Implementation Details
Installing, configuring, and using npasswd to improve password quality on systems running Solaris 2.x
 
Applies to the practices:
"Identify data that characterize systems and aid in detecting signs of suspicious behavior"
"Configure computers for user authentication."

Applicable technologies: Solaris 2.x UNIX operating system and derivatives 

Intruders commonly gain access to a computer system by logging into a legitimate account on that system. They frequently begin by obtaining a copy of the password file and then recovering passwords offline with a guessing tool such as crack (refer to ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack), which hashes dictionary words and their variations and compares the results against the stored password hashes. Once a password has been recovered, the intruder logs into the account and uses that system's resources for his or her own purposes.

To combat this type of intrusion, system managers should use one of the many tools written to improve the quality of the passwords selected by a system's users. Such tools make dictionary and rule-based guessing far less effective; they do not make guessing impossible, and on Solaris 2.x the traditional crypt(3) algorithm limits an effective password to eight characters regardless of what the user types.

npasswd (refer to http://www.utexas.edu/cc/unix/software/npasswd) is one such tool. Its purpose is to improve the quality of passwords selected by your users. This means - and in fact only means - that if your encrypted password information is stolen by an intruder, the process of determining the clear text equivalents of those encrypted passwords is made substantially harder. 

npasswd subjects each password candidate to the following series of tests:

     Test        Description
     History     This optional test defines how many previous passwords are
                 remembered so that used passwords are not reused too quickly.
     Lexical     This mandatory test verifies that a password meets the minimum
                 size and character composition requirements, checks for
                 excessive adjacent repeated characters, encourages character
                 diversity, and looks for easily guessed patterns such as US
                 Social Security and telephone numbers.
     Local       This optional test provides a framework for site-specific tests.
     Passwd      This mandatory test checks the candidate password against
                 variations of the information contained in the rest of the
                 password file entry (full name, login name, location
                 information, etc.).
     Dictionary  This mandatory test checks the candidate password against
                 words in the configured dictionaries. npasswd applies crack's
                 permutation rules to the candidate to see if the candidate
                 could be derived from a word in a dictionary.

Please note that npasswd, like any other password quality tool, does nothing against passwords captured by network sniffing. The only ways to mitigate sniffing are to use one-time passwords, to use an authentication scheme in which passwords do not traverse the network (e.g. Kerberos), or to ensure that all network traffic is encrypted.

This implementation describes the information necessary to download, configure, and use npasswd version 2.05 on Solaris, version 2.x. 


Preparation

The latest release of npasswd is available from:

http://www.utexas.edu/cc/unix/software/npasswd/dist/npasswd-2.05.tar.gz

A set of dictionaries is also available from: 

http://www.utexas.edu/cc/unix/software/npasswd/dist/npasswd-words.tar.gz

Optionally, if you wish to port npasswd to other software architectures, you also need 

http://www.utexas.edu/cc/unix/software/npasswd/dist/npasswd-2.05-developer.tar.gz 

Finally, if you do not have the BSD compatibility package installed, you need the GNU file utilities suite, available from:

ftp://gnu.mit.edu/pub/gnu/fileutils/fileutils-4.0.tar.gz

Ensure that you can meet installation requirements.

To build npasswd, you need:

  • Internet access to retrieve the software
  • An MD5 checksum program (refer to "Using MD5 to verify the integrity of file contents.")
  • gzip, or another program that can uncompress the downloaded .gz files
  • A C compiler; either the Sun C compiler or the free GNU C compiler
  • A Perl interpreter, but only if you are porting npasswd to other software architectures
  • The BSD compatibility package from Sun or, alternatively, the GNU file utilities package

Download the npasswd distribution

The latest release of npasswd is available from
http://www.utexas.edu/cc/unix/software/npasswd/dist/

Be certain to download the distribution onto a machine that you know to be free of compromise, so that the copy you build from cannot have been tampered with before you verify and compile it.

Verify the integrity of the npasswd distribution.

Verify the files you have just downloaded against the MD5 checksums listed below. Keep in mind what this check proves: the checksums were published alongside the distribution, so a match shows that the files you received are the ones the npasswd site publishes and were not corrupted or altered in transit; it does not by itself prove that the site's own copy is trustworthy, and MD5 is no longer considered collision resistant, so treat it as a transfer check rather than a strong guarantee of authenticity.

 
     File to Download               MD5 Checksum
     npasswd-2.05.tar.gz            7537c609be2c87149affdf77e2ca377f
     npasswd-words.tar.gz           50f1a9f5e30950187415099b9aae0652
     npasswd-2.05-developer.tar.gz  c7d789e5f0f49686a36916c9618a9dbb

If the computed checksum of a downloaded file does not match the value given above, verify that

  • your downloaded filenames match those listed
  • your checksum program computes MD5 message digests

and, if both are correct, discard the file and download it again rather than building from it.
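The verification step above can be scripted so that every archive is checked and a missing or altered file stops the procedure. The following POSIX shell script is an added example written for this page, not part of npasswd or of the original text; the file names and digests are copied from the checksum table above, while the function names and the fallback to Solaris digest(1) or openssl when md5sum is not available are this script's own choices.

```shell
#!/bin/sh
# Added example, not part of the npasswd distribution: verify the downloaded
# archives against the MD5 values published on this page. The file names and
# digests are taken from the table above; everything else is this script's own.

# md5_of FILE: print the MD5 digest of FILE as 32 hex characters, using
# whichever tool the system has (GNU md5sum, Solaris digest(1), or openssl).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    elif command -v digest >/dev/null 2>&1; then
        digest -a md5 "$1"
    else
        openssl dgst -md5 "$1" | awk '{ print $NF }'
    fi
}

# verify_md5 FILE EXPECTED: return 0 when FILE exists and its digest equals
# EXPECTED (case-insensitive), 1 otherwise. A missing file is a failure too,
# since an archive that is silently skipped is never checked at all.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "MISSING  $file" >&2
        return 1
    fi
    actual=$(md5_of "$file" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file: expected $expected, got $actual" >&2
    return 1
}

# File names and digests from the checksum table on this page.
NPASSWD_SUMS='
npasswd-2.05.tar.gz 7537c609be2c87149affdf77e2ca377f
npasswd-words.tar.gz 50f1a9f5e30950187415099b9aae0652
npasswd-2.05-developer.tar.gz c7d789e5f0f49686a36916c9618a9dbb
'

# verify_all [DIR]: check every listed archive in DIR (default: the current
# directory). The exit status is the number of files that failed, so 0 means
# every archive was present and matched its published digest.
verify_all() {
    dir=${1:-.}
    printf '%s\n' "$NPASSWD_SUMS" | {
        failures=0
        while read -r name sum; do
            [ -n "$name" ] || continue
            verify_md5 "$dir/$name" "$sum" || failures=$((failures + 1))
        done
        exit "$failures"      # leaves the pipeline's subshell with the count
    }
}

# Usage: sh verify-npasswd.sh check [DIR]
case "${1-}" in
    check) verify_all "${2-}" ;;
esac
```

Run it in the directory holding the three archives (`sh verify-npasswd.sh check`) and proceed to unpacking only when it exits 0; the non-zero exit status tells you how many archives were missing or did not match.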
Unpack the npasswd distribution.

To prepare the distribution for building and installation, uncompress these files using GNU gunzip and the system tar command as follows (the dictionary archive unpacks into a directory named npasswd-2.00; move its contents into the 2.05 tree and remove the emptied directory):

     $ gunzip -c npasswd-2.05.tar.gz | tar xf -
     $ gunzip -c npasswd-words.tar.gz | tar xf -
     $ mv npasswd-2.00/dict/* npasswd-2.05/dict
     $ rm -rf npasswd-2.00

This creates a sub-directory named npasswd-2.05. The entire distribution, which includes the compressed tar files and their uncompressed, untarred counterparts, requires 13.6 MB of disk space. If you include the developer information, 16.5 MB are required.

Build the npasswd software

The build process begins by running the Configure script. For most of the questions asked by Configure, the defaults are sufficient. The questions that require your attention are shown below; the response to type is shown after each prompt. For a complete description of the build process, see the Build and Install documentation.

     Use which C compiler? [cc] gcc

     Do you expect to run these scripts and binaries
     on multiple machines? [n] n

     Where will private files be installed? (~name ok) [/usr/lib/passwd]
     /usr/lib/passwd
     Directory /usr/lib/passwd doesn't exist. Use that name anyway? [n] y

     ### Found passwd files "/etc/passwd"
     Change passwd file list? [n] n

     ### Found shadow files "/etc/shadow"
     Change shadow file list? [n] n

     Replace system programs? [y] y

     Activate the "paranoid" open [n] y

     Password history file [/usr/lib/passwd/history]
     /usr/lib/passwd/history
Once the build has been configured, build the software with make. This step need not be done as the user root:

     $ make


Install the npasswd software

The next step is installing npasswd. Note that the installation itself must be done as the user root; the history database is then loaded empty, and the build tree is cleaned up afterwards as the ordinary user.

      $ /bin/su
      Password:
      # make install
      # /usr/lib/passwd/history_admin load < /dev/null
      # exit
      $ make clean

This process installs the following files and directories:

     Files                                Contents
     /usr/lib/passwd                      Main directory where most files are installed
     /usr/lib/passwd/*.help               Customizable help files for installed commands
     /usr/lib/passwd/*.motd               Customizable message-of-the-day files for installed commands
     /usr/lib/passwd/checkpassword        Password quality checking program
     /usr/lib/passwd/history_admin        Manage password history database
     /usr/lib/passwd/history.*            History database
     /usr/lib/passwd/npasswd              The password quality and changing program
     /usr/lib/passwd/libcheckpassword.a   Subroutine archive for development
     /usr/lib/passwd/passwd.conf          Configuration file for the npasswd suite
     /usr/lib/passwd/bin                  Tools for dictionary administration and install/removal of the npasswd suite
     /usr/lib/passwd/dictionaries         Processed dictionaries
     /usr/lib/passwd/doc                  All documentation, including manual pages, management guides, and motivation for npasswd
     /usr/lib/passwd/system               Vendor-provided programs replaced by the npasswd suite
  In addition, the standard password changing programs - /usr/bin/passwd, /usr/bin/nispasswd, and /usr/bin/yppasswd - are all replaced by npasswd. Note that npasswd does not support NIS+.

We recommend that the interactive password checking program, checkpassword, and its corresponding documentation be installed in a directory where your users can easily find and use them. checkpassword lets your users try out their password selections before using npasswd to activate them. For example, the following achieves this goal. Note that this must be done as root. catman updates the files used by the whatis program.

     # ln -s /usr/lib/passwd/checkpassword /usr/bin
     # ln -s /usr/lib/passwd/doc/checkpassword.1 /usr/man/man1
     # catman -w /usr/man
 
Configure npasswd

After npasswd has been installed, you need to configure it. The configuration information is stored in the file:

/usr/lib/passwd/passwd.conf

Structure of the configuration file

The configuration file consists of two types of directives: those that apply to all sub-programs provided by npasswd, namely passwd, chfn (CHange Finger Name), and chsh (CHange user SHell), and those that apply to each individual sub-program. This implementation is confined to the directives that apply to passwd.

The format of each directive is:

     subprogram.option whitespace value

where subprogram is always passwd for this implementation, option is the specific datum being configured, and value is a number, path, boolean, or string. See checkpassword(3) for an explanation of the format.

Create the initial configuration

The configuration file shown below is the recommended way to configure npasswd. See the reference manual and checkpassword(3) for a complete explanation. Note that passwd.conf must be owned by root, be a regular file (not a symbolic link), and not be world writable; a configuration file that an ordinary user could edit would let that user switch the checks off for everyone. The MinPassword and MaxPassword values of 6 and 8 reflect the traditional crypt(3) algorithm used by Solaris 2.x, which uses only the first eight characters of a password.

     MatchTries             3
     MatchWait              2
     PasswdTolerance        8
     ShadowTolerance        32
     passwd.AlphaOnly       no
     passwd.CharClasses     4
     passwd.Dictionaries    /usr/lib/passwd/dictionaries
     passwd.DisallowedChars '^C^S^Q^D^H^J^M^O^R^Y^Z^]\033^\\0177'
     passwd.Help            /usr/lib/passwd/passwd.help
     passwd.History         age       180
     passwd.History         depth     4
     passwd.History         database  dbm /usr/lib/passwd/history
     passwd.LengthWarn      yes
     passwd.MaxPassword     8
     passwd.MaxRepeat       2
     passwd.Message         /usr/lib/passwd/passwd.motd
     passwd.MinPassword     6
     passwd.PasswordChecks  lexical passwd local history dictionary
     passwd.PrintableOnly   no
     passwd.SingleCase      no
     passwd.WhiteSpace      no
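Because passwd.conf is typed in by hand and read by a set-uid program, it is worth checking mechanically before the first user changes a password. The following POSIX shell script is an added example written for this page, not part of npasswd: it enforces the file requirements stated above (regular file, not a symbolic link, owned by root, not world writable) and checks that the path-valued directives are absolute and that the length bounds are integers with MinPassword no larger than MaxPassword. The function names, the OWNER parameter (present only so the checks can be exercised on a test copy; on a real system the owner must be root) and the embedded sample configuration, which is a constructed subset of the directives above, are this script's own.

```shell
#!/bin/sh
# Added example, not part of npasswd: sanity checks to run on passwd.conf
# before relying on a new installation. Enforces the file requirements given
# above (regular file, not a symlink, owned by root, not world writable) and
# checks a few directive values for the mistakes easiest to make when typing
# the file in by hand.

# is_int S: 0 when S is a non-empty string of decimal digits.
is_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# conf_file_ok CONF [OWNER]: 0 when CONF is a regular, non-symlink file owned
# by OWNER (default root) and not world writable. OWNER is a parameter only so
# the check can be exercised on a test copy; on a real system it is root.
conf_file_ok() {
    conf=$1; owner=${2:-root}; rc=0
    if [ -L "$conf" ]; then
        echo "FAIL $conf is a symbolic link" >&2; rc=1
    fi
    if [ ! -f "$conf" ]; then
        echo "FAIL $conf is not a regular file" >&2; rc=1
    fi
    # POSIX find(1): -perm -002 is true when the other-write bit is set.
    if [ -n "$(find "$conf" -prune -perm -002 2>/dev/null)" ]; then
        echo "FAIL $conf is world writable" >&2; rc=1
    fi
    if [ -z "$(find "$conf" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "FAIL $conf is not owned by $owner" >&2; rc=1
    fi
    return $rc
}

# conf_value CONF DIRECTIVE: print the value of the first line whose first
# field is DIRECTIVE (the rest of the line, leading whitespace stripped).
conf_value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# conf_directives_ok CONF: check that path-valued directives are absolute and
# that the length bounds are integers with MinPassword <= MaxPassword. The
# return value is the number of problems found (0 means the file passed).
conf_directives_ok() {
    conf=$1; problems=0
    for d in passwd.Dictionaries passwd.Help passwd.Message; do
        v=$(conf_value "$conf" "$d")
        case "$v" in
            /*) ;;
            *)  echo "FAIL $d must be an absolute path, got '$v'" >&2
                problems=$((problems + 1)) ;;
        esac
    done
    min=$(conf_value "$conf" passwd.MinPassword)
    max=$(conf_value "$conf" passwd.MaxPassword)
    if is_int "$min" && is_int "$max"; then
        if [ "$min" -gt "$max" ]; then
            echo "FAIL MinPassword ($min) exceeds MaxPassword ($max)" >&2
            problems=$((problems + 1))
        fi
        # Traditional crypt(3) on Solaris 2.x uses only the first eight
        # characters, so a larger MaxPassword gives a false sense of length.
        if [ "$max" -gt 8 ]; then
            echo "WARN MaxPassword $max exceeds the 8 characters crypt(3) uses" >&2
        fi
    else
        echo "FAIL MinPassword/MaxPassword must be integers" >&2
        problems=$((problems + 1))
    fi
    return $problems
}

# write_sample_conf PATH: write a constructed passwd.conf holding a subset of
# the directives shown above, for exercising the checks offline.
write_sample_conf() {
    cat > "$1" <<'EOF'
MatchTries             3
PasswdTolerance        8
passwd.Dictionaries    /usr/lib/passwd/dictionaries
passwd.Help            /usr/lib/passwd/passwd.help
passwd.History         depth     4
passwd.History         database  dbm /usr/lib/passwd/history
passwd.MaxPassword     8
passwd.Message         /usr/lib/passwd/passwd.motd
passwd.MinPassword     6
passwd.PasswordChecks  lexical passwd local history dictionary
EOF
}

# Usage: sh check-passwd-conf.sh check /usr/lib/passwd/passwd.conf
case "${1-}" in
    check) conf_file_ok "$2" && conf_directives_ok "$2" && echo "PASS $2" ;;
esac
```

A relative path in passwd.Dictionaries is the kind of slip this catches: npasswd would then look for its dictionaries relative to whatever directory the user happened to be in, and the dictionary test would silently find nothing.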

Test npasswd

The next task is to check the installation and configuration of npasswd. To do this, first run the checkpassword program to see whether it rejects some obvious passwords. Here is an example; the session ends with control-D:

      % /usr/lib/passwd/checkpassword
      Password to check: testing
      Password bad: it can be derived from the word 'testing'.
      Password to check: Testing
      Password bad: it can be derived from the word 'testing'.
      Password to check: t3st1ng
      Password bad: it can be derived from the word 'testing'.
      Password to check: unix
      Password bad: it is too short (minimum length is 6 characters).
      Password to check: grelnob
      Password ok.
      Password to check: ^D
      %

Another way to test the installation is to run checkpassword -XDall and carefully inspect the output. Look to see if checkpassword is reading your configuration file and reflecting your selections in its output.

Maintenance activities

npasswd benefits from periodic maintenance. We recommend the following activities:
  • History database cleaning
  • Adding local dictionaries
  • Other local checks

History database cleaning

The Npasswd Administration Guide describes a procedure for maintaining the history database: remove old and excess passwords, and remove the entries of users who are no longer in the password file. The guide suggests doing this from cron once a month, with an entry such as:

0 2 1 * * /usr/lib/passwd/history_admin purge

This means that at 2AM on the first of each month, the npasswd history database is purged as described above.


Adding local dictionaries

We recommend that you add dictionaries of words that are specific to your installation. For example, if you are installing npasswd at a university, we recommend that you add a dictionary that contains the following at a minimum:
  • names of campus buildings 
  • names of streets on campus 
  • faculty member surnames 
  • names of surrounding towns 
The procedure to do this is described in the Npasswd Administration Guide. This guide discusses how to:
  • Convert a dictionary from crack into npasswd
  • Make new dictionaries 
  • Add words to an existing dictionary 
  • Remove a dictionary 
  • View the contents of a dictionary 

Other local checks

The npasswd source provides a method for adding additional checks. These checks must be compiled into npasswd through changes to the src/PasswordCheck/pwck_local.c file. Presently, candidate passwords are checked for:
  • the name of the host and its aliases where npasswd is running 
  • information contained in the user's .rhosts file 
Extending these checks requires adding code to the pwck_local subroutine, which is contained in the pwck_local.c file, then rebuilding and reinstalling npasswd. The key subroutine referenced in pwck_local is GTry. GTry takes a string and a candidate password and decides whether the candidate is a permutation of the information in the string. If it is, the password should be disallowed, which pwck_local indicates by returning the value PWCK_OBVIOUS.

Here is an excerpt from pwck_local where candidate passwords are checked against the contents of the user's .rhosts file:

       /*
        * K&R-style definition, as in the npasswd source. "public",
        * MAXHOSTNAMLEN, MAXPATHLEN, GTry, PWCK_OK and PWCK_OBVIOUS are
        * supplied by the npasswd headers; the hostname and alias checks
        * that precede the .rhosts check are elided here.
        */
       public char *
       pwck_local(password, user)
           char *password;        /* Password to check */
           struct passwd *user;   /* Passwd info for user */
       {
           char    myname[MAXHOSTNAMLEN],
                   temp[MAXPATHLEN];
           struct hostent *h;
           FILE *rh;

           ...

           /*
            * Check against the user's .rhosts file. Each line names a
            * host (and possibly a user) the account owner deals with
            * regularly, so a password derived from one is obvious.
            * pw_dir comes from the password file, which only root can
            * edit, and is assumed to fit in MAXPATHLEN with "/.rhosts".
            */
           (void) sprintf(temp, "%s/.rhosts", user->pw_dir);
           if ((rh = fopen(temp, "r")) != NULL) {
               while (fgets(temp, sizeof(temp), rh)) {
                   if (GTry(temp, password)) {
                       (void) fclose(rh);
                       return (PWCK_OBVIOUS);
                   }
               }
               (void) fclose(rh);
           }
           return (PWCK_OK);
       }