Attached is a CLI script that lets a root user change an OpenVAS user
account's password. It only updates the stored password hash; it does not
handle certificate-based authentication. The script is essentially a cut-down
copy of the openvas-adduser procedure.
It seems odd that, for a security product, OpenVAS passwords can be trivially
simple: no complexity rules are enforced. Complexity rules could be added to
this script, but I have not tracked down what the web interface applies (I
cannot get a response from the web GUI's Administration->Users page ... sigh).
If complexity rules are to be enforced, then at a minimum both this script and
openvas-adduser need to be changed, since either one can set a password.
#!/bin/sh
#-----------------------------------------------------------------------------
# Name: openvas-chgpass
# Status: beta
# Date: 1/16/13
# Description: CLI to change the password on an openvassd application
# account. Does not handle cert authentication changes.
#
#
#-----------------------------------------------------------------------------
# Installation layout; adjust if openvassd was installed under another prefix.
bindir=/usr/bin
sbindir=/usr/sbin
datadir=/usr/share
# One sub-directory per account lives here; the password hash is written to
# <account>/auth/hash beneath it.
openvas_users_dir=/var/lib/openvas/users

# Make the openvas binaries and the usual OpenSSL locations reachable. They are
# appended, so system directories still take precedence. The script runs as
# root and later sources gettext.sh from PATH, so these directories should not
# be writable by anyone but root.
export PATH="$PATH:$sbindir:$bindir:/usr/ssl/bin:/usr/local/ssl/bin:/opt/ssl/bin"

# Every file created from here on (the hash file in particular) is owner-only.
umask 066
# Work out how to print a prompt without a trailing newline. Some shells'
# builtin echo treats "-n" as ordinary text; in that case the "\c" escape is
# used instead. Xn/Xc are consumed by every prompt below.
if [ "X$(echo -n)" = "X-n" ]; then
  Xn=
  Xc='\c'
else
  Xn=-n
  Xc=
fi
# Localisation: use gettext.sh when the installation provides it, otherwise
# fall back to identity functions so messages are printed as written.
# NOTE(review): gettext.sh is looked up through PATH (extended above with
# optional OpenSSL directories) and sourced as root; make sure nothing on that
# PATH is writable by other users.
if GETTEXT=$(command -v gettext.sh); then
  . "$GETTEXT"
  export TEXTDOMAIN=openvas-scripts
  export TEXTDOMAINDIR="$datadir/locale"
else
  # Print the message unchanged, without a trailing newline.
  gettext () {
    echo $Xn "$1" $Xc
  }
  # Expand $variables inside the message, mirroring the real eval_gettext.
  # NOTE(review): this runs the message through eval, so only literal message
  # strings may ever be passed to it (the script itself never calls it).
  eval_gettext () {
    eval_gettext_var="echo $1"
    echo $Xn $(eval $eval_gettext_var) $Xc
  }
fi
# Pick an MD5 command. The digest of "x\n" is checked against a known value so
# that a tool printing an unexpected format is rejected. The later seed and
# hash computations take awk field $1, so the digest must be the first field of
# the output: newer OpenSSL prints "(stdin)= <digest>" and therefore falls
# through to md5sum. Do not loosen this match without changing those callers.
md5_is_known () {
  case $1 in
    401b30e3b8b5d629635a5c613cdb7919|401B30E3B8B5D629635A5C613CDB7919) return 0 ;;
  esac
  return 1
}
X=$(echo x | openssl md5)
if md5_is_known "$X"; then
  MD5CMD="openssl md5"
else
  X=$(echo x | md5sum | awk '{print $1}')
  if md5_is_known "$X"; then
    MD5CMD=md5sum
  else
    gettext "No MD5 algorithm found in the current path!"; echo
    gettext "Please make sure either openssl or md5sum is available!"; echo
    exit 1
  fi
fi
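# The account store must exist and hold at least one entry. A glob is used
# instead of parsing `ls` output: `ls dir/*` with a single, empty sub-directory
# prints nothing, so an account directory with no files would wrongly be
# reported as "no accounts".
if [ ! -d "${openvas_users_dir}" ]; then
  gettext "No openvassd user accounts directory"; echo
  exit 1
fi
have_account=
for entry in "${openvas_users_dir}"/*; do
  # An unmatched glob stays literal, so make sure the entry really exists
  # (-L keeps dangling symlinks, which ls would have listed as well).
  if [ -e "$entry" ] || [ -L "$entry" ]; then
    have_account=y
    break
  fi
done
if [ -z "$have_account" ]; then
  gettext "No openvassd user accounts"; echo
  exit 1
fi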
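# Here we go: show the accounts and ask which one to change.
echo
gettext "Change password for openvassd user"; echo
gettext "List of openvassd login users"; echo
ls "$openvas_users_dir"
echo "---------------------------------"
echo
ok=$(gettext "n")
while [ "$ok" = "$(gettext "n")" ]; do
  echo $Xn "$(gettext "Login :") $Xc"
  # -r keeps the typed name literal (no backslash processing); abort on EOF or
  # an empty line instead of looping.
  if ! read -r login || [ -z "${login}" ]; then
    gettext "No input, exiting."; echo
    exit 1
  fi
  # The name becomes a path component ($openvas_users_dir/$login/auth/hash),
  # so refuse anything that could leave the account store: a slash, or the "."
  # and ".." entries. The operator is already root, so this guards against
  # typos writing a hash file somewhere else; it is not a privilege boundary.
  case $login in
    */* | . | ..) found= ;;
    *) if [ -d "$openvas_users_dir/$login" ]; then found=y; else found=; fi ;;
  esac
  if [ -z "$found" ]; then
    gettext "This login (${login}) does not exist. Choose another one."; echo
  else
    ok=$(gettext "y")
  fi
done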
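askPasswd=$(gettext "Login password :")
askPasswdAgain=$(gettext "Login password (again) :")
sayPasswd=$(gettext "Password :")
# Terminal echo is switched off while the password is typed. If the user
# interrupts in between, restore it before exiting; otherwise the terminal is
# left with echo disabled.
trap 'stty echo 2>/dev/null; exit 130' INT TERM
# NOTE: no complexity rule is enforced here, matching openvas-adduser; only an
# empty password and a mismatch are rejected.
ok="n"
while [ "$ok" = "n" ]; do
  echo $Xn "$askPasswd $Xc"
  stty -echo
  # -r: a backslash in the password is part of the password, not an escape.
  # Without it the hash would be computed over a value the user never typed.
  read -r password
  echo
  echo $Xn "$askPasswdAgain $Xc"
  read -r password_again
  stty echo
  echo
  if [ -z "$password" ]; then
    gettext "Your password can not be empty."; echo
  elif [ "$password" != "$password_again" ]; then
    gettext "Passwords do not match!"; echo
  else
    ok="y"
  fi
done
trap - INT TERM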
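# Build a random seed. /dev/urandom is the real entropy source; date/df/ls are
# the legacy mixing inputs inherited from openvas-adduser and add little.
# $SEED may already be set in the environment on its first use here; it is
# only mixed in, never used on its own.
test -c /dev/urandom &&
{
  URANDOM=$(dd if=/dev/urandom bs=16 count=16 2>/dev/null | $MD5CMD)
}
SEED=$( (echo $SEED; date; df; ls -l; echo $URANDOM) | $MD5CMD | awk '{print $1}')
# Hash exactly the bytes seed||password with no newline. printf replaces the
# former unquoted `echo $Xn $SEED$password$Xc`: echo would word-split and
# glob-expand the password (a password containing "*" or runs of spaces hashed
# to the wrong value) and some sh builtins interpret backslash sequences.
# The stored line is "<md5> <seed>"; presumably openvassd recomputes
# MD5(seed||password) on login - confirm against the server before relying on
# this for passwords with shell metacharacters. A single unsalted-strength MD5
# round is weak by today's standards, but the format is the server's.
H=$(printf '%s' "$SEED$password" | $MD5CMD | awk '{print $1}')
unset password password_again
hash_file="$openvas_users_dir/$login/auth/hash"
# Do not report success when the write failed (e.g. a missing auth/ directory
# or a read-only filesystem); the old script exited 0 regardless.
if ! echo "$H $SEED" > "$hash_file"; then
  gettext "Could not write ${hash_file}."; echo
  exit 1
fi
gettext "Openvassd user (${login}) password changed."; echo
exit 0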