Page 1 of 2
Password Validation
Posted: Wed Sep 22, 2004 10:23 am
by denzilsyb
hallo all
to my amazement today i typed in the username and password to log onto the datastage server via the client and logged in. OK, that was expected; although I knew i had typed the password incorrectly
.
i.e.
username: dsadm
password: passwor (it is supposed to be
password)
it turns out that i can type anything as the last letter _/xK2 etc etc. My question is then - how is this being validated on UNIX? How on earth am i getting past the password validation?
Posted: Wed Sep 22, 2004 12:43 pm
by kduke
What version of UNIX? Just curious. I want to try it here.
Posted: Wed Sep 22, 2004 12:46 pm
by kduke
By the way the encryption algorithms are supposed to be one way meaning they excrypt what you type in and compare it to what is stored in /etc/passwd or your shadow file. The algorithms are supposed to be different outside of the USA. So your problem should not be valid inside of the USA.
Posted: Wed Sep 22, 2004 4:12 pm
by ray.wurlod
Failed here (Australia) with "user name/password incorrect (80011)". Operating system is AIX 5L 5.2, DataStage 7.1. Only the fully correct password would be accepted. Then again, my correct password is only seven characters. Hmm...
Posted: Wed Sep 22, 2004 11:42 pm
by denzilsyb
kduke wrote:What version of UNIX
yes - something i should have added in my first post! Sun Solaris 9, Sparc Generic_117171-05, netra-T12.
I tried it again this morning just to make sure i was not high on coffee when i posted the concern. Its still happening! I even tried with a SSH session and surprise surprise i can put whatever i want in the as last letter.
kduke wrote:The algorithms are supposed to be different outside of the USA. So your problem should not be valid inside of the USA.
this is an interesting piece of information. except for security, what would be the reason for this?
ray.wurlod wrote:Then again, my correct password is only seven characters
this one is 9 characters long, with the last one being uppercase 3
I am going to have to let the administrators know, hopefully they will put Sun on full alert - or something.
Posted: Thu Sep 23, 2004 2:58 am
by denzilsyb
denzilsyb wrote:ray.wurlod wrote:Then again, my correct password is only seven characters
this one is 9 characters long, with the last one being uppercase 3
fancy that - solaris is only interested in the first 8 characters.
Posted: Thu Sep 23, 2004 6:44 am
by lebos
AIX only looks at 8. And I'm in the US.
I'm no expert, but I thought that was a Unix standard.
Larry
Posted: Thu Sep 23, 2004 9:49 am
by ogmios
UNIX passwords are pretty good protection, DataStage is worse: encrypted passwords as arguments to jobs can be reversed at will
So if you give a log file to anyone containing the encrypted password in it, that person can reverse engineer the password.
Ogmios
Posted: Thu Sep 23, 2004 9:53 am
by denzilsyb
ogmios wrote:
So if you give a log file to anyone containing the encrypted password in it, that person can reverse engineer the password.
what? would you mind expanding on this? Or are you just saying that the log file has the password as blatant as daylight - or is there a trick to handling decrypting the encryption?
Posted: Thu Sep 23, 2004 9:58 am
by ogmios
what? would you mind expanding on this? Or are you just saying that the log file has the password as blatant as daylight - or is there a trick to handling decrypting the encryption?
UNIX uses single way encryption, only the encrypted version is stored and there's no decryption... you login again, the new password is encrypted and the system checks the 2 encrypted versions, if they match you get in.
DataStage can use encryption for parameters but if you use that password to access e.g. a database DataStage also has to be able to decrypt the password and send it to the database server. So there is a decryption routine somewhere in DataStage.
It takes you about half an hour to reverse engineer how the passwords are encrypted and maybe another half hour to write a decryption routine.
Let's do a game.... give me an encrypted DataStage string and I will decrypt it.
Ogmios
Posted: Thu Sep 23, 2004 10:03 am
by denzilsyb
ogmios wrote:
Let's do a game.... give me an encrypted DataStage string and I will decrypt it.
only if you post the routine on decrypting :D
here you go:
Posted: Thu Sep 23, 2004 10:05 am
by ogmios
=
I'm not going to post the code, I don't know how "happy" Ascential would be about that. But let's just say the encryption is not very strong in this one.
Try encrypting "11111111", "abcdefghijklmno", "aaaaaaaa" and you will soon see a pattern.
Ogmios
Posted: Thu Sep 23, 2004 10:09 am
by denzilsyb
not bad. at least say where the encryption/decryption algorithm is. that way you are not making the horse drink the water.
Posted: Thu Sep 23, 2004 10:17 am
by ogmios
I don't know where it is... I just wrote my own
. 1 character gets "encrypted" to 3 characters and by using some small table lookups you can encrypt/decrypt easily.
Ogmios
Posted: Thu Sep 23, 2004 8:30 pm
by trokosz
Actually authenticating is not prevented, but "logging in" is. Since DataStage does not, you are not prevented from authenticating to the system.