Security Incidents mailing list archives
Re: FW: 33 character encrypted passwords in /etc/shadow
From: Paul Gear <paulgear () bigfoot com>
Date: Sat, 29 Jun 2002 10:13:11 +1000
Mike Denka wrote:
Thanks for all the responses to my original query. It's pretty clear that I missed the md5 encryption on newer versions of Red Hat which is what got me sweating in the first place. Thanks also for all the suggestions for checking file integrity on Red Hat machines. Looks like rpm verification and tripwire are the only options next to having a non-connected machine with a fresh install somewhere to compare against. Too bad. Not that those are terrible options, but the Solaris Fingerprint database (http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl) is a great tool. Maybe someday we'll have similar tools for our favorite open source O/S's.

Mike
Mike,

An MD5 checksum of the files is exactly what rpm -V does. All you have to do to get the same effect is keep a copy of your package files on read-only media (i.e. burn a CD and keep it in the machine), and run rpm -Vp against it from cron each night. Obviously you'll have to update the CD each time a package is updated in the errata. A CD-RW disk would probably be good for this purpose (making sure it's mounted in a CD-ROM drive, not a burner) - as a matter of fact, I might try that next time I get a chance. :-)

A simple workaround to Stephen's suggestion that the rpm command could have been modified is to keep a (preferably statically-linked) copy of the rpm executable on the CD and run that instead of the copy in /bin. Obviously, someone could remove your script from the cron configuration if the system was compromised, but there's no way of avoiding that.

Regards,
Paul
-----Original Message-----
From: Stephen Smoogen [mailto:smoogen () lanl gov]
Sent: Friday, June 28, 2002 9:42 AM
To: Mike Denka
Cc: incidents () securityfocus com
Subject: Re: 33 character encrypted passwords in /etc/shadow

If the 33 character passwords look like:

    $1$blahblahblahblahblah

then the passwords are using MD5sum instead of old DES passwords. Depending on the version of Red Hat Linux you are running, this can come from using the authconfig command and turning on MD5sum passwords. If the password is in the form of

    $2$blahblahblahblahblah

then it is a blowfish algorithm which I think only OpenBSD supports currently (but my data is old on this).

The simplest way of checking your machine on Red Hat is to do an rpm -Va and look at the output. This checks the binaries on the system with what was listed in the RPM database. This is a very simple check and prone to being gotten around by good crackers. The next is to do the following: if the machine has a cdrom and you have the original media, mount the cdrom and do the following:

    rpm -Vp <name of RPM package on cdrom>   # to see if they played with RPM

so on my 7.3 machine:

    smoogen:{RPMS}$ rpm -qf /usr/bin/passwd
    passwd-0.67-1
    root:{RPMS}# rpm -Vp passwd-0.67-1.i386.rpm

This will give you assurance that the packages as installed from Red Hat Linux are there. However it will not tell you about packages/files that aren't in the RPM database, or if the rpm command itself had been altered.
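The two checks discussed in this thread, as an added example that is not code from any of the posts: Stephen's point about reading the hash prefix in /etc/shadow ($1$ for MD5-crypt, $2$ for Blowfish, 13 characters for traditional DES), and Paul's nightly rpm -Vp run using a trusted rpm binary kept on read-only media. The $5$/$6$ SHA-crypt prefixes are a later addition and are included here as a generalization. The media layout ($MEDIA/bin/rpm for the static rpm copy, $MEDIA/RPMS/*.rpm for the package files) and all function names are assumptions of this example; the rpm -V output format parsed here (attribute string, optional file-type letter, path, or the word "missing") is rpm's documented format.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks the posts describe:
#   1. classify the hash field of /etc/shadow entries by prefix ($1$ = MD5-crypt,
#      $2$ = Blowfish/bcrypt, 13 chars = traditional DES); $5$/$6$ are later
#      SHA-crypt prefixes added here as a generalization.
#   2. run a trusted rpm binary from read-only media against the package files on
#      that media (rpm -Vp) and report files whose MD5 digest differs or are missing.
# Assumed layout (not from the thread): $MEDIA/bin/rpm (static rpm) and $MEDIA/RPMS/*.rpm.

classify_hash() {
    # $1 = hash field of one shadow entry; prints an algorithm name
    case "$1" in
        '')                               echo "empty" ;;
        '!'*|'*'*)                        echo "locked" ;;
        '$1$'*)                           echo "md5-crypt" ;;
        '$2$'*|'$2a$'*|'$2b$'*|'$2y$'*)   echo "bcrypt" ;;
        '$5$'*)                           echo "sha256-crypt" ;;
        '$6$'*)                           echo "sha512-crypt" ;;
        '$'*)                             echo "unknown-modular" ;;
        *) if [ "${#1}" -eq 13 ]; then echo "des-crypt"; else echo "unrecognized"; fi ;;
    esac
}

classify_shadow() {
    # Reads shadow-format lines (user:hash:lastchg:...) on stdin;
    # prints "user<TAB>algorithm<TAB>hash-length" per entry. Anything reported as
    # "unknown-modular" or "unrecognized" deserves a closer look.
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        printf '%s\t%s\t%s\n' "$user" "$(classify_hash "$hash")" "${#hash}"
    done
}

md5_mismatches() {
    # Reads `rpm -V` output on stdin. Each line is an attribute string (S M 5 D L U G T ...),
    # an optional file-type letter (c, d, g, l, r) and the path; "missing" means the file is gone.
    # Prints "changed <path>" when column 3 ('5', MD5 digest) is set and "missing <path>" for
    # missing files; other differences (mtime only, mode) are ignored here.
    while read -r flags rest; do
        case "$rest" in [cdglr]' '/*) rest=${rest#* } ;; esac
        case "$flags" in
            missing) printf 'missing %s\n' "$rest" ;;
            ??5*)    printf 'changed %s\n' "$rest" ;;
        esac
    done
}

verify_from_media() {
    # $1 = mount point of the read-only media (default /mnt/cdrom).
    # Returns 0 when no package shows a digest mismatch or missing file, 1 otherwise, 2 on setup errors.
    media=${1:-/mnt/cdrom}
    rpm_bin="$media/bin/rpm"
    [ -x "$rpm_bin" ] || { echo "trusted rpm not found at $rpm_bin" >&2; return 2; }
    status=0
    for pkg in "$media"/RPMS/*.rpm; do
        [ -e "$pkg" ] || { echo "no package files under $media/RPMS" >&2; return 2; }
        # rpm -V exits non-zero whenever anything differs, so just filter its output
        findings=$("$rpm_bin" -Vp "$pkg" 2>&1 | md5_mismatches)
        if [ -n "$findings" ]; then
            printf '== %s\n%s\n' "${pkg##*/}" "$findings"
            status=1
        fi
    done
    return $status
}

# Example cron entry (run by root, media mounted read-only, assumed file name integrity.sh):
#   0 3 * * *  . /mnt/cdrom/bin/integrity.sh; classify_shadow < /etc/shadow; verify_from_media /mnt/cdrom
```

The rpm -Vp check only compares installed files against the digests recorded in the package file's header, so the package files on the media must themselves come from trusted vendor media or errata, and, as both posts note, files that belong to no package are never examined. Running the rpm copy from the media addresses a trojaned /bin/rpm, but a compromised kernel or libc can still lie to it, and the cron entry itself can be removed; treat a clean run as evidence, not proof.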