Frequent Advisor
tempsample
Posts: 100
Registered: ‎06-20-2013
Message 1 of 16 (1,023 Views)
Accepted Solution

password encryption

I was successful in encrypting the password in v3 using

 

/usr/sbin/usermod -p $(perl -e"print crypt('user1123','xxxxxxxx')") -F testid19

 

but -p option is available only in HP-UX 11 i v3.

 

but i have to change user password in HP-UX 11i v1 and v2.

 

Is there any option ???

Honored Contributor
Patrick Wallek
Posts: 13,786
Registered: ‎06-21-2000
Message 2 of 16 (1,020 Views)

Re: password encryption

On HP-UX 11.11 and 11.23 try using the /usr/sam/lbin/usermod.sam command.

 

The syntax is a bit different, but it will still work.

 

# ./usermod.sam -?
Unrecognized Option '?'
Usage: usermod.sam [-p <passwd> [-u <uid> [-o]] [-g <group> [-G <group>[,<group...> [-d <dir> [-m]] [-s <shell>] [-c <comment>] [-f <inactive>] [-e <expire>] [-l <new logname>] <login>

 

Where the '-p <passwd>' is the encrypted password.  For example:

 

# /usr/sam/lbin/usermod.sam -p abc123 pwallek

 

# cat /tcb/files/auth/p/pwallek
pwallek:u_name=pwallek:u_id#122:\
:u_pwd=abc123:\
:u_auditid#48:\
:u_auditflag#1:\
:u_succhg#1364840922:u_suclog#1364840930:u_suctty=pts/ta:u_unsuclog#1364840900:\
:u_unsuctty=pts/ta:u_lock@:chkent:

 

And notice that my encrypted password is now abc123.

 

 

Frequent Advisor
tempsample
Posts: 100
Registered: ‎06-20-2013
Message 3 of 16 (1,015 Views)

Re: password encryption

HI

 

 

I have tried using the below and was successful, but I am not sure what is the use of 66 in the password.

 

#export user=testuser
# export pass=testuser66
# /usr/sam/lbin/usermod.sam -p `echo $pass | /usr/lbin/makekey` $user

 

Without using 66 in the password, I am not successful.

 

what is the use of 66 ?

Frequent Advisor
tempsample
Posts: 100
Registered: ‎06-20-2013
Message 4 of 16 (1,014 Views)

Re: password encryption

Hi

 

/usr/sam/lbin/usermod.sam -p abc123 pwallek

 

but when i tried above option, the password is not getting encrypted and when i check the status with passwd -s username,still user account is locked.

 

I am not using trusted system.

Frequent Advisor
tempsample
Posts: 100
Registered: ‎06-20-2013
Message 5 of 16 (1,010 Views)

Re: password encryption

Hi

 

 

#/usr/sam/lbin/usermod.sam -p abc123 testuser
# passwd -s testuser

testuser  LK    06/20/13    0  91

 

 

password status is still locked.

 

I am not able to login.

Honored Contributor
Patrick Wallek
Posts: 13,786
Registered: ‎06-21-2000
Message 6 of 16 (1,007 Views)

Re: password encryption

In my post above, I said -- Where the '-p <passwd>' is the encrypted password.

 

You have to pass the encrypted password to the command.  This command does NOT encrypt the password for you.

 

My example with my id was to show that the string passed to the '-p' option would show up EXACTLY the same in the password field which means NO encryption is done. 

Frequent Advisor
tempsample
Posts: 100
Registered: ‎06-20-2013
Message 7 of 16 (990 Views)

Re: password encryption

# /usr/sam/lbin/usermod.sam -p `echo ABcd@123466 | /usr/lbin/makekey` testuser

 

What is the use of 66 in the password field?

 

 

when i leave out 66,i am not successful .

 

and when i use 66 in password field ,i am successful and the password set is ABcd@1234

 

but 66 is not taken into the password field.

 

what is the reason.

 

 

 

 

Acclaimed Contributor
Dennis Handly
Posts: 25,274
Registered: ‎03-06-2006
Message 8 of 16 (983 Views)

Re: password encryption (makekey)

>echo ABcd@123466 | /usr/lbin/makekey

 

makekey(1) says the first 8 chars are the password and the next two are the salt.

