For sysadmins: I will give you an idea of how to test for weak passwords on several servers.
First, collect /etc/shadow from every server into a single directory ("passwordcheck") on your own machine and name each file after the server it came from.
I assume that you have a ssh key installed on your user account on all of your servers.
Insecure: the ssh commands below pass your sudo password on the command line, so they might give it away to other users (it ends up in your shell history and is visible in the process list while the command runs).
On your own machine, do:
mkdir ~/passwordcheck
cd ~/passwordcheck
for i in server1.rolfs.no server2.rolfs.no
do
    # sudo -S reads the password from stdin; each shadow file is saved under the server name
    ssh "$i" "echo \"YourSudoPassword\" | sudo -S cat /etc/shadow" | tee ~/passwordcheck/"$i"
done
Prepare before running John the ripper:
cd ~/passwordcheck/
cat * > huge-file.pwd    # run this once, before huge-file.pwd and john.pot exist in the directory
Then run john the ripper to find insecure passwords:
john huge-file.pwd
After running john for a while, it will have created a john.pot with the passwords it has found. Then it's time to find out which servers those passwords belong to. Here is an example script that makes this easy to see. It could also be extended to send mail warnings or alert the user in some other way.
# john.pot lines look like hash:password; newer John versions may write it to ~/.john/john.pot instead
while IFS= read -r line
do
    shadow=$(echo "$line" | cut -d: -f1)
    pass=$(echo "$line" | cut -d: -f2-)     # -f2- keeps passwords that themselves contain ':'
    # -F: the hash contains '$' and '.', which grep would otherwise treat as regex characters
    user=$(grep -F -- "$shadow" huge-file.pwd | cut -d: -f1)
    server=""
    for file in *
    do
        if [ "x$file" != "xhuge-file.pwd" -a "x$file" != "xjohn.pot" ]; then
            grep -F -q -- "$shadow" "$file" && server="$server $file"
        fi
    done
    echo "user: $user pass: $pass"
    echo "servers: $server"
    echo "shadow: $shadow"
    echo ....
done < john.pot
Here is an example of the output of running the script:
....
user: user1 pass: password
servers: server1.rolfs.no
shadow: $1$YjC9XoNj$Hkq3ExyqPLD/3Fk.Z5DCP/
....
user: user2 pass: password1
servers: server2.rolfs.no
shadow: $1$iqzoX.8W$0u/vt.eGC3HeMlUTauvYh1
....
You might run into problems if two or more users have identical shadow password strings, but I guess you will be able to sort that out.
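The same john.pot-to-server correlation as the script above, written as an added example (not the post's own script) that also handles the shared-hash case just mentioned: it reports every (server, user) pair separately instead of one merged line per hash, and it keeps cracked passwords that contain a ':' intact. The file layout (one shadow copy per server plus john.pot in the same directory) and the sample hashes are assumptions constructed for the demo.

```shell
# Added example, not the post's own script: join john.pot back to the
# per-server shadow copies with one awk pass per server instead of
# grepping each hash. Each (server, user) pair is printed on its own
# line, so two accounts sharing one hash string are both reported, and
# a cracked password that contains ':' is kept whole. Assumes the post's
# layout: one shadow copy per server plus john.pot in $shadowdir.

report_cracked() {
    potfile=$1
    shadowdir=$2
    for f in "$shadowdir"/*; do
        case "$f" in
            */john.pot|*/huge-file.pwd) continue ;;   # skip the work files
        esac
        awk -F: -v pot="$potfile" -v server="$(basename "$f")" '
            # pass 1 (john.pot): cracked[hash] = password, re-joining ":"
            FILENAME == pot {
                pw = $2
                for (i = 3; i <= NF; i++) pw = pw ":" $i
                cracked[$1] = pw
                next
            }
            # pass 2 (shadow copy): field 2 is the hash; report if cracked
            $2 in cracked { printf "%s %s %s\n", server, $1, cracked[$2] }
        ' "$potfile" "$f"
    done
}

# Constructed sample data (made-up hashes): one hash shared by user1/user2, one password with ':'
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/server1.example" <<'EOF'
root:$1$AAAAAAAA$bbbbbbbbbbbbbbbbbbbbbb:15000:0:99999:7:::
user1:$1$CCCCCCCC$dddddddddddddddddddddd:15000:0:99999:7:::
EOF
    cat > "$dir/server2.example" <<'EOF'
user2:$1$CCCCCCCC$dddddddddddddddddddddd:15000:0:99999:7:::
user3:$1$EEEEEEEE$ffffffffffffffffffffff:15000:0:99999:7:::
EOF
    cat > "$dir/john.pot" <<'EOF'
$1$CCCCCCCC$dddddddddddddddddddddd:password
$1$EEEEEEEE$ffffffffffffffffffffff:pa:ss
EOF
    echo "$dir"
}

sample=$(make_sample)
report_cracked "$sample/john.pot" "$sample"   # prints server1.example user1 password, and two more lines
rm -rf "$sample"
```

On real data, point report_cracked at ~/passwordcheck and the john.pot John actually wrote (some installs keep it in ~/.john/).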
If you just need to lock a user account, here is the command (run as root):
passwd -l username
0 Responses to “Run john the ripper on several servers / password files”