Fedora Security :: Generating Password Hashes Compatible With FC11/sha-512 Shadow File?

Jul 3, 2009

I've been trying to write php or perl code to generate the sha-512 password hashes in fedora. I've been unable to do the hashing which is encoded in the shadow file on fedora core 11. Does anyone have php or perl code which provides the hashing algorithm? (All of my attempts result in the encrypted hashing being longer than 86 characters -- the length that crypt says the sha-512 should be.)

View 3 Replies


Security :: Shadow Password Hashes - If My $id$ Was $5$, Which Is Sha256?

Apr 26, 2011

The /etc/shadow file contains an id of $1$, $2$, $5$ or $6$ to show the encryption method used. A salt follows this, followed by the password hash. When a user is created and a password is set, a hash is RANDOMLY generated and used as the salt to the password hash. Every time that user logs in, login checks /etc/shadow for the $id$ and salt and runs the password given by the user through the hash mechanism ($id$) using the salt in /etc/shadow. So basically does login look at /etc/shadow for the $id$ and salt to create a hash with which to compare to the /etc/shadow hash?

Question 2 - If my $id$ was $5$, which is sha256, how would I go about changing this? Like is there a shadow.conf or crypt.conf or something? Can I change it per user?

View 2 Replies View Related

Security :: Shadow File Readable - MD5 Password Exposed

Jun 7, 2010

I noticed that our /etc/shadow file is readable on a patch I released for one of our in-house Linux boxes a while back. Could they use it to gain access to the root account etc? Our passwords are all MD5 encrypted.

View 5 Replies View Related

Security :: Generating A Key Compatible With PGP?

Jun 24, 2010

I am currently using [URL] to send and receive faxes at work. I need the faxes to be encrypted. They offer public key encryption with PGP 9.8.2. They just need my public key to be compatible with their PGP version. I found a few statements at the GPG site, which may not be true for newer versions of gpg: PGP, Inc. refuses to accept Elgamal keys of type 20 even for encryption. They only support type 16. PGP 5.x does not accept v4 signatures for data material but OpenPGP requests generation of v4 signatures for all kind of data, that's why GnuPG defaults to them. By default, GnuPG encrypts your secret key using the Blowfish symmetric algorithm. Older PGPs will only understand 3DES, CAST5, or IDEA symmetric algorithms. PGP doesn't do Elgamal signing keys at all, so they are not usable with any version. I attempt to avoid using trial and error here, because an incompatible key may provoke loss of crucial information. It is difficult to estimate how long it would take them/me to find out that the key provided was not compatible; but probably it would entail a significant loss for the business.

View 1 Replies View Related

General :: Shadow File Password Policy?

Oct 1, 2010

Today I was going through some of the security guides written on Linux. Under shadow file security the following points were mentioned:
1) The encrypted password stored under /etc/shadow file should have more than 14-25 characters.
2) Usernames in shadow file must satisfy all the same rules as usernames in /etc/passwd.
3) Password for application username should display * if username is not locked.
4) If a user is locked it should be displayed as ! as the first character in second field of shadow file.

Confusion for point 1 and 2: Now I'm confused as to why the encrypted password should be more than 14-25 characters. Also what rules to satisfy? How to check it?

Confusion for point 3 and 4: There are a lot of users with * as second field; I guess they are not locked, but according to the 4th point there are a lot of users with ! as first character. How would I check whether they are actually locked or not? I'm posting the output of /etc/shadow and /etc/passwd files for the account.

View 11 Replies View Related

General :: Grep All Values Other Than Encrypted Password From /etc/shadow File?

Jan 14, 2010

I would like to grep all values other than encrypted password from /etc/shadow file. For example, each line consists of 8 fields separated with :/ The only thing that I want not to print out is the contents between first : and second : (encrypted password).