Frequent Advisor
tempsample
Posts: 100
Registered: ‎06-20-2013
Message 9 of 16 (979 Views)

Re: password encryption (makekey)

HI Dennis,

 

 

I do read the man page .. Thanks for info.

 

But my problem is, I am trying to change the password by script.

 

USERNAME=$1
PASSWD=$2

echo "------------------------------------------------------------" >> ${PWD2LOG}
echo "Start : `date +\"%Y/%m/%d %H:%M:%S\"` \n" >> ${PWD2LOG}

WORKDAY=`date +%Y%m%d`

echo "User : ${USERNAME}   Pass : ${PASSWD}\n" >> ${PWD2LOG}
#echo $USERNAME
#echo $PASSWD
#sleep 5
if [ "${USERNAME}" != "" ];then
    if [ "${PASSWD}" != "" ];then

        echo "Crypting the given password"  >> ${PWD2LOG}

        #/usr/sbin/usermod -p $(perl -e"print crypt('$PASSWD','xxxxxxxx')") -F $USERNAME

        /usr/sam/lbin/usermod.sam -p `echo $PASSWDlb | /usr/lbin/makekey` $USERNAME

        if [ $? != 0 ];then
            echo "\nERROR. PASSWD change faild" >> ${PWD2LOG}
            echo "return 1" >> ${PWD2LOG}
            RTNCODE=1
            echo  "`hostname`: ERROR. PASSWD change failed"
        else
            echo  "\n Passwd Set OK." >> ${PWD2LOG}
            echo "return 0" >> ${PWD2LOG}
            #RTNCODE=0
            echo  "`hostname`: Passwd Set OK." >> ${PWD2LOG}
            RTNCODE=0
            #echo "0"
        fi
    else
        echo  "\nERROR.  PASSWD param not set" >> ${PWD2LOG}
        echo "return 1" >> ${PWD2LOG}
        RTNCODE=1
        echo  "`hostname`: ERROR. PASSWD param not set"
    fi
else
    echo "\nERROR. USER param not set" >> ${PWD2LOG}
    echo "return 1" >> ${PWD2LOG}
    RTNCODE=1
    echo "`hostname`: ERROR. USER param not set"
fi
echo "\n End  : `date +\"%Y/%m/%d %H:%M:%S\"`" >> ${PWD2LOG}
echo "------------------------------------------------------------" >> ${PWD2LOG}
exit 0

 

 

in /usr/sam/lbin/usermod.sam -p `echo $PASSWDlb | /usr/lbin/makekey` $USERNAME

 

When I am executing it manually, I am successful and the account is able to log in to the server.

 

but when i am trying to use it across script,account is still locked.

 

I guess there is some mistake in exporting the password fields.

 

any suggestion to fix the issue.

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 10 of 16 (972 Views)

Re: password encryption

The traditional crypt(3C) Unix password encryption (= what the makekey command does) is technically known as a type of "salted hash".

 

The "salt" is a value used to modify the encryption process, to make it harder to reverse. The salt should usually be chosen randomly when the password is encrypted for storage.


The crypt(3C) algorithm takes a maximum of 8 characters as a password + 2 characters of salt.

So in your example, the password will be "ABcd@123", the salt will be "46" and the extra "6" at the end will simply be ignored.

(You could have replaced the "66" in your example with just "6" and still would have got the same result. The makekey command wants exactly 10 characters: if it gets less than that, it will fail. If it gets more than that, it gets the first 10 and ignores the rest.)

 

For each different salt value, the password will be encrypted in a different way. So it will be hard to confirm if someone else has the same password as you by simply comparing the encrypted passwords: if that other person has a different salt value, then the encryption result will be totally different, even if the actual password is the same.


Since the crypt(3C)-style password encryption is not effectively reversible, the password cannot be decrypted for checking. Instead, when the user enters his/her password into the password prompt at login, the user-entered password will also be encrypted, and then the encryption result will be compared with the stored encrypted password. But to make this comparison valid, the user-entered password must be encrypted using the same salt value as the stored password.

