[TriLUG] Need to compare pw's

Tue Feb 13 00:43:13 EST 2007

Roy Vestal wrote:
> We're basically inventorying all our servers. Since these are in a devel
> lab, the users move the servers around (literally) sometimes, can
> rebuild their boxes on the fly (they loose our support), etc.
> 
> This will be part of our inventory process, to see *if* the passwords
> have been changed (i.e. rebuilt server so no longer under support)
> 
> I wish I could give more specifics, but due to the nature, I have to be
> pretty vague.
> 
> These servers are already part of NIS+, with local root.
> 
> Again, I don't want to make the passwords the same, just check to see if
> they are. purely inventory only.
> 
> jonc at nc.rr.com wrote:
>> Roy,
>>
>> Would it be sufficient if you made all the passwords the same?  You
>> could simply pick on of the servers and make it the Master (so to
>> speak). Copy it's hash to all the other unix boxen and then you'll know
>> that all the pw's are the same across boxen.
>>
>> You could also enable NIS logins and point everything to one Unix box.
>>
>> I can't think of any other easy way of making sure the pw's were the
>> same... outside of using a pw breaking app on each server and then
>> comparing.
>>
>> Good Luck - Jon
>>
>> ----- Original Message -----
>> From: Roy Vestal <rvestal at trilug.org>
>> Date: Monday, February 12, 2007 11:16 am
>> Subject: [TriLUG] Need to compare pw's
>> To: Triangle Linux Users Group discussion list <trilug at trilug.org>
>>
>>> Folks,
>>>  I need to compare passwords among differing *nix boxes. I need to
>>> verify the different hashes on the boxes and determine if they are
>>> the same or different. *I do NOT need to crack them!!*
>>>
>>> Does anyone know a simple procedure on comparing 2 passwords using
>>> the hashes? I can sed/grep/awk whatever to get the hashes out of the
>>> password files (names will *not* be given here for security
>>> purposes), but I'm not sure is a simple "if [ $a ne $b ] then..."
>>> will work.
>>>
>>> TIA,
>>> Roy
>>> -- 
>>> TriLUG mailing list        :
>>> http://www.trilug.org/mailman/listinfo/trilugTriLUG Organizational
>>> FAQ  : http://trilug.org/faq/
>>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>>
> 

Just to throw in a few cents.  The salt is one problem (and as people
have pointed out, it will stop you cold, when it comes to comparing the
passwords), but don't forget you might run into multiple hashing
algorithms, depending on how diverse your infrastructure is.

An alternate solution might be to setup a central repository, have
everyone come and punch in their passwords, and then use that as a
source to pass through crypt() on the various devices to see if they're
valid.  Of course, this only works with the willing consent and trust of
your users, and introduces it's own set of security problems.  It's
probably only reasonable if this is a low-security high-trust lab scenario.

I'm sure you've also considered that in the future, you might mark the
box in some way that indicates it's supported.  That could be the
presence of an account with a uniquely salted password that the user
doesn't know, that has to match for it to be supported (think, username:
supported, password set at install time to "you'restillinluck").  If you
can't login with that u&p, the owner has rebuilt the machine or tinkered
with it in some unacceptable fashion.  This doesn't help your current
situation, but might help you in the future.

Aaron S. Joyner