Re: [SLE] how to see passwords
On Monday 07 April 2003 12:01, you wrote:
I'm root on our lan with around 50 users. How can I get a list of their passwords?
You don't. Well, you could try to run something John The Ripper against /etc/shadow Does that mean that I can't or I shouldn't?
You don't need to, as r00t, you can always su to them ;)
But I want to find out what their password was. Can I do that? Is there something which will hack into /etc/shadow and decipher it?
I tend to give them a good kicking[1] Yeah. Know how you feel.
On Monday 07 April 2003 12:15, fsanta wrote:
But I want to find out what their password was. Can I do that? Is there something which will hack into /etc/shadow and decipher it?
No there isn't. The strings in /etc/shadow aren't encrypted versions of the password, they are encrypted strings of zeros, with the password used as encryption key. It's a one way encryption. The best you can hope to do is use a tool that will test a large number of keys, and hope you find one that matches. James mentioned John the ripper, and there's also cracklib, which I believe SuSE use in their security check to find weak password.
Anders Johansson schrieb:
On Monday 07 April 2003 12:15, fsanta wrote:
But I want to find out what their password was. Can I do that? Is there something which will hack into /etc/shadow and decipher it?
Yes there is. Locate "JOHN" I used it on NT also. Works for ages tho. -- *º¤.,___,.¤º*¨¨¨*¤ =Oliver@home= *º¤.,¸¸¸,.¤º*¨¨*¤ I / __|__ http://www.bmw-roadster.de/Friends/Olli/olli.html I I / / |_/ http://www.bmw-roadster.de/Friends/friends.html I I \ \__|_\ http://groups.yahoo.com/group/VGAP-93 I I \___| mailto:VGAP-93-subscribe@yahoogroups.com I
Telek0ma iBBMS - moving house, but online! +49....TRSi1 <<<
On Monday 07 April 2003 11:15 am, fsanta wrote:
On Monday 07 April 2003 12:01, you wrote:
I'm root on our lan with around 50 users. How can I get a list of their passwords?
You don't. Well, you could try to run something John The Ripper against /etc/shadow
Does that mean that I can't or I shouldn't?
Shouldn't
You don't need to, as r00t, you can always su to them ;)
But I want to find out what their password was. Can I do that? Is there something which will hack into /etc/shadow and decipher it?
Why do you want to know what the password is? You know you can get to their data etc etc with su. The value of the password is the value of what is hidden behind it. So if you can get to the thing the password protects, the only value of the password is if a user is using the same password to protect something else for which you are not root... Are you dangerous to know? ;-) regards Vince Littler
Why do you want to know what the password is? You know you can get to their data etc etc with su. The value of the password is the value of what is hidden behind it. So if you can get to the thing the password protects, the only value of the password is if a user is using the same password to protect something else for which you are not root...
Are you dangerous to know? ;-)
Hopefully not :-o What I wanted to do was save time in reissuing passwords to those students who had lost or forgotten them. (see previous in thread where I had made a bad decision in NIS to allow them to change their passwords).
* fsanta
What I wanted to do was save time in reissuing passwords to those students who had lost or forgotten them. (see previous in thread where I had made a bad decision in NIS to allow them to change their passwords).
Assign their passwords yourself and direct them to use what you assigned. Gives you *complete* control and you do *not* have to try to break any more passwords. If I understand correctly your intent, this will/would solve your problems. -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience
At our place of employment we have over 500 users and yes some do forget
their passwords. I do/will not set passwords for them. I will set a
temporary password and force them to change it on their next login. We are
using SCO unix and it has a passwd parameter -f = force change at next
login. Does anyone on this list know if there is a simular command under
linux?
Also our passwords are set to expire every 6 months which causes users to
set a new password.
Ken
-----Original Message-----
From: Patrick Shanahan
* fsanta
[04-07-03 12:18]: What I wanted to do was save time in reissuing passwords to those
students who
had lost or forgotten them. (see previous in thread where I had made a bad decision in NIS to allow them to change their passwords).
