[opensuse] Weekly check for weak passwords? Where is it done?
Hello,
I do not know where/what program I installed that causes one system to
send emails weekly telling of insecure passwords. I have 20 systems
with the same rpm -qa list. One system weekly sends emails with a warning
of using insecure password. Only one system does it. I would like to
find out why only one of 20 systems does it. They are all using the same
passwd group shadow file. And if I can believe
# rpm -qa >> /tmp/allrpms-list
# for i in `cat system-names`; do scp -p $i:/tmp/allrpms-list
/tmp/allrpms-list.$i; diff /tmp/allrpms-list /tmp/allrpms-list.$i; done
Then there are no differences between the systems. I have been trying to
find what program is generating it and I have been unsuccessful. Can
anyone tell me what rpm/program does this weekly check?
Thanks,
--
Boyd Gerber
I don't know about mailing, but couldn't you just cron the output of john?
Boyd Lynn Gerber wrote:
> Hello,
> I do not know where/what program I installed that causes one system to send emails weekly telling of insecure passwords. I have 20 systems with the same rpm -qa list. One system weekly sends emails with a warning of using insecure password. Only one system does it. I would like to find out why only one of 20 systems does it. They are all using the same passwd group shadow file. And if I can believe
> # rpm -qa >> /tmp/allrpms-list
> # for i in `cat system-names`; do scp -p $i:/tmp/allrpms-list /tmp/allrpms-list.$i; diff /tmp/allrpms-list /tmp/allrpms-list.$i; done
> Then there are no differences between the systems. I have been trying to find what program is generating it and I have been unsuccessful. Can anyone tell me what rpm/program does this weekly check?
> Thanks,
> --
> Boyd Gerber
> ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
> I do not know where/what program I installed that causes one system to send emails weekly telling of insecure passwords. I have 20 systems with the same rpm -qa list. One system weekly sends emails with a warning of using insecure password. Only one system does it. I would like to find out why only one of 20 systems does it. They are all using the same passwd group shadow file. And if I can believe
Check the mail headers from which host it comes.
-`J'
On Mon, 6 Nov 2006, Jan Engelhardt wrote:
>> I do not know where/what program I installed that causes one system to send emails weekly telling of insecure passwords. I have 20 systems with the same rpm -qa list. One system weekly sends emails with a warning of using insecure password. Only one system does it. I would like to find out why only one of 20 systems does it. They are all using the same passwd group shadow file. And if I can believe
> Check the mail headers from which host it comes.
I know the host that does the email. I know all the hosts that do not do
it. They all run seccheck
START_SECCHK=yes in /etc/sysconfig/seccheck
They all have john installed and when I run it, it does show the same
usernames with the weak passwords. What I can not figure out is why only
this one system generates the emails. They either all should or all not.
But this one system is the only one that does. I am stumped as to what is
different.
I have been going through /etc/sysconfig and all the files are the same
with the exceptions of where they should be different because of system
names.
Thanks,
--
Boyd Gerber
> I know the host that does the email. I know all the hosts that do not do it. They all run seccheck
> START_SECCHK=yes in /etc/sysconfig/seccheck
> They all have john installed and when I run it, it does show the same usernames with the weak passwords. What I can not figure out is why only this one system generates the emails. They either all should or all not. But this one system is the only one that does. I am stumped as to what is different.
JOHN is not used at all, and in fact, is not a rpm dependency for secchk.
/usr/lib/secchk/checkneverlogin is the only file that contains the word 'weak', so I suppose the "bug" is there. This script does not use john, but uses "lastlog", and an administrator is free to not have any lastlog file in /var/log at all, which means "last logged in" events are not recorded at all.
Or in short: The host where seccheck warns about weak passwords is ok, all the other hosts lack a /var/log/lastlog *OR* said users with "weak passwords" fulfill the following conditions
(1) never changed their initial password AND
(2) never logged in on that particular machine
Since you replicate the password database (/etc/shadow or others), a user may change his "weak" password into a good one, without the host noticing.
In other words, the script that checks for weak passwords
(1) ASSUMES that you have to login ON THAT PARTICULAR MACHINE to change your password.
(2) ASSUMES that once you have logged in to that particular machine you are going to change your password - which is a wrong assumption. Password change is often not enforced on first login. File a bug report for (2).
> I have been going through /etc/sysconfig and all the files are the same with the exceptions of where they should be different because of system names.
> Thanks,
> --
> Boyd Gerber
> ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
-`J'
On Mon, 6 Nov 2006, Jan Engelhardt wrote:
>> I know the host that does the email. I know all the hosts that do not do it. They all run seccheck
>> START_SECCHK=yes in /etc/sysconfig/seccheck
>> They all have john installed and when I run it, it does show the same usernames with the weak passwords. What I can not figure out is why only this one system generates the emails. They either all should or all not. But this one system is the only one that does. I am stumped as to what is different.
The file that generates the email is in /usr/lib/secchk. It is security-weekly.sh. Which is what I wanted to know. So thanks.
> Since you replicate the password database (/etc/shadow or others), a user may change his "weak" password into a good one, without the host noticing.
> In other words, the script that checks for weak passwords
> (1) ASSUMES that you have to login ON THAT PARTICULAR MACHINE to change your password.
> (2) ASSUMES that once you have logged in to that particular machine you are going to change your password - which is a wrong assumption. Password change is often not enforced on first login. File a bug report for (2).
The strange problem is that I ssh to the machine that sends me the email
daily. I do not use the KDE login. I have used it 3 times on this
machine. On one of the machines that does not send me an email I do log
on to it daily with ssh as well, but I do use the KDE login on it daily.
So I have my question answered. I wanted to know what program did it.
Now I just have to understand why one machine judges the exact same
password as OK on one machine but insecure on another. At least I now
know what I am looking for.
Thanks,
--
Boyd Gerber
> The strange problem is that I ssh to the machine that sends me the email
Running the session pam stack should be enough to touch /var/log/lastlog. (And even if it's not PAM, SSH will write to lastlog)
-`J'
The Monday 2006-11-06 at 07:13 +0100, Jan Engelhardt wrote:
> JOHN is not used at all, and in fact, is not a rpm dependency for secchk.
I think it uses it if it is installed, or so say the weekly emails:
| Password security checking not possible, package john not installed.
Checking the scripts in 10.1, it is used both in the week and monthly checks. The former sends an email to each user with an insecure password; the monthly check sends the list to root.
--
Cheers,
Carlos E. R.
The Sunday 2006-11-05 at 15:49 -0700, Boyd Lynn Gerber wrote:
> I do not know where/what program I installed that causes one system to send emails weekly telling of insecure passwords. I have 20 systems with the same rpm -qa list. One system weekly sends emails with a warning of using insecure password. Only one system does it. I would like to find out why only one of 20 systems does it. They are all using the same passwd group shadow file. And if I can believe
Do you see something like this at the start?
| This is an automated mail by the seccheck tool. If you want to disable
| this service, set START_SECCHK=no in /etc/sysconfig/seccheck.
It tells that it is the "seccheck tool", and indeed, there is a package of that name. It also tells the configuration setting that disables it. It uses "john" for the password check part.
--
Cheers,
Carlos E. R.
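Added example, not part of the thread and not seccheck's own code: identical `rpm -qa` lists say nothing about per-host state, so this function prints the items the replies point at (the START_SECCHK switch, a john binary, /var/log/lastlog, and which scripts in /usr/lib/secchk mention "john" or "weak") as key=value lines that can be diffed between the mailing host and a silent one. The function name, the optional root-prefix argument and the directories searched for john are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from the seccheck package.
# Prints the per-host state the thread points at, as key=value lines,
# so the output from two hosts can be compared with diff.
# $1 is an optional root prefix (e.g. a copied tree); empty = live system.
seccheck_fingerprint() {
    root="${1:-}"
    cfg="$root/etc/sysconfig/seccheck"
    libdir="$root/usr/lib/secchk"

    # The switch named in the seccheck mail text.
    if [ -r "$cfg" ]; then
        val=$(sed -n 's/^START_SECCHK=//p' "$cfg" | tail -n 1 | tr -d "\"'")
        echo "START_SECCHK=${val:-unset}"
    else
        echo "START_SECCHK=no-config-file"
    fi

    # Is a john binary present? The directory list is an assumption.
    john=absent
    for d in usr/sbin usr/bin usr/local/bin; do
        if [ -x "$root/$d/john" ]; then john="/$d/john"; fi
    done
    echo "john=$john"

    # One reply says checkneverlogin uses lastlog; record whether it has data.
    if [ -s "$root/var/log/lastlog" ]; then
        echo "lastlog=present"
    else
        echo "lastlog=missing-or-empty"
    fi

    # Which installed check scripts mention john or the word "weak"?
    for word in john weak; do
        hits=$(grep -l -i "$word" "$libdir"/* 2>/dev/null |
               sed 's|.*/||' | sort | tr '\n' ' ')
        echo "scripts_mentioning_$word=${hits% }"
    done
}

# Usage on each host, then diff the files:
#   seccheck_fingerprint > "/tmp/secchk-state.$(hostname)"
```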
participants (4): Boyd Lynn Gerber, Carlos E. R., Jan Engelhardt, John Meyer