View 7 Replies View Related

Server :: Adding Entries Directly In Password Shadow File

Mar 11, 2011

I am working on building a customized ISO image of a server based on Linux. The thing is, after the server is installed and run for the first time, three users have to be created for the various services to run properly. I want this to be automated. To achieve this, what I was thinking is to automatically enter the user entries in the /etc/passwd and /etc/shadow files through init scripts when the server starts for the first time after the installation. I tried creating a user and assigning a password on one of my machines, and the /etc/passwd and the /etc/shadow entries of this user I copied into the other machine and tried logging in on the other machine and everything worked fine. How I am trying to achieve this.

View 1 Replies View Related

Server :: Changes Happened In /etc/shadow File, When User Changing Password?

Jan 24, 2011

I want to know how changes happen in the encrypted password in the /etc/shadow file when a user changes their password, because the user does not have access to that file.

View 1 Replies View Related

General :: Using Fedora 11 Password, Shadow, Gshadow, Group Files In Fedora 12?

Apr 28, 2010

I recently mashed the passwd, shadow, gshadow, group files in my Fedora 12 installation. I was dumb and didn't take a copy of the originals and all I have is the originals from a Fedora 11 installation.

View 2 Replies View Related

Fedora Security :: SELinux Macro Expansions Generating Numbers?

Mar 28, 2009

I have gotten over my inability to add SELinux users and am trying to write an SELinux module on my Fedora 10 machine, standard SELinux distribution. Most of it works just fine, but I've been having strange troubles with some policy interfaces--m4 expands them to numbers rather than valid SELinux policy language. Here's what I'm getting:

seutil_read_config($1_t) ---> 679
seutil_read_src_policy($1_t) ---> 1021
files_search_etc($1_t) ---> 1875

As far as I know all of these are valid policy interfaces (I've checked them up in their respective files, and they do exist and contain what appears to be valid policy). The last one I know because I went into seutil_read_src_policy and put its contents into the module rather than the macro itself. Now, I could do the same with files_search_etc, but really I'd like the top-level macro to just work. Does anyone know what is causing this problem? I'm certain I'm using correct syntax, unless there's a whitespace rule I'm not familiar with.

A secondary problem I have, generating warnings rather than errors, is that for some reason ' s are popping up in my expanded module, right after the end of expansions of some (but not all) macros that I've defined.

View 2 Replies View Related

Fedora Security :: Error - Cannot Read /etc/shadow: Permission Denied

Jan 20, 2010

This is weird, today I updated my system and while trying to visudo from single user mode got

"cannot read /etc/shadow: Permission denied"

which kept me from doing anything until I switched to file permissions of 400 on shadow, then back. Is this being experienced by anyone else or just me? /etc/security/limits.conf doesn't seem like it wants to change in enforcing mode either and I can't find any alerts to provide clues on the situation.

View 8 Replies View Related

Fedora Security :: SELinux Blocking Sshd Access To Shadow?

Mar 6, 2010

I'm trying to setup ssh access on my Fedora 12 laptop. I get the following error message in /var/log/secure when I try to login from another machine using ssh and the login is denied:

Code:

sshd[3025]: error: Could not get shadow information for <user>
sshd[3025]: Failed password for <user> from <ip> port <port> ssh2

If I do a 'setenforce 0' I can login and no error is logged.

View 10 Replies View Related

Ubuntu Security :: JTR - More Pw Hashes Than Users?

May 13, 2010

I'm currently running tests on my SAM file on my XP partition. Partly because I want a password that is hard to crack, and also out of curiosity. While running John the Ripper (no options used) I'm noticing that there are 8 password hashes, yet only 4 users associated with WinXP. I know that JTR only does 7(?) characters when it checks for a solution. Is the 8 hashes because it separates passwords longer than 7 into 2 hashes, and then cracks them individually as 2 parts? I did try googling this,

View 2 Replies View Related

Fedora Security :: Password Protect File Folders?

Oct 12, 2009

I was wondering how to password protect certain file folders?

View 6 Replies View Related

Ubuntu Security :: Md5 In Terminal Hashes Differently Than PHP?

Jan 16, 2010

I'm trying to generate MD5 hashtext within gnome-terminal that will match that generated by PHP running on a live web server. However, when I hash the same text I get completely different results!

