa list. One system weekly sends emails with a warning of using insecure password. Only one system does it. I would like to find out why only one of 20 systems does it. They are all using the same passwd group shadow file. And if I can believe # rpm -qa >> /tmp/allrpms-list # for i in `cat system-names`; do scp -p $i:/tmp/allrpms-list /tmp/allrpms-list.$i; diff /tmp/allrpms-list /tmp/allrpms-list.$i; done Then there is not differences between the systems. I have been trying to find what program is generating it and I have been unsucsessful. Can any one tell me what rpm/program does this weekly check? Thanks, -- Boyd Gerber ZENEZ 1042 East Fort Union #135, Midvale Utah 84047 --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Show replies by date

John Meyer

6 Nov 6 Nov

00:34

I don't know about mailing, but couldn't you just cron the output of john? Boyd Lynn Gerber wrote:

...

Hello,

I do not know where/what program I installed that causes one system to send emails weekly telling of insecure passwords. I have 20 systems with the same rpm -qa list. One system weekly sends emails with a warning of using insecure password. Only one system does it. I would like to find out why only one of 20 systems does it. They are all using the same passwd group shadow file. And if I can believe

# rpm -qa >> /tmp/allrpms-list # for i in `cat system-names`; do scp -p $i:/tmp/allrpms-list /tmp/allrpms-list.$i; diff /tmp/allrpms-list /tmp/allrpms-list.$i; done

Then there is not differences between the systems. I have been trying to find what program is generating it and I have been unsucsessful. Can any one tell me what rpm/program does this weekly check?

Thanks,

-- Boyd Gerber ZENEZ 1042 East Fort Union #135, Midvale Utah 84047 --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jan Engelhardt

00:37

New subject: SPAM: Re: [opensuse] Weekly check for weak passwords? Where is it done?

...

I do not know where/what program I installed that causes one system to send emails weekly telling of insecure passwords. I have 20 systems with the same rpm -qa list. One system weekly sends emails with a warning of using insecure password. Only one system does it. I would like to find out why only one of 20 systems does it. They are all using the same passwd group shadow file. And if I can believe

CHeck the mail headers from which host it comes.

...

-`J' -- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Boyd Lynn Gerber

00:55

New subject: SPAM: Re: [opensuse] Weekly check for weak passwords? Where is it done?

On Mon, 6 Nov 2006, Jan Engelhardt wrote:

...

...
I do not know where/what program I installed that causes one system to send emails weekly telling of insecure passwords. I have 20 systems with the same rpm -qa list. One system weekly sends emails with a warning of using insecure password. Only one system does it. I would like to find out why only one of 20 systems does it. They are all using the same passwd group shadow file. And if I can believe

CHeck the mail headers from which host it comes.

I know the host that does the email. I know all the hosts that do not do it. They all run seccheck START_SECCHK=yes in /etc/sysconfig/seccheck They all have john installed and when I run it does show the same usernames with the weak passwords. What I can not figure out is why only this one system generates the emails. They either all should or all not. But this one system is the only one that does. I am stupped as to what is different. I have been going through /etc/sysconfig and all the files are the same with the execptions of where they should be different because of system names. Thanks, -- Boyd Gerber ZENEZ 1042 East Fort Union #135, Midvale Utah 84047 --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jan Engelhardt

07:13

New subject: SPAM: Re: [opensuse] Weekly check for weak passwords? Where is it done?

...

I know the host that does the email. I know all the hosts that do not do it. They all run seccheck

START_SECCHK=yes in /etc/sysconfig/seccheck

They all have john installed and when I run it does show the same usernames with the weak passwords. What I can not figure out is why only this one system generates the emails. They either all should or all not. But this one system is the only one that does. I am stupped as to what is different.

JOHN is not used at all, and in fact, is not a rpm dependency for secchk. /usr/lib/secchk/checkneverlogin is the only file that contains the word 'weak', so I suppose the "bug" is there. This script does not use john, but uses "lastlog", and an administrator is free to not have any lastlog file in /var/log at all, which means "last logged in" events are not recorded at all. Or in short: The host where seccheck warns about weak passwords is ok, all the other hosts lack a /var/log/lastlog *OR* said users with "weak passwords" fulfill the following conditions (1) never changed their initial password AND (2) never logged in on that particular machine Since you replicate the password database (/etc/shadow or others), a user may change his "weak" password into a good one, without the host noticing. In other words, the script that checks for weak passwords (1) ASSUMES that you have to login ON THAT PARTICULAR MACHINE to change your password. (2) ASSUMES that once you have logged in to that particular machine you are going to change your password - which is a wrong assumption. Password change is often not enforced on first login. File a bug report for (2).