Assign their passwords yourself and direct them to use what you assigned. Gives you *complete* control and you do *not* have to try to break any more passwords. If I understand correctly your intent, this will/would solve your problems. -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
In Linux you can use the -e parameter to expire the password immediately and force the user to change the password on the next login. Avi On Monday, Apr 7, 2003, at 16:37 America/Chicago, Ken Schneider wrote:
At our place of employment we have over 500 users and yes some do forget their passwords. I do/will not set passwords for them. I will set a temporary password and force them to change it on their next login. We are using SCO unix and it has a passwd parameter -f = force change at next login. Does anyone on this list know if there is a simular command under linux?
Also our passwords are set to expire every 6 months which causes users to set a new password.
Ken -- Avi Schwartz avi@CFFtechnologies.com
''You can turn painful situations around through laughter. If you can find humor in anything, even poverty, you can survive it.'' - Bill Cosby
* Avi Schwartz
In Linux you can use the -e parameter to expire the password immediately and force the user to change the password on the next login.
Will not help in this case. User has forgotten his password. -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience
On Mon, Apr 07, 2003 at 07:01:22PM -0500, WideGlide@MyRealBox.com wrote:
* Avi Schwartz
[04-07-03 17:16]: In Linux you can use the -e parameter to expire the password immediately and force the user to change the password on the next login.
Will not help in this case. User has forgotten his password.
Well, it will, sort of. Basically, you can retrieve a password from the system. However, it takes quite a long time, since it basically involves a brute force attack by trying every possible value until you find one that works. If you've configured the system to use one of the more secure types of password (e.g. MD5), then it's much more difficult, and takes a lot more CPU power (possibly so much that it's impractical). There are shortcuts, such as trying dictionary words (and permutations thereof), birthdays, names, etc. first, but this is still a 'brute force' attack, albeit slightly more intelligent. The correct way to do this is as mentioned above. Make up a new password for the user, and give it to them. Log in as root, and change their password to this new value, but use the -e option to force it to expire immediately. They can then log in using the password you've just given them, but they have to change it straight away. That way, only *they* end up knowing their own password - you don't need to know it yourself, since you can su to their username from root without a password. If you're looking for speed, then you should just set a new password. trying to get back the old one will (should) take a long time. If you can crack their password very quickly, you need to educate your users to use more secure passwords. HTH... -- David Smith Work Email: Dave.Smith@st.com STMicroelectronics Home Email: David.Smith@ds-electronics.co.uk Bristol, England GPG Key: 0xF13192F2
Patrick Shanahan schrieb:
* Avi Schwartz
[04-07-03 17:16]: In Linux you can use the -e parameter to expire the password immediately and force the user to change the password on the next login.
Will not help in this case. User has forgotten his password.
You did not understand. What Avi is telling you is to set a new password for the user, tell this new pw to the user and having set it using the -e parm, the user is prompted automatically to change it next login. -- *º¤.,___,.¤º*¨¨¨*¤ =Oliver@home= *º¤.,¸¸¸,.¤º*¨¨*¤ I / __|__ http://www.bmw-roadster.de/Friends/Olli/olli.html I I / / |_/ http://www.bmw-roadster.de/Friends/friends.html I I \ \__|_\ http://groups.yahoo.com/group/VGAP-93 I I \___| mailto:VGAP-93-subscribe@yahoogroups.com I
Telek0ma iBBMS - moving house, but online! +49....TRSi1 <<<
On Monday 07 April 2003 12:01, you wrote:
I'm root on our lan with around 50 users. How can I get a list of their passwords?
You don't. Well, you could try to run something John The Ripper against /etc/shadow Does that mean that I can't or I shouldn't?
You don't need to, as r00t, you can always su to them ;)
But I want to find out what their password was. Can I do that? Is there something which will hack into /etc/shadow and decipher it?
When you log on your unix station, the password you enter is encrypted, then compared to the ecrypted password in /etc/shadow. It is not possible to know what the password was at the beginning, because the unix encrypt command is not reversible. Therefore, if you want to find out what the original password was, you need to do a dictionnay attack (basically try all possible paswords, or try at least the obvious ones first). This is what John The Ripper does. Thomas
participants (9)
-
Anders Johansson
-
Avi Schwartz
-
Dave Smith
-
fsanta
-
Ken Schneider
-
Oliver Ob [o.b./RSi/TRSi/NSD]
-
Patrick Shanahan
-
Thomas
-
Vince Littler