To make this possible, the salt must be stored unencrypted: it will be the first two characters in the encrypted password field.

 

I don't have a HP-UX system available at the moment, so I don't have the "makekey" command. But modern versions of OpenSSL also have a password encryption function, which handles several well-known password algorithms, including crypt(3C):

 

$ openssl passwd -crypt -salt 46 ABcd@123
46Qtr3Dtgy0u6

I think this is exactly the same as the value you got from the "makekey" command in your example, right?

As you can see, the salt appears unencrypted at the beginning of the encrypted result. This command makes it more obvious, as the salt must be entered using a separate option.

 

If the -salt option is not used, the "openssl passwd" command will choose the salt value randomly, so the encryption result will be different each time:

$ openssl passwd -crypt ABcd@123
S3oA559In3qHE
$ openssl passwd -crypt ABcd@123
4e.6PnvMJGuHo
$ openssl passwd -crypt ABcd@123
7S/umCxP4JdhM

 

 

MK
Frequent Advisor
tempsample
Posts: 100
Registered: ‎06-20-2013
Message 11 of 16 (969 Views)

Re: password encryption

Hi Matti,

 

 

Thanks for the suggestion.

 

I do understand your point,but i want to set the username and password to be same.

 

if i am going to create 10 users and for all 10 users username will be password.

 

From the above script, I can't export the value for the password field, that is $PASSWD.

 

To make the user active I have to use a salt value with the password, that is $PASSWD66, but I am not able to export the password field.

 

In v3, I don't have any problem,

 

/usr/sbin/usermod -p $(perl -e"print crypt('$PASSWD','xxxxxxxx')") -F $USERNAME

 

but in v2,

 

/usr/sam/lbin/usermod.sam -p `echo $PASSWDlb | /usr/lbin/makekey` $USERNAME

 

In the password field, I have included $PASSWDlb, but in the script I have exported it as PASSWD, so it is not matching.

 

Is there any solution to fix it?

Frequent Advisor
tempsample
Posts: 100
Registered: ‎06-20-2013
Message 12 of 16 (967 Views)

Re: password encryption

adding one more to the previous post :

 

/usr/sam/lbin/usermod.sam -p `echo ABcd1234lb | /usr/lbin/makekey` $USERNAME

 

currently i am setting ABcd1234 as password to all user,but i want to set username as password for all users .

 

 

 

 

Frequent Advisor
tempsample
Posts: 100
Registered: ‎06-20-2013
Message 13 of 16 (960 Views)

Re: password encryption

Does anyone have an idea how to crypt the password?

 

so that I can match to my script that i posted above in previous post

Frequent Advisor
tempsample
Posts: 100
Registered: ‎06-20-2013
Message 14 of 16 (959 Views)

Re: password encryption

i found the previous post posted by JRF under the subject name :Using Makekey and Usermod.sam

 

http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1252591

 

but i am not able to open it.

 

Can any one help me in opening the page.

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 15 of 16 (951 Views)

Re: password encryption

> /usr/sam/lbin/usermod.sam -p `echo $PASSWDlb | /usr/lbin/makekey` $USERNAME

 

The shell "thinks" you want to use the variable named PASSWDlb, not the variable named PASSWD.

 

Try this:

 

/usr/sam/lbin/usermod.sam -p `echo ${PASSWD}lb | /usr/lbin/makekey` $USERNAME

 

 

MK
Acclaimed Contributor
Dennis Handly
Posts: 25,274
Registered: ‎03-06-2006
Message 16 of 16 (944 Views)

Re: password encryption


>I found the previous post posted by JRF under the subject name: Using Makekey and Usermod.sam

 

It helps if you provide the URL:

http://h30499.www3.hp.com/t5/System-Administration/Using-Makekey-and-Usermod-sam/td-p/4431217

 

>Can any one help me in opening the page.
 
That URL is the previous incarnation of the forums and is gone forever but the post is somewhere.
You could do a google search for JRF's posts and likely words:
makekey usermod.sam site:h30499.www3.hp.com
 