RE: securite et default users

Aubin Stephane Thu, 18 Jan 2001 11:37:44 -0800
Merci

c'est plus clair.

stef

> Mais comment savoir si ils ont un password (et lequel). Si il y a un

Je crois qu'on va faire un exemple pratique:

Compte bloqué:
   defian:/home/schaefer# passwd -S uucp
   uucp L 08/17/1999 0 99999 7 -1

   defian:/home/schaefer# egrep uucp /etc/shadow /etc/passwd
   /etc/shadow:uucp:*:10820:0:99999:7:::
   /etc/passwd:uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh

Compte actif, avec un mot de passe:
   defian:/home/schaefer# passwd -S bsmtp
   bsmtp P 01/18/2001 0 99999 7 -1

   defian:/home/schaefer# egrep bsmtp /etc/shadow /etc/passwd
   /etc/shadow:bsmtp:Os7K58BCXvU1c:11340:0:99999:7:::
   /etc/passwd:bsmtp:x:1004:1004:BSMTP test user,,,:/home/bsmtp:/bin/bash

Maintenant sabotons ce compte en introduisant, dans le champ du mot de
passe, un caractère ne figurant pas dans l'alphabet considéré (cf plus
bas), p.ex l'étoile (on plus on change le nombre de caractères).

   defian:/home/schaefer# passwd -S bsmtp
   bsmtp L 01/18/2001 0 99999 7 -1

Maintenant remettons un mot de passe et utilisons l'option -l de passwd:

   defian:/home/schaefer# passwd -l bsmtp
   Password changed.
   defian:/home/schaefer# passwd -S bsmtp
   bsmtp L 01/18/2001 0 99999 7 -1
   defian:/home/schaefer# egrep bsmtp /etc/shadow /etc/passwd
   /etc/shadow:bsmtp:!RwUttjcgBIpoI:11340:0:99999:7:::
   /etc/passwd:bsmtp:x:1004:1004:BSMTP test user,,,:/home/bsmtp:/bin/bash

PS: travail laissé à l'auditoire: casser le mot de passe de l'utilisateur
    bsmtp. Avec Crack cela doit pouvoir se faire assez vite.

cf man 5 passwd

      [ ... ]
      The password field may not be filled if  shadow  passwords
      have  been  enabled.   If shadow passwords are being used,
      the encrypted password will be found in /etc/shadow.   The
      encryped  password  consists  of 13 characters from the 64
      character alphabet a thru z, A thru Z, 0 thru 9, . and  /.
      Refer to crypt(3) for details on how this string is inter
      preted.
      [ ... ]

      (donc p.ex. * n'est pas un caractère valide).

   man 5 shadow

      [ ... ]
      The  password field must be filled.  The encryped password
      consists of 13 to 24  characters  from  the  64  character
      alphabet  a thru z, A thru Z, 0 thru 9, . and /.  Refer to
      crypt(3) for details on how this string is interpreted.
      [ ... ]

   man 1 passwd

      [ ... ]
      Account maintenance
          User  accounts  may be locked and unlocked with the -l and
          -u flags.  The -l option disables an account  by  changing
          the   password  to  a  value  which  matches  no  possible
          encrypted value.  The -u option re-enables an  account  by
          changing the password back to its previous value.
      [ ... ]
      The  account  status may be given with the -S option.  The
      status information consists of 6 parts.   The  first  part
      indicates  if the user account is locked (L), has no pass
      word (NP), or has a usable password (P).  The second  part
      gives the date of the last password change.  The next four
      parts are the minimum age, maximum  age,  warning  period,
      and inactivity period for the password.
      [ ... ]

--
http://www-internal.alphanet.ch/linux-leman/ avant de poser
une question.

--
http://www-internal.alphanet.ch/linux-leman/ avant de poser
une question.
RE: securite et default users

Répondre à