Code:
<?php md5('testing123') ?> ===> 7f2ababa423061c509f4923dd04b6cf1
bash$ echo 'testing123' | openssl md5 ===> bad9425ff652b1bd52b49720abecf0ba

Could this be a character set problem? My terminal is running UTF-8, but even if I change it to ISO-8859-1, the hashtext that's generated is the same. Also tried using md5sum with a text file, saved in various character encodings, but still got the same [wrong] hashtext. I'm running Ubuntu 9.10, tried running the local hash in both gnome-terminal 2.28.1 and the CTRL+ALT+F1 console.

View 2 Replies View Related

Fedora Security :: FC11, SELinux, And Initrd No-boot Scenario And Resolution?

Jul 16, 2009

So, I had fun with this one the past week. I had an FC11 system running just fine. Then one day it would not boot - it was hung somewhere inside the init script of the initrd image. CTRL-ALT-DEL would reboot the system. Using grub editor, I could temporarily delete the initrd line and boot into the system OK. But what was going on?

mkinitrd was of no help to me. I even did a yum update, which got a new kernel, which also generated a new initrd - no joy. I extracted the initrd file system and edited the init script. I eventually hit on this tidbit: If I commented out this line:

daemonize --ignore-missing /bin/plymouthd

and rebuild the initrd image - the system would finally at least tell me what the problem was: mount failed for selinuxfs on /selinux. No such file or directory.

So, I examine the root (the real root, not the initrd temporary root) - and sure enough, no /selinux. I make one and reboot. The system goes into a "targeted policy relabel" operation, reboots, and I am back in business - even with my original, unmodified, initrd.

I have no idea what happened to my /selinux directory, but I think the initrd "init" script needs to check for this directory's existence, and make it if necessary. Or at least report that it isn't there. In FC11 right now the system just HANGS without this directory being present, without any clue as to what the problem is!

View 1 Replies View Related

Software :: Password Encryption In /etc/shadow?

Jun 16, 2009

I am moving my Linux server from Suse 10 to Ubuntu 9.04 and I moved the significant parts of /etc/shadow, /etc/passwd, and /etc/group over to Ubuntu 9.04. I am not able to log in to the computer with the old accounts. The only problem I see is that the old accounts use Blowfish and DES to encrypt the passwords in /etc/shadow, and Ubuntu uses SHA512. If I change the passwords, the accounts will work. However, I have about 300 accounts to move, and I don't want to do that to all of them. I have tried Ubuntu Forums and talked to every Linux expert I know, and no one has an answer.

View 7 Replies View Related

Fedora Security :: FC11 Is Set By Default To Reset The IPTables Firewall To ACCEPT Across The Board Each Restart?

Jul 16, 2009

How come FC11 is set by default to reset the IPTables firewall to ACCEPT across the board each restart?

View 4 Replies View Related

Programming :: Extracting Last Section Of File (Separated By Hashes)

Feb 22, 2011

I have a file which looks something like this:

##########
some
text
text also includes empty lines
##########
some
more
text
##########

Basically all sections are separated by 10 hashes and I need to somehow only print all lines in the last section (the "some more text" part in the example above). I tried all kinds of things with sed and awk but I didn't find any way to identify the last "section".

View 8 Replies View Related

General :: Converting A String To An Shadow Password Format

Apr 15, 2010

I need to manually convert a string (like with echo) to a DES crypt format to be inserted inside a /etc/shadow file. Does anybody know how I can do that?

Maybe there is some little tool that could handle that operation, well.. I don't know, hope someone can give me a hint on that.

View 3 Replies View Related

Security :: Looking For Documentation For Generating Certificates

May 10, 2011

Is there a guide somewhere that covers all the security module topics for Linux, somewhat from top to bottom? Such as LDAP TLS RSA secure auth... generating certs etc etc. All of it and how it all ties together. Sure I can find you should use this etc., or guides that don't explain much or how they work together to complete the suite. TLD seems to suffer from the same thing that I just stated...

