Npasswd Administration Guide
More about password checking

Npasswd subjects password candidates to a series of guessability tests. The password is accepted only if it passes all of them.

Which tests are used and the order of application is customizable in the configuration file. Some tests are mandatory, and others optional (as noted below).

The password tests are:

History

Lexical

Local

Passwd

Dictionary


More about dictionaries

Crack, the most popular password guessing program, makes extensive use of word collections. Each word is permuted in various ways, encrypted and compared to the target ciphertext. The more words that Crack has available, the more passwords it will guess.

The primary function of npasswd is to frustrate bad guys running Crack. To this end, some of Crack has been incorporated into npasswd.

Dictionaries are a set of hash files optimized for fast lookup. They are constructed from word lists, which are text files with one word per line. The dictionary hash files are created with makedict, which produces files with the suffixes .pwd, .pwi and .hwm. The hash files are probably not portable between CPU architectures, and take up more disk space than their source data.

The dictionary hash files normally live in the dictionary directory (@NPASSWD-DICT@), but can be placed elsewhere and pointed to in the configuration file. Multiple dictionary directories can be given.

To make a dictionary accessible to npasswd, copy the hash files (or make symlinks) into the appropriate directory. The files should be world-readable. Npasswd will reject any dictionary with a world-writable hash file.

You can have numerous dictionaries, each generated from a distinct group of words (the suggested way), or one large dictionary.

The more dictionary words available to npasswd, the fewer passwords it will accept. The passwords it does accept will be harder (but not impossible) to guess. The downside is that users may get more frustrated trying to think up acceptable passwords.

There is more about password checking and dictionaries in the Questions And Answers.


Dictionary management examples

To convert a Crack dictionary:

crack-directory/xdawg crack-dictionary-name      (without the '.dwg' extension)
@NPASSWD-UTIL@/makedict -o new-dictionary crack-dictionary-name

To make a new dictionary:

@NPASSWD-UTIL@/makedict -o new-dictionary list-1 ... list-n

To add words to an existing dictionary:

@NPASSWD-UTIL@/makedict -o existing-dictionary -m existing-dictionary list-1 ... list-n

To remove a dictionary:

rm -f dict-name.hwm dict-name.pwd dict-name.pwi

To view the contents of a dictionary:

@NPASSWD-UTIL@/unpacker dict-name | more


More about password history

The password history mechanism controls password reuse. If the history mechanism is active, npasswd fetches the password history for a user and compares the candidate to the active passwords in the history. A password is active if it is younger than the age limit and within the depth limit.

The age and depth limits can be set in the configuration file.

The history mechanism is inactive unless the database file(s) exist. The installation process does not create the database. Use the history_admin utility to create and manage the database.

Security considerations

By default the history database file(s) are created read-write only by owner (typically root). This is done to shield the old passwords from public view, even though npasswd accepted them, so they should be less susceptible to being guessed.

For other programs to access the history database (e.g. checkpassword) they may need to run as root. It is not advisable to install checkpassword as set-uid to root (though it will behave properly). A suggested solution is below.

Special considerations for clusters

If npasswd is being used on a member of a cluster which shares a password file, the password history database must be in a directory which the other cluster members mount and can write to, preferably with root access.

An alternative is to make the history database owned by a non-root user (this works around NFS root access issues). In that case, npasswd will attempt to use setreuid(2) to temporarily change its effective uid to the owner of the database to update it.

Here is how to change the ownership of the history database:
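As an added example, not part of the original guide, the following POSIX shell functions apply the ownership change described above and audit the file modes the guide expects: dictionary hash files (the .pwd, .pwi and .hwm triple) must be world-readable and never world-writable, and the history database must be readable and writable only by its owner. The paths and the owner name are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of npasswd: audit the file modes this guide expects.
# Paths and the owner name are caller-supplied assumptions.
# Print "<mode-string> <numeric-uid>" for a path, e.g. "-rw-r--r-- 0".
file_mode_uid() {
    ls -ldn "$1" | awk '{print $1, $3}'
}

# check_dictionary DIR NAME: 0 if NAME.pwd, NAME.pwi and NAME.hwm all exist in
# DIR, are world-readable and none is world-writable (npasswd rejects those).
check_dictionary() {
    dir=$1 name=$2 status=0
    for suffix in pwd pwi hwm; do
        f="$dir/$name.$suffix"
        if [ ! -f "$f" ]; then
            echo "$f: missing" >&2; status=1; continue
        fi
        set -- $(file_mode_uid "$f")
        case $1 in
            ????????w*) echo "$f: world-writable, npasswd will reject this dictionary" >&2
                        status=1 ;;
        esac
        case $1 in
            ???????r*) ;;
            *) echo "$f: not world-readable" >&2; status=1 ;;
        esac
    done
    return $status
}

# check_history_db PATH OWNER: 0 if PATH exists, belongs to OWNER (name or uid)
# and is mode 0600, i.e. readable and writable by that owner only.
check_history_db() {
    f=$1 want=$2
    want_uid=$(id -u "$want" 2>/dev/null || echo "$want")
    [ -f "$f" ] || { echo "$f: missing, history mechanism is inactive" >&2; return 1; }
    set -- $(file_mode_uid "$f")
    [ "$2" = "$want_uid" ] || { echo "$f: owned by uid $2, expected $want_uid" >&2; return 1; }
    case $1 in
        -rw-------*) return 0 ;;
        *) echo "$f: mode $1, expected -rw-------" >&2; return 1 ;;
    esac
}

# set_history_owner PATH USER: give the database to a non-root user and close it
# to everyone else (run as root; npasswd then updates it via setreuid(2)).
set_history_owner() {
    chown "$2" "$1" && chmod 600 "$1" && check_history_db "$1" "$2"
}
```

Run check_dictionary for each name under @NPASSWD-DICT@ and check_history_db against @NPASSWD-HIST@ from the same cron job that runs the history_admin purge.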


Password history maintenance

The history database requires periodic maintenance. Old and excess passwords, and entries for users no longer in the password file, need removing. Periodically (weekly or monthly), run history_admin from cron. Make this purge a part of what is done upon deleting users from the password file.


History management examples

To create the default database:

history_admin load < /dev/null

To populate an alternate DBM database from a file:

history_admin -m dbm -f /tmp/new-history -i test-data load

To purge the default database with the default limits:

history_admin -l purge

To ignore the configuration file settings:

history_admin -c /dev/null ...


Files Installed

The following files and directories are installed as part of npasswd. All of these files (except the configuration file) can be relocated by directives in the configuration file.

The path @NPASSWD-HOME@ can be changed by re-running Configure.

Default location                 What it is

@NPASSWD-HOME@                   Directory where all the parts live
@NPASSWD-XBIN@                   Directory where vendor utilities are saved
@NPASSWD-DICT@                   Main repository for hashed dictionary files
@NPASSWD-DOCS@                   Directory for npasswd documentation
@NPASSWD-UTIL@                   Directory for miscellaneous programs
@NPASSWD-HOME@/passwd.conf       The npasswd configuration file
@NPASSWD-HOME@/chfn.help
@NPASSWD-HOME@/chfn.motd         Help and message-of-the-day for the chfn sub-program
@NPASSWD-HOME@/chsh.help
@NPASSWD-HOME@/chsh.motd         Help and message-of-the-day for the chsh sub-program
@NPASSWD-HOME@/passwd.help
@NPASSWD-HOME@/passwd.motd       Help and message-of-the-day for the passwd sub-program
@NPASSWD-HIST@                   Password history database





Clyde Hoover
Academic Computing Services and Instructional Technology Services
The University of Texas at Austin
Copyright 1998, The University of Texas at Austin. All rights reserved.