Differences between revisions 11 and 12
Revision 11 as of 2010-09-30 17:40:35
Size: 2517
Editor: 41
Comment:
Revision 12 as of 2010-09-30 17:52:13
Size: 2844
Editor: GreyCat
Comment: *sigh*
Line 11: Line 11:
Nonetheless, we get hordes of users asking how they can circumvent 35 years of Unix security. Nonetheless, we get hordes of users asking how they can circumvent 35 years of Unix security.  And we get people contributing their favorite security-removing "solutions" to this page. So, let's try to organize them a bit....
Line 13: Line 13:
You have a few choices. The first is to manually generate your own hashed password strings (for example, using http://wooledge.org/~greg/crypt/ or a similar tool) and then write them to your system's local password-hash file (which may be {{{/etc/passwd}}}, or {{{/etc/shadow}}}, or {{{/etc/master.passwd}}}, or {{{/etc/security/passwd}}}, or ...). This requires that you read the relevant man pages on your system, find out where the password hash goes, what formatting the file requires, and then construct code that writes it out in that format. === Construct your own hashed password and write it to some file ===
Line 15: Line 15:
The second is to use [[http://expect.nist.gov/|expect]]. I think it even has this ''exact'' problem as one of its canonical examples. The first approach involves constructing your own hashed password (DES, MD5, Blowfish, or whatever your OS uses) using nonstandard tools such as http://wooledge.org/~greg/crypt/ or Debian/Ubuntu's `mkpasswd` package. You would then write that hashed password, along with additional fields, in a line in your system's local password-hash file (which may be {{{/etc/passwd}}}, or {{{/etc/shadow}}}, or {{{/etc/master.passwd}}}, or {{{/etc/security/passwd}}}, or ...). This requires that you read the relevant man pages on your system, find out where the password hash goes, what formatting the file requires, and then construct code that writes it out in that format.
Line 17: Line 17:
The third is to use some system-specific tools which may or may not exist on your platform. For example, some GNU/Linux systems have a {{{newusers(8)}}} command specifically designed for this; or a {{{chpasswd(8)}}} tool which can be coerced into doing these sorts of things. Also try commands such as `apropos users` or `man -k account` to see what else might exist. Be creative. A minor variant of this involves using a system-specific tool to write the line for you, given the hashed password that you constructed. For example, on Debian/Ubuntu, we've been told that {{{useradd -m joe -s /bin/bash -p "$(mkpasswd "$password")"}}} might work.
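Review bot: in the added `useradd -m joe -s /bin/bash -p "$(mkpasswd "$password")"` example, the plain-text password is handed to mkpasswd as a command-line argument and the resulting hash to useradd through -p, so both sit in the process list where other local users can read them while the commands run. Suggest having mkpasswd read the password on standard input (its --stdin option) and stating next to the example that -p exposes the hash in the same way, since the paragraph otherwise reads as a recommendation.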
Line 19: Line 19:
A fourth option that works at least on linux (if not other systems) is {{{ echo "password" | passwd --stdin username }}}. Check your `passwd(1)` man page before using.
 ''GNU strikes again.'' -- GreyCat
=== Fool the computer into thinking you are a human ===
Line 22: Line 21:
A fifth option (for debian and ubuntu) is to use mkpasswd (make sure to first {{{ apt-get install mkpasswd }}} or you will be missing this binary). You then use the output from this binary together with '''useradd''''s -p option. For example: {{{ useradd -m joe -s /bin/bash -p `mkpasswd "123456"` }}}. The second approach is to use [[http://expect.nist.gov/|expect]] or its [[http://pexpect.sourceforge.net/pexpect.html|python equivalent]]. I think expect even has this ''exact'' problem as one of its canonical examples.

=== Find some magic system-specific tool ===

Finally, system-specific tools designed to do this may already exist on your platform. For example, some GNU/Linux systems have a {{{newusers(8)}}} command specifically designed for this; or a {{{chpasswd(8)}}} tool which can be coerced into doing these sorts of things. Or they may have a `--stdin` flag on their `passwd` command. Also try commands such as `apropos users` or `man -k account` to see what else might exist. Be creative.

I want to set a user's password using the Unix passwd command, but how do I script that? It doesn't read standard input!

OK, first of all, I know there are going to be some people reading this, right now, who don't even understand the question. Here, this does not work:

{ echo oldpass; echo newpass; echo newpass; } | passwd
# This DOES NOT WORK!

Nothing you can do in bash can possibly work. passwd(1) does not read from standard input. This is intentional. It is for your protection. Passwords were never intended to be put into programs, or generated by programs. They were intended to be entered only by the fingers of an actual human being, with a functional brain, and never, ever written down anywhere.

Nonetheless, we get hordes of users asking how they can circumvent 35 years of Unix security. And we get people contributing their favorite security-removing "solutions" to this page. So, let's try to organize them a bit....

Construct your own hashed password and write it to some file

The first approach involves constructing your own hashed password (DES, MD5, Blowfish, or whatever your OS uses) using nonstandard tools such as http://wooledge.org/~greg/crypt/ or Debian/Ubuntu's mkpasswd package. You would then write that hashed password, along with additional fields, in a line in your system's local password-hash file (which may be /etc/passwd, or /etc/shadow, or /etc/master.passwd, or /etc/security/passwd, or ...). This requires that you read the relevant man pages on your system, find out where the password hash goes, what formatting the file requires, and then construct code that writes it out in that format.

A minor variant of this involves using a system-specific tool to write the line for you, given the hashed password that you constructed. For example, on Debian/Ubuntu, we've been told that useradd -m joe -s /bin/bash -p "$(mkpasswd "$password")" might work.

Fool the computer into thinking you are a human

The second approach is to use expect or its Python equivalent. I think expect even has this exact problem as one of its canonical examples.

Find some magic system-specific tool

Finally, system-specific tools designed to do this may already exist on your platform. For example, some GNU/Linux systems have a newusers(8) command specifically designed for this; or a chpasswd(8) tool which can be coerced into doing these sorts of things. Or they may have a --stdin flag on their passwd command. Also try commands such as apropos users or man -k account to see what else might exist. Be creative.
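
As an added example (not part of the original FAQ), here is one way to drive chpasswd(8) from a script on systems that have it, so that the password reaches the tool on standard input and never appears in any command's argument list. The function names are hypothetical; it assumes chpasswd reads `user:password` records, one per line, as its man page on GNU/Linux systems describes.

```shell
#!/bin/sh
# Added example, not from the original FAQ. Function names are hypothetical.

# Build one "user:password" record in the format chpasswd(8) reads on stdin.
# Input that would corrupt the record is rejected: a colon or newline in the
# user name shifts the field boundary, and a newline in the password would be
# read as the start of another record.
chpasswd_record() {
    cr_user=$1
    cr_pass=$2
    cr_nl='
'
    case $cr_user in
        '' | *:* | *"$cr_nl"*) echo "invalid user name" >&2; return 1 ;;
    esac
    case $cr_pass in
        '' | *"$cr_nl"*) echo "invalid password" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$cr_user" "$cr_pass"
}

# Set the password (needs root). The secret travels only through a pipe;
# printf is a builtin in bash and dash, so no process is started with the
# password in its argument list.
set_password() {
    sp_record=$(chpasswd_record "$1" "$2") || return 1
    printf '%s\n' "$sp_record" | chpasswd
}

# Read the new password from standard input instead of taking it as an
# argument, e.g.:  set_password_from_stdin joe < /root/joe.secret
# (the file path is a placeholder; keep such a file readable by root only).
set_password_from_stdin() {
    IFS= read -r sps_pass || [ -n "$sps_pass" ] || return 1
    set_password "$1" "$sps_pass"
}
```
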

See also FAQ #69.

BashFAQ/078 (last edited 2023-06-07 16:48:20 by larryv)