View 1 Replies View Related

Fedora Installation :: Most Recent ISO File To Burn FC11 DVD?

Aug 18, 2009

I'd like to know if there is a more recent ISO to be downloaded to burn the FC11 Installation DVD. I could get around this Nvidia graphic installation problem where I am getting a command line system only.

View 10 Replies View Related

Ubuntu Security :: Generating Numeric Dictionary For Wpa?

Jul 18, 2010

I just got a new internet connection from the local service provider. During installation, he insisted that I use my mobile number as the wpa password for the wifi. From what I've heard, this is company policy. I'm a little skeptical about this as I've read wpa is crackable using a dictionary if the password is in there. So I looked around and found the air-crack suite to test the security for my access point. As my password is only numeric, I couldn't find only a numeric dictionary to use with air-crack.

So, I would like to create a dictionary that has only 10 digits, and the first two digits should be "05", because that's what mobile numbers here start from. I would be really grateful if anyone could point me to a way to do this easily.

View 9 Replies View Related

Security :: User Appear In /etc/shadow And Not /etc/passwd

Jul 28, 2010

In what cases would a user appear in /etc/shadow and not /etc/passwd?

View 2 Replies View Related

Software :: Check A String With Actual User Passwd (ie Password In /etc/shadow)?

Sep 24, 2009

I am trying to write a remote access module. Is there any function in Linux where I can give a string (password entered by user) and compare it with the actual user password stored in /etc/shadow? Since the password is stored encrypted in /etc/shadow I cannot parse and compare. So I want some method to compare if my user entered the correct password. Is there any function for that?

View 6 Replies View Related

Ubuntu Security :: Can Make New Algorithm For /etc/shadow

Aug 16, 2011

I use the SHA-512 algorithm in the /etc/shadow file, but I want to use my algorithm.

How can I remove the sha-512 and use my algorithm? Because no one can decrypt it! He does not know the algorithm method.

View 7 Replies View Related

Programming :: Create A Script That Returns A List Of The Users Who Have Never Changed Their Password From /etc/shadow

May 17, 2011

I need to create a script that returns a list of the users who have never changed their password from /etc/shadow. As I know on linux there is a command "chage" used for find last password change.

View 2 Replies View Related

Security :: Read Password From AES Encryption From Txt File?

Jan 18, 2011

I am fiddling around using an AES encrypted password which is stored in passwd.txt:

cat ../passwd/passwd.txt
{AES}yTMWTrdbuPtCxikvv5udVDTQ70anBVVKvP+GPQEH1RY=

Yet I like to interpret this password on the command line using svn checkout, so I do not have to type in my password (which is visible on the command line). Exporting the variable SVNPASS reading it from the passwd.txt ( export SVNPASS=`cat <../passwd/passwd.txt`) won't work obviously as it interprets it as "text", so my question is, if there is a proper way to interpret this stored AES password so I can read it from the file? The alternative is to type in the password on the command line, but this needs to be invisible, either showing #, * or "hidden".
The last option is described: http://www.tech-recipes.com/rx/278/h...-shell-script/

View 5 Replies View Related

Debian :: Password Hashes Under Debian?

Feb 21, 2011

By default, as far as I know, Debian hashes passwords using a single application of md5 and stores them in /etc/shadow. [EDIT: apparently true for at least some Debian 5.0.x Lenny installations. By default, Debian 6.0.x Squeeze apparently uses SHA-512 with a salt which is a publicly known 8 char string. MD-5 is generally agreed to be much too weak to use for cryptographic purposes; SHA-512 is thought to be much stronger. Even better would be to iterate the SHA-512 "hashing" many times. See the last page for how to do this, and how to check that it is working.]

But the md5 digest/hash is said to be insecure; several years ago a double application of sha256 digest / hash was said to be much better. Is there a way to implement that in Debian Squeeze?

View 14 Replies View Related

Fedora :: Find The Sha1/md5sum Hashes For Fedora14?

Feb 23, 2011

Where would I find the sha1/md5sum hashes for fedora14?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved