Password Validation


denzilsyb
Participant
Posts: 186
Joined: Mon Sep 22, 2003 7:38 am
Location: South Africa

Password Validation

Post by denzilsyb »

hallo all

To my amazement, today I typed in the username and password to log onto the DataStage server via the client and logged in. OK, that was expected, although I knew I had typed the password incorrectly :shock: .

i.e.

username: dsadm
password: passwor (it is supposed to be password)

It turns out that I can type anything as the last letter: _/xK2 etc. etc. My question is then: how is this being validated on UNIX? How on earth am I getting past the password validation?
dnzl
"what the thinker thinks, the prover proves" - Robert Anton Wilson
kduke
Charter Member
Posts: 5227
Joined: Thu May 29, 2003 9:47 am
Location: Dallas, TX

Post by kduke »

What version of UNIX? Just curious. I want to try it here.
Mamu Kim
kduke
Charter Member
Posts: 5227
Joined: Thu May 29, 2003 9:47 am
Location: Dallas, TX

Post by kduke »

By the way, the encryption algorithms are supposed to be one way, meaning they encrypt what you type in and compare it to what is stored in /etc/passwd or your shadow file. The algorithms are supposed to be different outside of the USA. So your problem should not be valid inside of the USA.
Mamu Kim
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

Failed here (Australia) with "user name/password incorrect (80011)". Operating system is AIX 5L 5.2, DataStage 7.1. Only the fully correct password would be accepted. Then again, my correct password is only seven characters. Hmm...
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
denzilsyb
Participant
Posts: 186
Joined: Mon Sep 22, 2003 7:38 am
Location: South Africa

Post by denzilsyb »

kduke wrote: What version of UNIX?
Yes, something I should have added in my first post! Sun Solaris 9, SPARC Generic_117171-05, netra-T12.

I tried it again this morning just to make sure I was not high on coffee when I posted the concern. It's still happening! I even tried with an SSH session and, surprise surprise, I can put whatever I want as the last letter.
kduke wrote: The algorithms are supposed to be different outside of the USA. So your problem should not be valid inside of the USA.

This is an interesting piece of information. Except for security, what would be the reason for this?
ray.wurlod wrote: Then again, my correct password is only seven characters
This one is 9 characters long, with the last one being uppercase 3 :roll:

I am going to have to let the administrators know, hopefully they will put Sun on full alert - or something.
dnzl
"what the thinker thinks, the prover proves" - Robert Anton Wilson
denzilsyb
Participant
Posts: 186
Joined: Mon Sep 22, 2003 7:38 am
Location: South Africa

Post by denzilsyb »

denzilsyb wrote:
ray.wurlod wrote: Then again, my correct password is only seven characters
This one is 9 characters long, with the last one being uppercase 3 :roll:
Fancy that, Solaris is only interested in the first 8 characters.
dnzl
"what the thinker thinks, the prover proves" - Robert Anton Wilson
lebos
Participant
Posts: 74
Joined: Mon Jan 20, 2003 10:02 am
Location: USA

Post by lebos »

AIX only looks at 8. And I'm in the US.

I'm no expert, but I thought that was a Unix standard.

Larry
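The eight-character cut-off that lebos and denzilsyb observe is a property of the traditional DES-based crypt(3) scheme, which derives its DES key from at most the first eight characters of the password, so anything typed after them never influences the stored hash. As an added example (not code from this thread, from DataStage, or from any of the posters), here is a small Python audit that parses shadow-style lines and reports which accounts still use a hash scheme that ignores part of the password; the function names are mine and the sample lines are constructed placeholders, not real hashes.

```python
import re
from dataclasses import dataclass
from typing import Optional
# crypt(3) "$id$" prefixes and the longest password prefix each scheme uses (None = no cut-off).
SCHEMES = {
    "$1$": ("md5crypt", None), "$5$": ("sha256crypt", None),
    "$6$": ("sha512crypt", None), "$y$": ("yescrypt", None),
    "$2a$": ("bcrypt", 72), "$2b$": ("bcrypt", 72), "$2y$": ("bcrypt", 72),
}
# A traditional DES hash has no prefix: exactly 13 crypt-alphabet characters (2 salt + 11 digest).
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

@dataclass
class Finding:
    user: str
    scheme: str               # hash scheme name, or "nologin" / "unknown"
    max_used: Optional[int]   # password characters the scheme actually uses

def classify(user: str, field: str) -> Finding:
    # Empty, "*" or "!"-prefixed fields mean password login is not possible at all.
    if field == "" or field[0] in "!*":
        return Finding(user, "nologin", None)
    for prefix, (name, limit) in SCHEMES.items():
        if field.startswith(prefix):
            return Finding(user, name, limit)
    if DES_RE.match(field):   # old DES crypt: only the first 8 characters matter
        return Finding(user, "descrypt", 8)
    return Finding(user, "unknown", None)

def audit_shadow(text: str) -> list:
    # Shadow format is user:hash:lastchg:min:max:warn:inactive:expire:flag
    rows = [ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#")]
    return [classify(r[0], r[1]) for r in rows if len(r) >= 2]

def truncating_accounts(text: str, password_length: int = 9) -> list:
    # Users whose stored hash would ignore part of a password this long.
    return [f.user for f in audit_shadow(text)
            if f.max_used is not None and f.max_used < password_length]

# Constructed sample lines: placeholder hash values in the right format, not real ones.
SAMPLE_SHADOW = """\
dsadm:aa4Kq9pTz3XbE:12345:0:99999:7:::
ray:$6$salt1234$PlaceholderSha512CryptDigest0123456789:12345:0:99999:7:::
svc:*:12345:0:99999:7:::
larry:!aa4Kq9pTz3XbE:12345:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.user:6} {f.scheme:12} uses at most {f.max_used or 'all'} chars")
```

Run against a real shadow file (as root) it lists the accounts that should be migrated to a modern scheme before a longer password policy can mean anything.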
ogmios
Participant
Posts: 659
Joined: Tue Mar 11, 2003 3:40 pm

Post by ogmios »

UNIX passwords are pretty good protection, DataStage is worse: encrypted passwords as arguments to jobs can be reversed at will :wink:
So if you give a log file to anyone containing the encrypted password in it, that person can reverse engineer the password.

Ogmios
denzilsyb
Participant
Posts: 186
Joined: Mon Sep 22, 2003 7:38 am
Location: South Africa

Post by denzilsyb »

ogmios wrote: So if you give a log file to anyone containing the encrypted password in it, that person can reverse engineer the password.
What? Would you mind expanding on this? Or are you just saying that the log file has the password as blatant as daylight, or is there a trick to decrypting the encryption?
dnzl
"what the thinker thinks, the prover proves" - Robert Anton Wilson
ogmios
Participant
Posts: 659
Joined: Tue Mar 11, 2003 3:40 pm

Post by ogmios »

denzilsyb wrote: What? Would you mind expanding on this? Or are you just saying that the log file has the password as blatant as daylight, or is there a trick to decrypting the encryption?
UNIX uses one-way encryption: only the encrypted version is stored and there's no decryption... when you log in again, the new password is encrypted and the system compares the 2 encrypted versions; if they match you get in.

DataStage can use encryption for parameters but if you use that password to access e.g. a database DataStage also has to be able to decrypt the password and send it to the database server. So there is a decryption routine somewhere in DataStage.

It takes you about half an hour to reverse engineer how the passwords are encrypted and maybe another half hour to write a decryption routine.

Let's play a game... give me an encrypted DataStage string and I will decrypt it. :wink:

Ogmios
denzilsyb
Participant
Posts: 186
Joined: Mon Sep 22, 2003 7:38 am
Location: South Africa

Post by denzilsyb »

ogmios wrote: Let's play a game... give me an encrypted DataStage string and I will decrypt it. :wink:
Only if you post the routine for decrypting :D

here you go:

Code:

LE9@1KVHO9;M0G5I=9J<@K@F
dnzl
"what the thinker thinks, the prover proves" - Robert Anton Wilson
ogmios
Participant
Posts: 659
Joined: Tue Mar 11, 2003 3:40 pm

Post by ogmios »

Code:

LE9@1KVHO9;M0G5I=9J<@K@F
=
hardcopy
I'm not going to post the code, I don't know how "happy" Ascential would be about that. But let's just say the encryption is not very strong in this one.

Try encrypting "11111111", "abcdefghijklmno", "aaaaaaaa" and you will soon see a pattern.

Ogmios
denzilsyb
Participant
Posts: 186
Joined: Mon Sep 22, 2003 7:38 am
Location: South Africa

Post by denzilsyb »

:shock:

Not bad. At least say where the encryption/decryption algorithm is; that way you are not making the horse drink the water.
dnzl
"what the thinker thinks, the prover proves" - Robert Anton Wilson
ogmios
Participant
Posts: 659
Joined: Tue Mar 11, 2003 3:40 pm

Post by ogmios »

I don't know where it is... I just wrote my own :wink:. 1 character gets "encrypted" to 3 characters and by using some small table lookups you can encrypt/decrypt easily.

Ogmios
trokosz
Premium Member
Posts: 188
Joined: Thu Sep 16, 2004 6:38 pm

Post by trokosz »

Actually, authenticating is not prevented, but "logging in" is. Since DataStage does not, you are not prevented from authenticating to the system.