...

I have been going through /etc/sysconfig and all the files are the same with the execptions of where they should be different because of system names.

Thanks,

-- Boyd Gerber ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

-`J' -- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Boyd Lynn Gerber

13:09

New subject: SPAM: Re: [opensuse] Weekly check for weak passwords? Where is it done? Question of program is solved. Understanding why is still under way. Thanks

On Mon, 6 Nov 2006, Jan Engelhardt wrote:

...

...
I know the host that does the email. I know all the hosts that do not do it. They all run seccheck

START_SECCHK=yes in /etc/sysconfig/seccheck

They all have john installed and when I run it does show the same usernames with the weak passwords. What I can not figure out is why only this one system generates the emails. They either all should or all not. But this one system is the only one that does. I am stupped as to what is different.

The file that generates the email is in /usr/lib/secchk. It is security-weekly.sh. Which is what I wanted to know. So thanks.

...

Since you replicate the password database (/etc/shadow or others), a user may change his "weak" password into a good one, without the host noticing.

In other words, the script that checks for weak passwords

(1) ASSUMES that you have to login ON THAT PARTICULAR MACHINE to change your password.

(2) ASSUMES that once you have logged in to that particular machine you are going to change your password - which is a wrong assumption. Password change is often not enforced on first login. File a bug report for (2).

The strange problem is that I ssh to the machine that send's me the email daily. I do not use the KDE login. I have used it 3 times on this machine. On one of the machines that does not send me an email I do log on to it daily with ssh as well, but I do use the KDE login on it daily. So I have my question answered. I wanted to know what program did it. Now I just have to understand why one machine judges the exact same password as OK on one machine but insecure on an other. At least I now know what I am looking for. Thanks, -- Boyd Gerber ZENEZ 1042 East Fort Union #135, Midvale Utah 84047 --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jan Engelhardt

16:09

New subject: SPAM: Re: [opensuse] Weekly check for weak passwords? Where is it done? Question of program is solved. Understanding why is still under way. Thanks

...

The strange problem is that I ssh to the machine that send's me the email

Running the session pam stack should be enough to touch /var/log/lastlog. (And even if it's not PAM, SSH will write to lastlog) -`J' -- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R.

9 Nov 9 Nov

00:00

New subject: SPAM: Re: [opensuse] Weekly check for weak passwords? Where is it done?

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Monday 2006-11-06 at 07:13 +0100, Jan Engelhardt wrote:

...

JOHN is not used at all, and in fact, is not a rpm dependency for secchk.

I think it uses it if it is installed, or so says the weekly emails: | Password security checking not possible, package john not installed. Checking the scripts in 10.1, it is used both in the week and montly checks. The former sends an email to each user with an insecure password; the monthly check sends the list to root. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFFUmF7tTMYHG2NR9URAuOBAKCDasHQnOyumIJFkicPKSkQX3l07QCgkIy5 b/wgFyc9a7yz4LbYZbUT4S8= =/zyq -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R.

6 Nov 6 Nov

00:46

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Sunday 2006-11-05 at 15:49 -0700, Boyd Lynn Gerber wrote:

...

I do not know where/what program I installed that causes one system to send emails weekly telling of insecure passwords. I have 20 systems with the same rpm -qa list. One system weekly sends emails with a warning of using insecure password. Only one system does it. I would like to find out why only one of 20 systems does it. They are all using the same passwd group shadow file. And if I can believe

Do you see something like this at the start? | This is an automated mail by the seccheck tool. If you want to disable | this service, set START_SECCHK=no in /etc/sysconfig/seccheck. It tells that it is the "seccheck tool", and indeed, there is a package of that name. It also tells the configuration setting that dissables it. It uses "john" for the password check part. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFFTnfYtTMYHG2NR9URArzxAJ40jF/AJun8eB0magrkBC+un2iIGACcDFFx PNWDm+XJ24qENP9g9uHKLYQ= =PoCv -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

6385

Age (days ago)

6388

Last active (days ago)

List overview

Download

8 comments

4 participants

participants (4)

Boyd Lynn Gerber
Carlos E. R.
Jan Engelhardt
John Meyer