Password History - SCO


Thread: Password History

  1. Password History

    Any easy way to implement password history - e.g. user can't re-use last X
    passwords, where X is a configurable parameter?

    After an IT audit, auditors were surprised this was not implemented in
    SCO OpenServer (6.0/mp2)

    --
    -Joe Chasan- Magnatech Business Systems, Inc.
    joe - at - magnatechonline -dot- com Hicksville, NY - USA
    http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264

  2. Re: Password History

    Joe Chasan wrote:
    > Any easy way to implement password history - e.g. user can't re-use last X
    > passwords, where X is a configurable parameter?
    >
    > After an IT audit, auditors were surprised this was not implemented in
    > SCO OpenServer (6.0/mp2)


    If you want thorough such control, upgrade to an OS smart enough to use
    Kerberos (which I'm not sure SCO has ever published), or use a Kerberized
    master password server with an NIS back end for SCO clients. Oddly, Solaris,
    Linux, and Active Directory from Windows can all do this. And oddly, Solaris's
    NIS requires real hand-massaging to prevent from causing system problems, even
    though Sun apparently invented it.

  3. Re: Password History

    Nico Kadel-Garcia typed (on Fri, Aug 15, 2008 at 10:05:19PM +0100):
    > Joe Chasan wrote:
    >> Any easy way to implement password history - e.g. user can't re-use last X
    >> passwords, where X is a configurable parameter?
    >>
    >> After an IT audit, auditors were surprised this was not implemented in
    >> SCO OpenServer (6.0/mp2)

    >
    > If you want thorough such control, upgrade to an OS smart enough to use
    > Kerberos (which I'm not sure SCO has ever published), or use a Kerberized
    > master password server with an NIS back end for SCO clients. Oddly,
    > Solaris, Linux, and Active Directory from Windows can all do this. And
    > oddly, Solaris's NIS requires real hand-massaging to prevent from causing
    > system problems, even though Sun apparently invented it.


    OSR 6.0.0 includes Kerberos.

    --
    JP

  4. Re: Password History

    On Fri, Aug 15, 2008 at 05:58:51PM -0400, Jean-Pierre Radley wrote:
    > Nico Kadel-Garcia typed (on Fri, Aug 15, 2008 at 10:05:19PM +0100):
    > > Joe Chasan wrote:
    > >> Any easy way to implement password history - e.g. user can't re-use last X
    > >> passwords, where X is a configurable parameter?
    > >>
    > >> After an IT audit, auditors were surprised this was not implemented in
    > >> SCO OpenServer (6.0/mp2)

    > >
    > > If you want thorough such control, upgrade to an OS smart enough to use
    > > Kerberos (which I'm not sure SCO has ever published), or use a Kerberized
    > > master password server with an NIS back end for SCO clients. Oddly,
    > > Solaris, Linux, and Active Directory from Windows can all do this. And
    > > oddly, Solaris's NIS requires real hand-massaging to prevent from causing
    > > system problems, even though Sun apparently invented it.

    >
    > OSR 6.0.0 includes Kerberos.


    then how would one implement this part of it?

    --
    -Joe Chasan- Magnatech Business Systems, Inc.
    joe - at - magnatechonline -dot- com Hicksville, NY - USA
    http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264

  5. Re: Password History

    Joe Chasan typed (on Fri, Aug 15, 2008 at 06:56:03PM -0400):
    | On Fri, Aug 15, 2008 at 05:58:51PM -0400, Jean-Pierre Radley wrote:
    | > Nico Kadel-Garcia typed (on Fri, Aug 15, 2008 at 10:05:19PM +0100):
    | > > Joe Chasan wrote:
    | > >> Any easy way to implement password history - e.g. user can't re-use last X
    | > >> passwords, where X is a configurable parameter?
    | > >>
    | > >> After an IT audit, auditors were surprised this was not implemented in
    | > >> SCO OpenServer (6.0/mp2)
    | > >
    | > > If you want thorough such control, upgrade to an OS smart enough to use
    | > > Kerberos (which I'm not sure SCO has ever published), or use a Kerberized
    | > > master password server with an NIS back end for SCO clients. Oddly,
    | > > Solaris, Linux, and Active Directory from Windows can all do this. And
    | > > oddly, Solaris's NIS requires real hand-massaging to prevent from causing
    | > > system problems, even though Sun apparently invented it.
    | >
    | > OSR 6.0.0 includes Kerberos.
    |
    | then how would one implement this part of it?

    Well, I never done it so I can't help you. Looks like you have (more
    than enough) reading for weekends from now to Columbus Day at:

    http://web.mit.edu/Kerberos/krb5-1.6/#documentation

    --
    JP

  6. Re: Password History

    Jean-Pierre Radley wrote:
    > Joe Chasan typed (on Fri, Aug 15, 2008 at 06:56:03PM -0400):
    > | On Fri, Aug 15, 2008 at 05:58:51PM -0400, Jean-Pierre Radley wrote:
    > | > Nico Kadel-Garcia typed (on Fri, Aug 15, 2008 at 10:05:19PM +0100):
    > | > > Joe Chasan wrote:
    > | > >> Any easy way to implement password history - e.g. user can't re-use last X
    > | > >> passwords, where X is a configurable parameter?
    > | > >>
    > | > >> After an IT audit, auditors were surprised this was not implemented in
    > | > >> SCO OpenServer (6.0/mp2)
    > | > >
    > | > > If you want thorough such control, upgrade to an OS smart enough to use
    > | > > Kerberos (which I'm not sure SCO has ever published), or use a Kerberized
    > | > > master password server with an NIS back end for SCO clients. Oddly,
    > | > > Solaris, Linux, and Active Directory from Windows can all do this. And
    > | > > oddly, Solaris's NIS requires real hand-massaging to prevent from causing
    > | > > system problems, even though Sun apparently invented it.
    > | >
    > | > OSR 6.0.0 includes Kerberos.
    > |
    > | then how would one implement this part of it?
    >
    > Well, I never done it so I can't help you. Looks like you have (more
    > than enough) reading for weekends from now to Columbus Day at:
    >
    > http://web.mit.edu/Kerberos/krb5-1.6/#documentation
    >


    But, while those documents are wonderful, they don't explain how to manage the
    settings on particular operating systems. Active Directory uses Kerberos as
    well, but this document will not help you find the settings *there*.

    I'm working with OSR 5.0.6: I assume that 'scoadmin' has such settings
    available in its GUI, and I'd avoid resetting such things manually in the text
    files to avoid confusion and discrepancy between GUI managed components.

  7. Re: Password History

    On Sat, Aug 16, 2008 at 08:16:49AM +0100, Nico Kadel-Garcia wrote:
    > Jean-Pierre Radley wrote:
    > > Joe Chasan typed (on Fri, Aug 15, 2008 at 06:56:03PM -0400):
    > > | On Fri, Aug 15, 2008 at 05:58:51PM -0400, Jean-Pierre Radley wrote:
    > > | > Nico Kadel-Garcia typed (on Fri, Aug 15, 2008 at 10:05:19PM +0100):
    > > | > > Joe Chasan wrote:
    > > | > >> Any easy way to implement password history - e.g. user can't re-use last X
    > > | > >> passwords, where X is a configurable parameter?
    > > | > >>
    > > | > >> After an IT audit, auditors were surprised this was not implemented in
    > > | > >> SCO OpenServer (6.0/mp2)
    > > | > >
    > > | > > If you want thorough such control, upgrade to an OS smart enough to use
    > > | > > Kerberos (which I'm not sure SCO has ever published), or use a Kerberized
    > > | > > master password server with an NIS back end for SCO clients. Oddly,
    > > | > > Solaris, Linux, and Active Directory from Windows can all do this. And
    > > | > > oddly, Solaris's NIS requires real hand-massaging to prevent from causing
    > > | > > system problems, even though Sun apparently invented it.
    > > | >
    > > | > OSR 6.0.0 includes Kerberos.
    > > |
    > > | then how would one implement this part of it?
    > >
    > > Well, I never done it so I can't help you. Looks like you have (more
    > > than enough) reading for weekends from now to Columbus Day at:
    > >
    > > http://web.mit.edu/Kerberos/krb5-1.6/#documentation
    > >

    >
    > But, while those documents are wonderful, they don't explain how to manage the
    > settings on particular operating systems. Active Directory uses Kerberos as
    > well, but this document will not help you find the settings *there*.
    >
    > I'm working with OSR 5.0.6: I assume that 'scoadmin' has such settings
    > available in its GUI, and I'd avoid resetting such things manually in the text
    > files to avoid confusion and discrepancy between GUI managed components.


    I see that OSR6 has kerberos tools, but they are not well documented
    at all - from what i gather, OSR6 can pass-off the authentication
    process using kerberos tools to a kerberos authentication server - i
    don't see how to make SCO OSR6 into one - i see that can use recent
    linux or windows servers as one. not sure i want to create such a mess
    for what i thought was a simple request.

    --
    -Joe Chasan- Magnatech Business Systems, Inc.
    joe - at - magnatechonline -dot- com Hicksville, NY - USA
    http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264

  8. Re: Password History

    On 15 Aug, 21:45, Joe Chasan wrote:
    > Any easy way to implement password history - e.g. user can't re-use last X
    > passwords, where X is a configurable parameter?
    >
    > After an IT audit, auditors were surprised this was not implemented in
    > SCO OpenServer (6.0/mp2)


    One option you have is to script around goodpw(ADM) to
    implement this. See the man page at:

    http://osr600doc.sco.com/en/man/html...oodpw.ADM.html

    John

  9. Re: Password History

    On Tue, Aug 19, 2008 at 07:36:35AM -0700, bonixsas@gmail.com wrote:
    > On 15 Aug, 21:45, Joe Chasan wrote:
    > > Any easy way to implement password history - e.g. user can't re-use last X
    > > passwords, where X is a configurable parameter?
    > >
    > > After an IT audit, auditors were surprised this was not implemented in
    > > SCO OpenServer (6.0/mp2)

    >
    > One option you have is to script around goodpw(ADM) to
    > implement this. See the man page at:
    >
    > http://osr600doc.sco.com/en/man/html...oodpw.ADM.html


    not sure what you are suggesting - if i wrote my own script wraparound
    to goodpw to also check to my own homegrown history tool after regular
    goodpw checks, wouldn't i have to store stuff in plain text?

    --
    -Joe Chasan- Magnatech Business Systems, Inc.
    joe - at - magnatechonline -dot- com Hicksville, NY - USA
    http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264

  10. Re: Password History

    Joe Chasan wrote:
    > Any easy way to implement password history - e.g. user can't re-use last X
    > passwords, where X is a configurable parameter?
    >
    > After an IT audit, auditors were surprised this was not implemented in
    > SCO OpenServer (6.0/mp2)
    >
    > --
    > -Joe Chasan- Magnatech Business Systems, Inc.
    > joe - at - magnatechonline -dot- com Hicksville, NY - USA
    > http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264


    If you install SCO OpenServer 5.0.7 (perhaps it works for your 5.0.6
    too) with the "Security Profile: High (Above C2)" I know it installs the
    TCB Subsystem (Trusted Computer Base Subsystem) which has native support
    for password history, and all manners of restrictions and locks, etc.

    I advise you TCB is going to give you headaches aplenty...

  11. Re: Password History

    On 19 Aug, 21:49, Joe Chasan wrote:
    > On Tue, Aug 19, 2008 at 07:36:35AM -0700, bonix...@gmail.com wrote:
    > > On 15 Aug, 21:45, Joe Chasan wrote:
    > > > Any easy way to implement password history - e.g. user can't re-use last X
    > > > passwords, where X is a configurable parameter?

    >
    > > > After an IT audit, auditors were surprised this was not implemented in
    > > > SCO OpenServer (6.0/mp2)

    >
    > > One option you have is to script around goodpw(ADM) to
    > > implement this. See the man page at:

    >
    > >http://osr600doc.sco.com/en/man/html...oodpw.ADM.html

    >
    > not sure what you are suggesting - if i wrote my own script wraparound
    > to goodpw to also check to my own homegrown history tool after regular
    > goodpw checks, wouldn't i have to store stuff in plain text?


    Joe,

    You have the option to use crypt(S) if you wish?

    John
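
An added example (not written by any poster in this thread, and not SCO or npasswd code) of the idea in the exchange above: a last-X history check that stores only salted one-way hashes, never plaintext. PBKDF2 from Python's standard library stands in for crypt(S); the class name, record layout, file mode and parameter values are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time

DEPTH = 4             # "X": previous passwords remembered (assumed value)
ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune per host)


def derive(password, salt, iterations):
    """One-way hash of a password; PBKDF2-HMAC-SHA256 stands in for crypt(S)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_entry(password, iterations, now):
    """Build one history record: iterations$salt$hash$timestamp (all text)."""
    salt = os.urandom(16)  # fresh salt per entry, so equal passwords differ on disk
    digest = derive(password, salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}${int(now)}"


def entry_matches(entry, candidate):
    """Re-hash the candidate with the entry's own salt and compare."""
    iterations, salt_hex, digest_hex, _stamp = entry.split("$")
    digest = derive(candidate, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class PasswordHistory:
    """Per-user list of hashed passwords, oldest first, at most `depth` long."""

    def __init__(self, depth=DEPTH, iterations=ITERATIONS):
        if depth < 1:
            raise ValueError("depth must be at least 1")
        self.depth = depth
        self.iterations = iterations
        self.entries = {}  # user name -> list of record strings

    def is_reused(self, user, candidate):
        # Check every entry (no early exit) so timing does not show which one hit.
        hits = [entry_matches(e, candidate) for e in self.entries.get(user, [])]
        return any(hits)

    def change(self, user, new_password, now=None):
        """Record the new password unless it is one of the last `depth`."""
        if self.is_reused(user, new_password):
            return False
        records = self.entries.setdefault(user, [])
        records.append(make_entry(new_password, self.iterations, now or time.time()))
        del records[:-self.depth]  # forget anything older than the last X
        return True

    def dump(self):
        """Serialize as 'user:record' lines; the output holds no plaintext."""
        return "".join(f"{u}:{r}\n" for u, rs in sorted(self.entries.items()) for r in rs)

    @classmethod
    def load(cls, text, depth=DEPTH, iterations=ITERATIONS):
        """Rebuild a history from dump() output, trimming to `depth` per user."""
        history = cls(depth, iterations)
        for line in text.splitlines():
            user, record = line.split(":", 1)
            history.entries.setdefault(user, []).append(record)
        for records in history.entries.values():
            del records[:-depth]
        return history

    def save(self, path):
        """Write the history file so that only its owner can read it."""
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.fchmod(fd, 0o600)  # also tighten a file that already existed
        with os.fdopen(fd, "w") as fh:
            fh.write(self.dump())


if __name__ == "__main__":
    h = PasswordHistory(depth=2, iterations=1000)  # constructed demo values
    for pw in ["alpha-1", "bravo-2", "alpha-1", "charlie-3", "alpha-1"]:
        print(pw, "accepted" if h.change("joe", pw) else "rejected: recently used")
    print(h.dump(), end="")
```

The hashed history is still sensitive, since it can be attacked offline like a shadow file, which is why the sketch restricts the file to its owner.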



  12. Re: Password History

    On Wed, Aug 20, 2008 at 02:17:51AM +0200, Pepe wrote:
    > Joe Chasan wrote:
    > > Any easy way to implement password history - e.g. user can't re-use last X
    > > passwords, where X is a configurable parameter?
    > >
    > > After an IT audit, auditors were surprised this was not implemented in
    > > SCO OpenServer (6.0/mp2)
    > >
    > > --
    > > -Joe Chasan- Magnatech Business Systems, Inc.
    > > joe - at - magnatechonline -dot- com Hicksville, NY - USA
    > > http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264

    >
    > If you install SCO OpenServer 5.0.7 (perhaps it works for your 5.0.6
    > too) with the "Security Profile: High (Above C2)" I know it installs the
    > TCB Subsystem (Trusted Computer Base Subsystem) which has native support
    > for password history, and all manners of restrictions and locks, etc.
    >
    > I advise you TCB is going to give you headaches aplenty...


    i don't see anyplace documented that C2/TCB uses password history.

    anyone out there have security profile set to High that can verify
    password history is used? i don't want to break everything (and looks
    like a lot would break if i changed) for nothing.

    --
    -Joe Chasan- Magnatech Business Systems, Inc.
    joe - at - magnatechonline -dot- com Hicksville, NY - USA
    http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264

  13. Re: Password History

    On Wed, Aug 20, 2008 at 12:46:15AM -0700, bonixsas@gmail.com wrote:
    > On 19 Aug, 21:49, Joe Chasan wrote:
    > > On Tue, Aug 19, 2008 at 07:36:35AM -0700, bonix...@gmail.com wrote:
    > > > On 15 Aug, 21:45, Joe Chasan wrote:
    > > > > Any easy way to implement password history - e.g. user can't re-use last X
    > > > > passwords, where X is a configurable parameter?

    > >
    > > > > After an IT audit, auditors were surprised this was not implemented in
    > > > > SCO OpenServer (6.0/mp2)

    > >
    > > > One option you have is to script around goodpw(ADM) to
    > > > implement this. See the man page at:

    > >
    > > >http://osr600doc.sco.com/en/man/html...oodpw.ADM.html

    > >
    > > not sure what you are suggesting - if i wrote my own script wraparound
    > > to goodpw to also check to my own homegrown history tool after regular
    > > goodpw checks, wouldn't i have to store stuff in plain text?

    >
    > Joe,
    >
    > You have the option to use crypt(S) if you wish?


    yes, true - i guess my real issue is whether a homegrown hack of my
    own would suffice when it was expected it to be provided by application
    OS. All this came up via an IT audit by outside auditor Ernst & Young.
    They ask for copies of files, settings, etc, as proof of all and i guess
    they expect features common in windows world.

    --
    -Joe Chasan- Magnatech Business Systems, Inc.
    joe - at - magnatechonline -dot- com Hicksville, NY - USA
    http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264

  14. Re: Password History

    On 20 Aug, 21:46, Joe Chasan wrote:

    > > If you install SCO OpenServer 5.0.7 (perhaps it works for your 5.0.6
    > > too) with the "Security Profile: High (Above C2)" I know it installs the
    > > TCB Subsystem (Trusted Computer Base Subsystem) which has native support
    > > for password history, and all manners of restrictions and locks, etc.

    >
    > > I advise you TCB is going to give you headaches aplenty...

    >
    > i don't see anyplace documented that C2/TCB uses password history.
    >
    > anyone out there have security profile set to High that can verify
    > password history is used? i don't want to break everything (and looks
    > like a lot would break if i changed) for nothing.


    C2 and the TCB do not implement password history.

    As far as I know a password history is not a C2 requirement
    as defined by the Orange book.

    John

  15. Re: Password History

    bonixsas@gmail.com wrote:
    > On 20 Aug, 21:46, Joe Chasan wrote:
    >
    >
    >>>If you install SCO OpenServer 5.0.7 (perhaps it works for your 5.0.6
    >>>too) with the "Security Profile: High (Above C2)" I know it installs the
    >>>TCB Subsystem (Trusted Computer Base Subsystem) which has native support
    >>>for password history, and all manners of restrictions and locks, etc.

    >>
    >>>I advise you TCB is going to give you headaches aplenty...

    >>
    >>i don't see anyplace documented that C2/TCB uses password history.
    >>
    >>anyone out there have security profile set to High that can verify
    >>password history is used? i don't want to break everything (and looks
    >>like a lot would break if i changed) for nothing.

    >
    >
    > C2 and the TCB do not implement password history.
    >


    I checked my notes from a past "experience" with OpenServer and I see I
    was wrong. In my notes I see that if you make a "Security Profile: High
    (Above C2)" install, then the system forces you to change the password
    periodically AND to accept the new random password it generates for you
    when the time for change arrives. The result is the same as password
    history, i.e. the user cannot reuse an old password.

    The users are going to revolt hideously, too.

    I had to disable that with the command:

    # usermod -D -x "{passwordChooseOwn 1}"

    and then for each already created user:

    # usermod -x "{passwordChooseOwn 1}" user01


    So there you go.

  16. Re: Password History

    Joe Chasan wrote:
    >
    > On Wed, Aug 20, 2008 at 12:46:15AM -0700, bonixsas@gmail.com wrote:
    > > On 19 Aug, 21:49, Joe Chasan wrote:
    > > > On Tue, Aug 19, 2008 at 07:36:35AM -0700, bonix...@gmail.com wrote:
    > > > > On 15 Aug, 21:45, Joe Chasan wrote:
    > > > > > Any easy way to implement password history - e.g. user can't re-use last X
    > > > > > passwords, where X is a configurable parameter?
    > > >
    > > > > > After an IT audit, auditors were surprised this was not implemented in
    > > > > > SCO OpenServer (6.0/mp2)
    > > >
    > > > > One option you have is to script around goodpw(ADM) to
    > > > > implement this. See the man page at:
    > > >
    > > > >http://osr600doc.sco.com/en/man/html...oodpw.ADM.html
    > > >
    > > > not sure what you are suggesting - if i wrote my own script wraparound
    > > > to goodpw to also check to my own homegrown history tool after regular
    > > > goodpw checks, wouldn't i have to store stuff in plain text?

    > >
    > > Joe,
    > >
    > > You have the option to use crypt(S) if you wish?

    >
    > yes, true - i guess my real issue is whether a homegrown hack of my
    > own would suffice when it was expected it to be provided by application
    > OS. All this came up via an IT audit by outside auditor Ernst & Young.
    > They ask for copies of files, settings, etc, as proof of all and i guess
    > they expect features common in windows world.
    >
    > --
    > -Joe Chasan- Magnatech Business Systems, Inc.
    > joe - at - magnatechonline -dot- com Hicksville, NY - USA
    > http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264


    Joe,

    Have a look at npasswd-2.05.

    The following is a copy of a submission I sent to Ron Record at SCO asking
    him to consider adding npasswd to the SCO Skunkware library and describing the
    problems I encountered trying to compile it myself.

    I got password somewhat working but had problems so I never installed it on
    my client's system. It does have a configurable password history depth
    setting to prevent users from reusing passwords.

    -------- Original Message --------
    Subject: Submit npasswd-2.05 for possible addition to SCO Skunkware library
    Date: Fri, 08 Sep 2006 17:17:05 -0500
    From: "Steve M. Fabac, Jr."
    Organization: S.M. Fabac & Associates
    To: rr@sco.com

    Ron:

    I spoke to you at SCO Forum 2006 about adding npasswd-2.05 to the
    SCO Skunkware library and you asked me to mail my results in trying to
    compile it.

    With the changes below, I have a somewhat working version of npasswd.
    However, it breaks the SCO symlink structure on /etc/passwd, /etc/shadow,
    and /etc/group when it is used to change a user's password.

    Npasswd-2.05 does not like the SCO symlink structure and requires that
    when you run "sh Configure" you specify the target of /etc/passwd
    symlink (enter /var/opt/K/SCO/Unix/5.0.7Hw/etc/passwd) when answering
    the Configure script:

    > ### Including support for System 5 shadow passwords
    >
    > ### Found passwd files
    > "/etc/passwd"
    >
    > Change passwd file list? [n] y
    > Enter passwd file names, end with blank line
    > Passwd file: [-] /var/opt/K/SCO/Unix/5.0.7Hw/etc/passwd


    Also, I had to specify additional libraries:
    > On some systems, mostly System V Release 3's, the shared library is included
    > by putting the option "-lc_s" as the last thing on the cc command line when
    > linking. Other systems use shared libraries by default. There may be other
    > libraries needed to compile npasswd on your machine as well. If your system
    > needs the "-lc_s" option, include it here. Include any other special libraries
    > here as well. Say "none" for none.
    >
    > Any additional libraries? [-lsocket -lndbm -lc_s -lrpcsvc]


    Most other questions I accepted the default except for NIS and
    "Replace system programs?":

    > ### This system has NIS (YP).
    >
    > Do you want to include NIS support? [y] n
    >
    > There are some functions that npasswd cannot perform, or
    > are best done by the vendor passwd/chfn/chsh programs.
    >
    > These will be moved to a restricted access area if
    > you choose the "replace system programs" option.
    >
    > Replace system programs? [y] n



    Ooops, while compiling this list, I walked through the changes in
    my new working directory /tmp/npasswd-2.05 to verify that everything
    works and I get this error that I don't remember getting on my
    system running with MP4 (currently have MP5 installed after removing
    MP4)

    > cc -c -DNO_PROTOTYPE -D_NO_PROTO -DOS_NAME=sco_sv -DOS_MAJOR_VERSION=3 -
    > DOS_MINOR_VERSION=2 -I.. -I../.. -I../Common -Icracklib -O pwck_local.c
    > UX:i386acomp: ERROR: "/usr/include/netdb.h", line 98: error: missing operand


    I verified the problem by running "make clean" and then make in my original
    development directory: /app2/cd/npasswd/npasswd-2.05:

    > /bin/rm -f pwck_local.o
    > cc -c -DNO_PROTOTYPE -D_NO_PROTO -DOS_NAME=sco_sv -DOS_MAJOR_VERSION=3 -
    > DOS_MINOR_VERSION=2 -I.. -I../.. -I../Common -Icracklib -g -DCDEBUG=1 pwck_loca
    > l.c
    > UX:i386acomp: ERROR: "/usr/include/netdb.h", line 98: error: missing operand


    So I need to find netdb.h distributed with MP4 and check to see what is the difference.
    Well, that's not the problem: I extracted netdb.h from MP4 and it is identical to
    netdb.h in MP5. I'll have to keep looking but I'll ship this e-mail off to you.

    In addition, npasswd-2.05 does not interface with the SCO TCB data files.

    If I search for TCB in the distro's files, I find a reference to OSF1
    but I don't know how to find the information to add the check for
    SCO TCB and the right calls:

    # find . -type f -print | xargs grep TCB
    ../npasswd-2.05/src/compatibility.h:# define OSF1_TCB "/tcb"
    ../npasswd-2.05/src/PasswordCheck/hist_osf.c: if (access(OSF1_TCB, 0) < 0)
    /* AuthDB not in use */
    ../npasswd-2.05/src/PasswordCheck/hist_osf.c: if (access(OSF1_TCB, 0) < 0)
    /* AuthDB not in use */
    ../npasswd-2.05/src/Common/pw_svc.c: if (access(OSF1_TCB, 0) == 0) {
    #




    < Orig npasswd-2.05 is unpacked from tar archive, no other changes
    mi
    npasswd-2.05 modified) is latest version with smf modifications >
    (may also represent configuration changes created when running
    sh Configure in the top level npasswd-2.05 build tree)




    Compatibility.h modified to add SCO PATHSIZE for undefined npasswd MAXPATHLEN

    I don't remember why I commented out I_SYS_TIME except as cut and try to
    track down why npasswd clears TZ and stamps records in GMT time.



    90c90
    < #ifdef I_SYS_TIME
    ---
    > /*#ifdef I_SYS_TIME */

    92c92
    < #else
    ---
    > /*#else

    94c94
    < #endif
    ---
    > #endif */
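
    Review bot: the edits at 92 and 94 open a comment at `/*#else` and close it at `#endif */`, so whatever sits on line 93 is silently compiled out and line 91 becomes unconditional, with no reason recorded (the message itself says the reason is not remembered). Unless the need for this can be stated in a comment next to the change, restore the original `#ifdef I_SYS_TIME` / `#else` / `#endif` so the time-header selection is decided by Configure again.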

    156a157,160
    > #endif
    >
    > #ifndef MAXPATHLEN
    > # define MAXPATHLEN PATHSIZE





    Likewise, modifications to main.c are an attempt to have npasswd respect the
    system TZ value set and not stamp password change times in GMT

    < orig ./npasswd-2.05/src/main.c /app2/cd/npasswd/./npasswd-2.05/src/main.c (modified)>
    51a52,53
    > #include
    > #include

    68a71
    > private char *bob;

    609a613,614
    > char *ip;
    > char *TZ = "NZ=TESTME";

    639a645
    > ip = getenv ("TZ"); /* save TZ from environment */

    640a647,649
    > sprintf(TZ, "TZ=%s", ip);
    > putenv (TZ ); /* restoe TZ to environment */
    >
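
    Review bot: `sprintf(TZ, "TZ=%s", ip)` at 647 writes into the string literal `"NZ=TESTME"` declared at 614, which is undefined behaviour, and the literal has room for only 9 characters plus the NUL, so a value such as the CST6CDT shown later in this message already overruns it by one byte. `ip` is also NULL when TZ is not set in the environment, and `putenv()` keeps the pointer it is given, so the storage has to outlive the function. Use a static array sized for the longest TZ value accepted, check the length before formatting into it, and skip the `putenv()` when `getenv("TZ")` returned NULL.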




    The following modifications are an attempt to prevent npasswd using GMT time
    stamp on the "time of password change"

    < orig ./npasswd-2.05/src/passwd.c /app2/cd/npasswd/./npasswd-2.05/src/passwd.c (modified)>
    119c119,121
    < lt = gmtime(&theUser->pwage.last_change);
    ---
    > lt = ctime(&theUser->pwage.last_change);
    > lt = ctime(&theUser->pwage.last_change);
    > /* lt = gmtime(&theUser->pwage.last_change); smf */
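
    Review bot: `ctime()` returns a `char *`, but `lt` held the result of `gmtime()` on the removed line 119, so after this change `lt` points at a text string rather than a broken-down time. The local-time counterpart of `gmtime()` is `localtime(&theUser->pwage.last_change)`. The new assignment also appears twice, on 119 and 120; one copy should go.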

    171c173,174
    < lt = (struct tm *)gmtime(&timen);
    ---
    > /* lt = (struct tm *)gmtime(&timen); smf mod */
    > lt = (struct tm *)ctime(&timen);
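
    Review bot: the `(struct tm *)` cast kept on line 174 only silences the compiler about the pointer mismatch introduced by switching to `ctime(&timen)`; any field read through `lt` after this point would interpret characters of the date string as integers. Use `localtime(&timen)` here and drop the cast.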

    240a244,246
    > /* Add code to test for min change time
    > * if found the print message and die
    > */




    Same for modifications to pwck_history.c use local TZ and not GMT.
    "it is not old enough\n" modification to pretty up output.

    < orig ./npasswd-2.05/src/PasswordCheck/pwck_history.c /app2/cd/npasswd/./npasswd-2.05/src/PasswordCheck/pwck_history.c (modified)>
    65a66,67
    >
    >

    74a77
    > #include

    100a104,107
    > /* extern time_t timezone, altzone;
    > extern int daylight;
    > extern char *tzname[2];
    > char bob ; */

    102c109,110
    < #define MSG_REUSE "it is not old enough (last used %s)"
    ---
    >
    > #define MSG_REUSE "it is not old enough\n(last used %s)"

    500c508
    <
    ---
    > tzset();

    502c510,512
    < pwtime = (time_t )atol(t);
    ---
    > /* pwtime = atol(t); */
    > pwtime = (time_t )atol(t);
    > /* bob = (time_t )atol(t); */

    505c515,516
    < char *ct = ctime(&pwtime);
    ---
    > /* char *ct = asctime(localtime(&pwtime)); */
    > char *ct = ctime(&pwtime);

    506a518
    > printf("Hello, world! timezone = %d %d \n", timezone, pwtime );
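
    Review bot: the `printf("Hello, world! timezone = %d %d \n", ...)` added at 518 is leftover debug output on the reuse-rejection path, and it passes `pwtime` (a `time_t`) and `timezone` to `%d`, which is a format mismatch wherever those are wider than `int`. Remove it, or put it under the `CDEBUG` define used in the Makefile.local changes and print the values as `(long)` with `%ld`.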

    508c520
    < (void) sprintf(mesg, MSG_REUSE, &ct[4]);
    ---
    > (void) sprintf(mesg, MSG_REUSE, &ct[4] );





    Hist_dbm.c GMT time vs local TZ again.

    < orig ./npasswd-2.05/src/PasswordCheck/hist_dbm.c /app2/cd/npasswd/./npasswd-2.05/src/PasswordCheck/hist_dbm.c (modified)>
    67a68
    > #include





    IMPORTANT: The following change solves the malloc error in
    npasswd-2.05.tar.gz distro

    < orig ./npasswd-2.05/src/Common/split.c /app2/cd/npasswd/./npasswd-2.05/src/Common/split.c (modified)>
    213c213
    < (unsigned )strlen(string)); /* String data */
    ---
    > (unsigned )strlen(string) + 1); /* String data */
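
    Review bot: the `+ 1` on line 213 is the one change in this set that corrects a size calculation (room for the terminating NUL after `strlen(string)` bytes), yet it carries no comment and is mixed in with the SCO porting edits. Add a short comment at the call saying the extra byte is for the terminator, check the other size arguments of the same call for the same omission, and send this fix to the npasswd maintainer separately from the port.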






    The following differences relate to specifying DEBUG in Configuration:

    < orig ./npasswd-2.05/src/Makefile.local /app2/cd/npasswd/./npasswd-2.05/src/Makefile.local (modified)>
    0a1,2
    > X_LOCAL_CFLAGS = -i -DCDEBUG=1
    > X_COPT=
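
    Review bot: `X_LOCAL_CFLAGS = -i -DCDEBUG=1` in src/Makefile.local uses `-i` where the other four Makefile.local files in this set use `-g`; if that is a typo the top-level objects are built without debug symbols and with an unintended compiler option. Make the five files consistent, and keep `-DCDEBUG=1` out of any build that is installed for users.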





    < orig ./npasswd-2.05/src/Common/Makefile.local /app2/cd/npasswd/./npasswd-2.05/src/Common/Makefile.local (modified)>
    0a1,2
    > X_LOCAL_CFLAGS = -g -DCDEBUG=1
    > X_COPT=




    < orig ./npasswd-2.05/src/Methods/Makefile.local /app2/cd/npasswd/./npasswd-2.05/src/Methods/Makefile.local (modified)>
    0a1,2
    > X_LOCAL_CFLAGS = -g -DCDEBUG=1
    > X_COPT=





    < orig ./npasswd-2.05/src/PasswordCheck/cracklib/Makefile.local /app2/cd/npasswd/./npasswd-2.05/src/PasswordCheck/cracklib/Makefile.local (modified)>
    0a1,2
    > X_LOCAL_CFLAGS = -g -DCDEBUG=1
    > X_COPT=






    < orig ./npasswd-2.05/src/PasswordCheck/Makefile.local /app2/cd/npasswd/./npasswd-2.05/src/PasswordCheck/Makefile.local (modified)>
    0a1,2
    > X_LOCAL_CFLAGS = -g -DCDEBUG=1
    > X_COPT=



    Excerpt of last message posted on the comp.unix.sco.misc news group
    Included for additional information only. The changes above to
    solve the malloc problem were installed on May 5.

    -------- Original Message --------
    Subject: Need help trying to compile npasswd-2.05
    Date: Tue, 02 May 2006 19:45:53 GMT
    From: "Steve M. Fabac, Jr."
    Organization: S.M. Fabac & Associates
    To: distribution@xenitec.on.ca
    Newsgroups: comp.unix.sco.misc

    I am trying to compile npasswd-2.05 on SCO 5.0.7:

    ||*GNU Development Tools (ver 5.0.7g) ||
    || SCO OpenServer Enterprise System (ver 5.0.7Hw) ||
    || SCO OpenServer Linker and Application Development Libraries (ver 5.2.0Aa) ||
    || SCO Symmetrical Multiprocessing (ver 1.1.1Hw) ||
    || Samba 3.0.20a File and Print Server (ver 3.0.20Ab) ||
    || Squid Proxy Cache 2.5.STABLE12 (ver 5.0.7Hd) ||
    || SCO OpenServer Release 5.0.7 Maintenance Pack 4 (ver 1.0.0Lb)

    and with Bela's suggestions on libraries, have gotten it to compile but
    it does not work properly and dumps core when used to change a user's password
    for the second time.

    The reason for investigating npasswd is to obtain the facility to prevent
    users from re-using any of their last four passwords.

    I ran ./Configure and worked through the steps to configure the make script
    with choices as seemed appropriate. Most things I left at default as discovered
    by Configure but I specified "NO" to replace system files: With "NO" make install
    creates /usr/lib/passwd and installs npasswd and its support utilities therein.
    With "YES" make install will replace /bin/passwd with the compiled npasswd
    executable and move the OS passwd and support files to /usr/lib/passwd/system
    where it will call them as needed.

    With the changes I made to get npasswd to compile, the /usr/lib/passwd/npasswd
    executable will change a user's password (updating /etc/passwd & /etc/shadow) but
    not changing the tcb passwd information:

    Sun Apr 30 23:46:31 CDT 2006
    # npasswd smf


    Changing password for smf on unix.smfabac.com
    New password (? for help):
    New password (again):
    Local password changed for smf on unix.smfabac.com
    Local password aging changed for smf on unix.smfabac.com
    # date
    Sun Apr 30 23:47:00 CDT 2006
    # echo $TZ
    CST6CDT
    #
    # userls -A -l smf
    smf {pw_name smf} {pw_uid 200} {loginGroup group} {pw_gid 50} {pw_di
    r /u/smf} {pw_shell /bin/sh} {groups group} {groupsForLogins {}} {auditFlags {0
    0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0}} {mode 16877} {noPassword 0} {comment {St
    eve Fabac; S.M. Fabac & Associates 816-765-1670}} {passwdSuccessfulChangeTime 11
    46441600} {lastSuccessfulLoginTime 1146441600} {administrativeLockApplied 0} {pa

    # l -lt /etc/passwd
    -rw-rw-r-- 1 bin auth 1006 Apr 30 23:52 /etc/passwd@

    # cat history.pag
    n SrBINT9XC30Mw,1146458817smf

    Converting 1146458817 UNIX time results in: Mon, 1 May 2006 04:46:57 UTC


    The above output of userls shows that the passwdSuccessfulChangeTime is 1146441600 and is the
    same as the lastSuccessfulLoginTime (?). Converting from UNIX time to date
    calculator I get: Mon, 1 May 2006 00:00:00 UTC with scoadmin -> account manager
    showing:

    |
    | +------------------ unix: User Password Expiration: smf -------------------+ |
    | | |||
    | | Last Successful Change: Sun Apr 30 19:00:00 CDT 2006 |||

    So npasswd does not update SCO's internal information for password aging.

    That may make it unusable for the client as they are on a 90-day cycle to
    require users to set new passwords.

    --

    Steve Fabac
    S.M. Fabac & Associates
    816/765-1670

  17. Re: Password History

    On Wed, Aug 27, 2008 at 09:09:12PM -0500, Steve M. Fabac, Jr. wrote:
    > Joe Chasan wrote:
    > >
    > > On Wed, Aug 20, 2008 at 12:46:15AM -0700, bonixsas@gmail.com wrote:
    > > > On 19 Aug, 21:49, Joe Chasan wrote:
    > > > > On Tue, Aug 19, 2008 at 07:36:35AM -0700, bonix...@gmail.com wrote:
    > > > > > On 15 Aug, 21:45, Joe Chasan wrote:
    > > > > > > Any easy way to implement password history - e.g. user can't re-use last X
    > > > > > > passwords, where X is a configurable parameter?
    > > > >
    > > > > > > After an IT audit, auditors were surprised this was not implemented in
    > > > > > > SCO OpenServer (6.0/mp2)
    > > > >
    > > > > > One option you have is to script around goodpw(ADM) to
    > > > > > implement this. See the man page at:
    > > > >
    > > > > >http://osr600doc.sco.com/en/man/html...oodpw.ADM.html
    > > > >
    > > > > not sure what you are suggesting - if i wrote my own script wraparound
    > > > > to goodpw to also check to my own homegrown history tool after regular
    > > > > goodpw checks, wouldn't i have to store stuff in plain text?
    > > >
    > > > Joe,
    > > >
    > > > You have the option to use crypt(S) if you wish?

    > >
    > > yes, true - i guess my real issue is whether a homegrown hack of my
    > > own would suffice when it was expected it to be provided by application
    > > OS. All this came up via an IT audit by outside auditor Ernst & Young.
    > > They ask for copies of files, settings, etc, as proof of all and i guess
    > > they expect features common in windows world.
    > >
    > > --
    > > -Joe Chasan- Magnatech Business Systems, Inc.
    > > joe - at - magnatechonline -dot- com Hicksville, NY - USA
    > > http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264

    >
    > Joe,
    >
    > Have a look at npasswd-2.05.


    I had looked at npasswd a while back - my main concern is if i used
    something other than passwd(C) to change password that such changes would
    not be reflected in the tcb file reports that users get from scoadmin menu.

    > The following is a copy of a submission I sent to Ron Record at SCO asking
    > him to consider adding npasswd to the SCO Skunkware library and describing the
    > problems I encountered trying to compile it myself.
    >
    > I got password somewhat working but had problems so I never installed it on
    > my client's system. It does have a configurable password history depth
    > setting to prevent users from reusing passwords
    >
    > -------- Original Message --------
    > Subject: Submit npasswd-2.05 for possible addition to SCO Skunkware library
    > Date: Fri, 08 Sep 2006 17:17:05 -0500
    > From: "Steve M. Fabac, Jr."
    > Organization: S.M. Fabac & Associates
    > To: rr@sco.com
    >
    > Ron:
    >
    > I spoke to you at SCO Forum 2006 about adding npasswd-2.05 to the
    > SCO Skunkware library and you asked me to mail my results in trying to
    > compile it.
    >
    > With the changes below, I have a somewhat working version of npasswd.
    > However, it breaks the SCO symlink structure on /etc/passwd, /etc/shadow,
    > and /etc/group when it is used to change a user's password.
    >
    > Npasswd-2.05 does not like the SCO symlink structure and requires that
    > when you run "sh Configure" you specify the target of /etc/passwd
    > symlink (enter /var/opt/K/SCO/Unix/5.0.7Hw/etc/passwd) when answering
    > the Configure script:
    >
    > > ### Including support for System 5 shadow passwords
    > >
    > > ### Found passwd files
    > > "/etc/passwd"
    > >
    > > Change passwd file list? [n] y
    > > Enter passwd file names, end with blank line
    > > Passwd file: [-] /var/opt/K/SCO/Unix/5.0.7Hw/etc/passwd

    >
    > Also, I had to specify additional libraries:
    > > On some systems, mostly System V Release 3's, the shared library is included
    > > by putting the option "-lc_s" as the last thing on the cc command line when
    > > linking. Other systems use shared libraries by default. There may be other
    > > libraries needed to compile npasswd on your machine as well. If your system
    > > needs the "-lc_s" option, include it here. Include any other special libraries
    > > here as well. Say "none" for none.
    > >
    > > Any additional libraries? [-lsocket -lndbm -lc_s -lrpcsvc]

    >
    > Most other questions I accepted the default except for NIS and
    > "Replace system programs?":
    >
    > > ### This system has NIS (YP).
    > >
    > > Do you want to include NIS support? [y] n
    > >
    > > There are some functions that npasswd cannot perform, or
    > > are best done by the vendor passwd/chfn/chsh programs.
    > >
    > > These will be moved to a restricted access area if
    > > you choose the "replace system programs" option.
    > >
    > > Replace system programs? [y] n

    >
    >
    > Ooops, while compiling this list, I walked through the changes in
    > my new working directory /tmp/npasswd-2.05 to verify that everything
    > works and I get this error that I don't remember getting on my
    > system running with MP4 (currently have MP5 installed after removing
    > MP4)
    >
    > > cc -c -DNO_PROTOTYPE -D_NO_PROTO -DOS_NAME=sco_sv -DOS_MAJOR_VERSION=3 -
    > > DOS_MINOR_VERSION=2 -I.. -I../.. -I../Common -Icracklib -O pwck_local.c
    > > UX:i386acomp: ERROR: "/usr/include/netdb.h", line 98: error: missing operand

    >
    > I verified the problem by running "make clean" and then make in my original
    > development directory: /app2/cd/npasswd/npasswd-2.05:
    >
    > > /bin/rm -f pwck_local.o
    > > cc -c -DNO_PROTOTYPE -D_NO_PROTO -DOS_NAME=sco_sv -DOS_MAJOR_VERSION=3 -
    > > DOS_MINOR_VERSION=2 -I.. -I../.. -I../Common -Icracklib -g -DCDEBUG=1 pwck_loca
    > > l.c
    > > UX:i386acomp: ERROR: "/usr/include/netdb.h", line 98: error: missing operand

    >
    > So I need to find netdb.h distributed with MP4 and check to see what is the difference.
    > Well, that's not the problem: I extracted netdb.h from MP4 and it is identical to
    > netdb.h in MP5. I'll have to keep looking but I'll ship this e-mail off to you.
    >
    > In addition, npasswd-2.05 does not interface with the SCO TCB data files.
    >
    > If I search for TCB in the distro's files, I find a reference to OSF1
    > but I don't know how to find the information to add the check for
    > SCO TCB and the right calls:
    >
    > # find . -type f -print | xargs grep TCB
    > ./npasswd-2.05/src/compatibility.h:# define OSF1_TCB "/tcb"
    > ./npasswd-2.05/src/PasswordCheck/hist_osf.c: if (access(OSF1_TCB, 0) < 0)
    > /* AuthDB not in use */
    > ./npasswd-2.05/src/PasswordCheck/hist_osf.c: if (access(OSF1_TCB, 0) < 0)
    > /* AuthDB not in use */
    > ./npasswd-2.05/src/Common/pw_svc.c: if (access(OSF1_TCB, 0) == 0) {
    > #
    >
    >
    >
    >
    > < Orig npasswd-2.05 is unpacked from tar archive, no other changes
    > mi
    > npasswd-2.05 modified) is latest version with smf modifications >
    > (may also represent configuration changes created when running
    > sh Configure in the top level npasswd-2.05 build tree)
    >
    >
    >
    >
    > Compatibility.h modified to add SCO PATHSIZE for undefined npasswd MAXPATHLEN
    >
    > I don't remember why I commented out I_SYS_TIME except as cut and try to
    > track down why npasswd clears TZ and stamps records in GMT time.
    >
    >
    >
    > 90c90
    > < #ifdef I_SYS_TIME
    > ---
    > > /*#ifdef I_SYS_TIME */

    > 92c92
    > < #else
    > ---
    > > /*#else

    > 94c94
    > < #endif
    > ---
    > > #endif */
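    Review bot: the edits at 90, 92 and 94 disable the I_SYS_TIME conditional by wrapping it in comments, and the second comment runs from `/*#else` through `#endif */`, so line 93 (the else branch) is swallowed and line 91 is compiled unconditionally on every platform. If the aim is only to force one branch on SCO, set or clear I_SYS_TIME where the build defines it instead of editing the header; since the accompanying text says the reason for this change is no longer remembered, consider dropping it from the patch.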

    > 156a157,160
    > > #endif
    > >
    > > #ifndef MAXPATHLEN
    > > # define MAXPATHLEN PATHSIZE

    >
    >
    >
    >
    > Likewise, the modifications to main.c are an attempt to have npasswd respect the
    > system TZ value set and not stamp password change times in GMT
    >
    > < orig ./npasswd-2.05/src/main.c /app2/cd/npasswd/./npasswd-2.05/src/main.c (modified)>
    > 51a52,53
    > > #include
    > > #include

    > 68a71
    > > private char *bob;

    > 609a613,614
    > > char *ip;
    > > char *TZ = "NZ=TESTME";

    > 639a645
    > > ip = getenv ("TZ"); /* save TZ from environment */

    > 640a647,649
    > > sprintf(TZ, "TZ=%s", ip);
    > > putenv (TZ ); /* restoe TZ to environment */
    > >
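    Review bot: `sprintf(TZ, "TZ=%s", ip)` at 647 writes into the string literal that `TZ` was pointed at in the 613 hunk (`char *TZ = "NZ=TESTME";`), which is undefined behaviour and leaves room for only 10 bytes including the NUL; with the `CST6CDT` value shown later in this message, `TZ=CST6CDT` already needs 11. `ip` is also used unchecked, so an unset TZ passes NULL to `%s`. Use a static `char` array large enough for the value (putenv keeps the pointer, so the storage must outlive the call), bound the write, and skip the putenv when `getenv("TZ")` returns NULL.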

    >
    >
    >
    > The following modifications are an attempt to prevent npasswd using GMT time
    > stamp on the "time of password change"
    >
    > < orig ./npasswd-2.05/src/passwd.c /app2/cd/npasswd/./npasswd-2.05/src/passwd.c (modified)>
    > 119c119,121
    > < lt = gmtime(&theUser->pwage.last_change);
    > ---
    > > lt = ctime(&theUser->pwage.last_change);
    > > lt = ctime(&theUser->pwage.last_change);
    > > /* lt = gmtime(&theUser->pwage.last_change); smf */
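    Review bot: the replacement at 119 assigns the result of `ctime()` to `lt`, which the original line filled from `gmtime()`; `ctime()` returns a formatted `char *`, not a `struct tm *`, so any later field access through `lt` reads string bytes as a structure. The local-time counterpart of `gmtime()` is `localtime()`. The new assignment is also duplicated on the following line.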

    > 171c173,174
    > < lt = (struct tm *)gmtime(&timen);
    > ---
    > > /* lt = (struct tm *)gmtime(&timen); smf mod */
    > > lt = (struct tm *)ctime(&timen);
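    Review bot: the `(struct tm *)` cast kept on `ctime(&timen)` at 174 only silences the compiler about a pointer-type mismatch, because `ctime()` returns `char *`. `localtime(&timen)` returns the `struct tm *` that the original `gmtime()` line supplied and needs no cast.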

    > 240a244,246
    > > /* Add code to test for min change time
    > > * if found the print message and die
    > > */

    >
    >
    >
    > Same for modifications to pwck_history.c use local TZ and not GMT.
    > "it is not old enough\n" modification to pretty up output.
    >
    > < orig ./npasswd-2.05/src/PasswordCheck/pwck_history.c /app2/cd/npasswd/./npasswd-2.05/src/PasswordCheck/pwck_history.c (modified)>
    > 65a66,67
    > >
    > >

    > 74a77
    > > #include

    > 100a104,107
    > > /* extern time_t timezone, altzone;
    > > extern int daylight;
    > > extern char *tzname[2];
    > > char bob ; */

    > 102c109,110
    > < #define MSG_REUSE "it is not old enough (last used %s)"
    > ---
    > >
    > > #define MSG_REUSE "it is not old enough\n(last used %s)"

    > 500c508
    > <
    > ---
    > > tzset();

    > 502c510,512
    > < pwtime = (time_t )atol(t);
    > ---
    > > /* pwtime = atol(t); */
    > > pwtime = (time_t )atol(t);
    > > /* bob = (time_t )atol(t); */

    > 505c515,516
    > < char *ct = ctime(&pwtime);
    > ---
    > > /* char *ct = asctime(localtime(&pwtime)); */
    > > char *ct = ctime(&pwtime);

    > 506a518
    > > printf("Hello, world! timezone = %d %d \n", timezone, pwtime );
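    Review bot: the `printf("Hello, world! ...")` added at 518 is debugging output left inside the history check, so it will be shown to users changing their password. It also prints `timezone` and `pwtime` with `%d`, although the lines above treat both as `time_t`, which is a format mismatch wherever `time_t` is wider than `int`. Remove it before installing, or guard it behind the CDEBUG define used in the Makefile.local changes and print with `%ld` and a `(long)` cast.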

    > 508c520
    > < (void) sprintf(mesg, MSG_REUSE, &ct[4]);
    > ---
    > > (void) sprintf(mesg, MSG_REUSE, &ct[4] );

    >
    >
    >
    >
    > Hist_dbm.c GMT time vs local TZ again.
    >
    > < orig ./npasswd-2.05/src/PasswordCheck/hist_dbm.c /app2/cd/npasswd/./npasswd-2.05/src/PasswordCheck/hist_dbm.c (modified)>
    > 67a68
    > > #include

    >
    >
    >
    >
    > IMPORTANT: The following change solves the malloc error in
    > npasswd-2.05.tar.gz distro
    >
    > < orig ./npasswd-2.05/src/Common/split.c /app2/cd/npasswd/./npasswd-2.05/src/Common/split.c (modified)>
    > 213c213
    > < (unsigned )strlen(string)); /* String data */
    > ---
    > > (unsigned )strlen(string) + 1); /* String data */
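    Review bot: the `+ 1` at 213 is the terminating NUL that `strlen()` does not count, so the original size argument was one byte short for the string data it is labelled as holding. Say so in the comment (for example `/* String data + NUL */`) and check the other size arguments of this call and any similar allocation in split.c for the same omission; an off-by-one heap write in a program that rewrites /etc/passwd and /etc/shadow is worth reporting upstream and not only carrying as a local change.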

    >
    >
    >
    >
    >
    > The following differences relate to specifying DEBUG in Configuration:
    >
    > < orig ./npasswd-2.05/src/Makefile.local /app2/cd/npasswd/./npasswd-2.05/src/Makefile.local (modified)>
    > 0a1,2
    > > X_LOCAL_CFLAGS = -i -DCDEBUG=1
    > > X_COPT=
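    Review bot: `X_LOCAL_CFLAGS = -i -DCDEBUG=1` in src/Makefile.local uses `-i` where the other four Makefile.local files in this patch use `-g`; if that is a typo, fix it so every directory builds the same way. These are debug settings, per the sentence introducing them, so they should be taken out again before a binary built from this tree is installed in place of /bin/passwd.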

    >
    >
    >
    >
    > < orig ./npasswd-2.05/src/Common/Makefile.local /app2/cd/npasswd/./npasswd-2.05/src/Common/Makefile.local (modified)>
    > 0a1,2
    > > X_LOCAL_CFLAGS = -g -DCDEBUG=1
    > > X_COPT=

    >
    >
    >
    > < orig ./npasswd-2.05/src/Methods/Makefile.local /app2/cd/npasswd/./npasswd-2.05/src/Methods/Makefile.local (modified)>
    > 0a1,2
    > > X_LOCAL_CFLAGS = -g -DCDEBUG=1
    > > X_COPT=

    >
    >
    >
    >
    > < orig ./npasswd-2.05/src/PasswordCheck/cracklib/Makefile.local /app2/cd/npasswd/./npasswd-2.05/src/PasswordCheck/cracklib/Makefile.local (modified)>
    > 0a1,2
    > > X_LOCAL_CFLAGS = -g -DCDEBUG=1
    > > X_COPT=

    >
    >
    >
    >
    >
    > < orig ./npasswd-2.05/src/PasswordCheck/Makefile.local /app2/cd/npasswd/./npasswd-2.05/src/PasswordCheck/Makefile.local (modified)>
    > 0a1,2
    > > X_LOCAL_CFLAGS = -g -DCDEBUG=1
    > > X_COPT=

    >
    >
    > Excerpt of last message posted on the comp.unix.sco.misc news group
    > Included for additional information only. The changes above to
    > solve the malloc problem were installed on May 5.
    >
    > -------- Original Message --------
    > Subject: Need help trying to compile npasswd-2.05
    > Date: Tue, 02 May 2006 19:45:53 GMT
    > From: "Steve M. Fabac, Jr."
    > Organization: S.M. Fabac & Associates
    > To: distribution@xenitec.on.ca
    > Newsgroups: comp.unix.sco.misc
    >
    > I am trying to compile npasswd-2.05 on SCO 5.0.7:
    >
    > ||*GNU Development Tools (ver 5.0.7g) ||
    > || SCO OpenServer Enterprise System (ver 5.0.7Hw) ||
    > || SCO OpenServer Linker and Application Development Libraries (ver 5.2.0Aa) ||
    > || SCO Symmetrical Multiprocessing (ver 1.1.1Hw) ||
    > || Samba 3.0.20a File and Print Server (ver 3.0.20Ab) ||
    > || Squid Proxy Cache 2.5.STABLE12 (ver 5.0.7Hd) ||
    > || SCO OpenServer Release 5.0.7 Maintenance Pack 4 (ver 1.0.0Lb)
    >
    > and with Bela's suggestions on libraries, have gotten it to compile but
    > it does not work properly and dumps core when used to change a user's password
    > for the second time.
    >
    > The reason for investigating npasswd is to obtain the facility to prevent
    > users from re-using any of their last four passwords.
    >
    > I ran ./Configure and worked through the steps to configure the make script
    > with choices as seemed appropriate. Most things I left at default as discovered
    > by Configure but I specified "NO" to replace system files: With "NO" make install
    > creates /usr/lib/passwd and installs npasswd and its support utilities therein.
    > With "YES" make install will replace /bin/passwd with the compiled npasswd
    > executable and move the OS passwd and support files to /usr/lib/passwd/system
    > where it will call them as needed.
    >
    > With the changes I made to get npasswd to compile, the /usr/lib/passwd/npasswd
    > executable will change a user's password (updating /etc/passwd & /etc/shadow) but
    > not changing the tcb passwd information:
    >
    > Sun Apr 30 23:46:31 CDT 2006
    > # npasswd smf
    >
    >
    > Changing password for smf on unix.smfabac.com
    > New password (? for help):
    > New password (again):
    > Local password changed for smf on unix.smfabac.com
    > Local password aging changed for smf on unix.smfabac.com
    > # date
    > Sun Apr 30 23:47:00 CDT 2006
    > # echo $TZ
    > CST6CDT
    > #
    > # userls -A -l smf
    > smf {pw_name smf} {pw_uid 200} {loginGroup group} {pw_gid 50} {pw_di
    > r /u/smf} {pw_shell /bin/sh} {groups group} {groupsForLogins {}} {auditFlags {0
    > 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0}} {mode 16877} {noPassword 0} {comment {St
    > eve Fabac; S.M. Fabac & Associates 816-765-1670}} {passwdSuccessfulChangeTime 11
    > 46441600} {lastSuccessfulLoginTime 1146441600} {administrativeLockApplied 0} {pa
    >
    > # l -lt /etc/passwd
    > -rw-rw-r-- 1 bin auth 1006 Apr 30 23:52 /etc/passwd@
    >
    > # cat history.pag
    > n SrBINT9XC30Mw,1146458817smf
    >
    > Converting 1146458817 UNIX time results in: Mon, 1 May 2006 04:46:57 UTC
    >
    >
    > The above output of userls shows that the passwdSuccessfulChangeTime is 1146441600 and is the
    > same as the lastSuccessfulLoginTime (?). Converting from UNIX time to date
    > calculator I get: Mon, 1 May 2006 00:00:00 UTC with scoadmin -> account manager
    > showing:
    >
    > |
    > | +------------------ unix: User Password Expiration: smf -------------------+ |
    > | | |||
    > | | Last Successful Change: Sun Apr 30 19:00:00 CDT 2006 |||
    >
    > So npasswd does not update SCO's internal information for password aging.
    >
    > That may make it unusable for the client as they are on a 90-day cycle to
    > require users to set new passwords.
    >
    > --
    >
    > Steve Fabac
    > S.M. Fabac & Associates
    > 816/765-1670
    >

    --
    -Joe Chasan- Magnatech Business Systems, Inc.
    joe - at - magnatechonline -dot- com Hicksville, NY - USA
    http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264
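The exchange quoted in this post (a homegrown history check wrapped around goodpw, using crypt(S) instead of plain text) comes down to storing only salted hashes and re-hashing each candidate against the last X of them. A sketch of that check, added here and not part of the thread or of npasswd; the file format, the function names and the use of PBKDF2 in place of crypt(S) are assumptions of the example:

```python
import hashlib
import hmac
import os
import time

HISTORY_DEPTH = 4        # "last X passwords"; 4 is the depth mentioned in the thread
PBKDF2_ROUNDS = 100_000  # assumed work factor; raise it as far as the host tolerates


def digest(password, salt):
    """Slow salted hash, so the history file never holds a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def load_history(path):
    """Parse 'user:unixtime:salt_hex:hash_hex' lines into {user: [entries]}, oldest first."""
    history = {}
    try:
        with open(path, "r", encoding="ascii") as fh:
            for line in fh:
                try:
                    user, ts, salt_hex, hash_hex = line.rstrip("\n").split(":")
                    entry = (int(ts), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
                except ValueError:
                    continue  # skip damaged lines instead of aborting the change
                history.setdefault(user, []).append(entry)
    except FileNotFoundError:
        pass  # first use: no history yet
    return history


def save_history(path, history):
    """Rewrite the file atomically with mode 0600. Assumes one change runs at a time."""
    real = os.path.realpath(path)  # write to the link target so a symlink at `path` survives
    tmp = "%s.%d.tmp" % (real, os.getpid())
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        for user, entries in history.items():
            for ts, salt, hashed in entries:
                fh.write("%s:%d:%s:%s\n" % (user, ts, salt.hex(), hashed.hex()))
    os.replace(tmp, real)


def is_reused(history, user, candidate, depth=HISTORY_DEPTH):
    """True if `candidate` matches any of the user's last `depth` passwords."""
    if depth < 1:
        raise ValueError("history depth must be at least 1")
    reused = False
    for _ts, salt, hashed in history.get(user, [])[-depth:]:
        # Re-hash with each stored salt; constant-time compare, no early exit.
        if hmac.compare_digest(digest(candidate, salt), hashed):
            reused = True
    return reused


def change_password(path, user, candidate, depth=HISTORY_DEPTH, now=None):
    """Reject a reused password; otherwise record it and trim the history to `depth`."""
    history = load_history(path)
    if is_reused(history, user, candidate, depth):
        return False
    salt = os.urandom(16)
    stamp = int(time.time() if now is None else now)
    entries = history.setdefault(user, [])
    entries.append((stamp, salt, digest(candidate, salt)))
    del entries[:-depth]  # keep only the newest `depth` entries
    save_history(path, history)
    # The system's own password change would be invoked here, after the check passes.
    return True
```

Because each entry carries its own salt, the file cannot be compared against directly; the candidate has to be hashed once per remembered password, which is what bounds the useful history depth.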

  18. Re: Password History


    Joe Chasan wrote:
    > Any easy way to implement password history - e.g. user can't re-use last X
    > passwords, where X is a configurable parameter?
    >
    > After an IT audit, auditors were surprised this was not implemented in
    > SCO OpenServer (6.0/mp2)
    >


    Maybe you could appease your auditors by replacing Telnet etc with SSH
    using public key authentication?

    --
    RGB

  19. Re: Password History

    Joe Chasan wrote:
    > On Wed, Aug 27, 2008 at 09:09:12PM -0500, Steve M. Fabac, Jr. wrote:
    >> Joe Chasan wrote:
    >>> On Wed, Aug 20, 2008 at 12:46:15AM -0700, bonixsas@gmail.com wrote:
    >>>> On 19 Aug, 21:49, Joe Chasan wrote:
    >>>>> On Tue, Aug 19, 2008 at 07:36:35AM -0700, bonix...@gmail.com wrote:
    >>>>>> On 15 Aug, 21:45, Joe Chasan wrote:
    >>>>>>> Any easy way to implement password history - e.g. user can't re-use last X
    >>>>>>> passwords, where X is a configurable parameter?
    >>>>>>> After an IT audit, auditors were surprised this was not implemented in
    >>>>>>> SCO OpenServer (6.0/mp2)
    >>>>>> One option you have is to script around goodpw(ADM) to
    >>>>>> implement this. See the man page at:
    >>>>>> http://osr600doc.sco.com/en/man/html...oodpw.ADM.html
    >>>>> not sure what you are suggesting - if i wrote my own script wraparound
    >>>>> to goodpw to also check to my own homegrown history tool after regular
    >>>>> goodpw checks, wouldn't i have to store stuff in plain text?
    >>>> Joe,
    >>>>
    >>>> You have the option to use crypt(S) if you wish?
    >>> yes, true - i guess my real issue is whether a homegrown hack of my
    >>> own would suffice when it was expected it to be provided by application
    >>> OS. All this came up via an IT audit by outside auditor Ernst & Young.
    >>> They ask for copies of files, settings, etc, as proof of all and i guess
    >>> they expect features common in windows world.
    >>>
    >>> --
    >>> -Joe Chasan- Magnatech Business Systems, Inc.
    >>> joe - at - magnatechonline -dot- com Hicksville, NY - USA
    >>> http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264

    >> Joe,
    >>
    >> Have a look at npasswd-2.05.

    >
    > I had looked at npasswd a while back - my main concern is if i used
    > something other than passwd(C) to change password that such changes would
    > not be reflected in the tcb file reports that users get from scoadmin menu.


    Exactly my concern and why I submitted my work to Ron at SCO as a candidate
    for inclusion in the Skunkware library. With Ron's experience and resources,
    he should be able to modify npasswd to update the TCB files. Npasswd suggests
    that it is possible as the test for OSF1 tcb is listed in its code.

    I'm not a C programmer and the changes I muddled through were hard won with
    help from Bela and others.

    I don't know if Ron is still at SCO or if there is any interest at SCO in
    adding new programs to Skunkware. Anyone interested in npasswd might encourage
    its addition by sending a vote for it to rr@sco.com

    >
    >> The following is a copy of a submission I sent to Ron Record at SCO asking
    >> him to consider adding npasswd to the SCO Skunkware library and describing the
    >> problems I encountered trying to compile it myself.
    >>
    >> I got password somewhat working but had problems so I never installed it on
    >> my client's system. It does have a configurable password history depth
    >> setting to prevent users from reusing passwords

    ....
    >> In addition, npasswd-2.05 does not interface with the SCO TCB data files.
    >>
    >> If I search for TCB in the distro's files, I find a reference to OSF1
    >> but I don't know how to find the information to add the check for
    >> SCO TCB and the right calls:
    >>
    >> # find . -type f -print | xargs grep TCB
    >> ./npasswd-2.05/src/compatibility.h:# define OSF1_TCB "/tcb"
    >> ./npasswd-2.05/src/PasswordCheck/hist_osf.c: if (access(OSF1_TCB, 0) < 0)
    >> /* AuthDB not in use */
    >> ./npasswd-2.05/src/PasswordCheck/hist_osf.c: if (access(OSF1_TCB, 0) < 0)
    >> /* AuthDB not in use */
    >> ./npasswd-2.05/src/Common/pw_svc.c: if (access(OSF1_TCB, 0) == 0) {
    >> #

    ....
    > --
    > -Joe Chasan- Magnatech Business Systems, Inc.
    > joe - at - magnatechonline -dot- com Hicksville, NY - USA
    > http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264
    >
    >


    --
    Steve Fabac
    S.M. Fabac & Associates
    816/765-1670

  20. Re: Password History

    Steve M. Fabac, Jr. wrote:
    > Joe Chasan wrote:
    >> On Wed, Aug 27, 2008 at 09:09:12PM -0500, Steve M. Fabac, Jr. wrote:
    >>> Joe Chasan wrote:
    >>>> On Wed, Aug 20, 2008 at 12:46:15AM -0700, bonixsas@gmail.com wrote:
    >>>>> On 19 Aug, 21:49, Joe Chasan wrote:
    >>>>>> On Tue, Aug 19, 2008 at 07:36:35AM -0700, bonix...@gmail.com wrote:
    >>>>>>> On 15 Aug, 21:45, Joe Chasan wrote:
    >>>>>>>> Any easy way to implement password history - e.g. user can't
    >>>>>>>> re-use last X
    >>>>>>>> passwords, where X is a configurable parameter?
    >>>>>>>> After an IT audit, auditors were surprised this was not
    >>>>>>>> implemented in
    >>>>>>>> SCO OpenServer (6.0/mp2)
    >>>>>>> One option you have is to script around goodpw(ADM) to
    >>>>>>> implement this. See the man page at:
    >>>>>>> http://osr600doc.sco.com/en/man/html...oodpw.ADM.html
    >>>>>> not sure what you are suggesting - if i wrote my own script
    >>>>>> wraparound
    >>>>>> to goodpw to also check to my own homegrown history tool after
    >>>>>> regular
    >>>>>> goodpw checks, wouldn't i have to store stuff in plain text?
    >>>>> Joe,
    >>>>>
    >>>>> You have the option to use crypt(S) if you wish?
    >>>> yes, true - i guess my real issue is whether a homegrown hack of my
    >>>> own would suffice when it was expected it to be provided by application
    >>>> OS. All this came up via an IT audit by outside auditor Ernst &
    >>>> Young.
    >>>> They ask for copies of files, settings, etc, as proof of all and i
    >>>> guess
    >>>> they expect features common in windows world.
    >>>>
    >>>> --
    >>>> -Joe Chasan- Magnatech Business Systems, Inc.
    >>>> joe - at - magnatechonline -dot- com Hicksville, NY - USA
    >>>> http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516)
    >>>> 931-1264
    >>> Joe,
    >>>
    >>> Have a look at npasswd-2.05.

    >>
    >> I had looked at npasswd a while back - my main concern is if i used
    >> something other than passwd(C) to change password that such changes would
    >> not be reflected in the tcb file reports that users get from scoadmin
    >> menu.

    >
    > Exactly my concern and why I submitted my work to Ron at SCO as a candidate
    > for inclusion in the Skunkware library. With Ron's experience and
    > resources,
    > he should be able to modify npasswd to update the TCB files. Npasswd
    > suggests
    > that it is possible as the test for OSF1 tcb is listed in its code.
    >
    > I'm not a C programmer and the changes I muddled through were hard won with
    > help from Bela and others.
    >
    > I don't know if Ron is still at SCO or if there is any interest at SCO in
    > adding new programs to Skunkware. Anyone interested in npasswd might
    > encourage
    > its addition by sending a vote for it to rr@sco.com


    Has anyone *mirrored* the Skunkware site, even privately? Aren't they at risk
    as a consequence of the SCO lawsuits?
