Perl scripts for password maintenance

Tarun Upadhyay tarun at poboxes.com
Tue Jun 15 09:10:44 GMT 1999


Well, attached are the 5 files. Two are notes from our sysadmins on the scripts
and the other three are the scripts.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pass.pl
Type: application/octet-stream
Size: 13446 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/19990615/539f1541/pass.obj
-------------- next part --------------
Samba Admin Stuff
-----------------

This is sorta disorganised - You folks will have to plug in the loopholes.

Apart from the standard installation we have :

1. smbserv.pl running on desh - the server daemon to sync/enable smb
passwords. This requires the PlRPC and Net::Daemon perl packages to be
installed on the server - smbclnt.pl also requires these two packages to
be installed on the cluster. The modus operandi is :

a. Server is running on port () on desh.

b. Client runs and makes an RPC call to the server; the server forks a new
process to handle the request. The choice to fork was made because if some
malicious client just started and refused to shut down the connection, the
server would not be free to handle another request.

c. Client gets the current password, and sends it to the server, along
with the userid.

d. Server runs identd (RFC 1142) authentication on the client (requires the
Net::identd perl package installed). In case the client userid does not
match the one sent by the client, the server reports an error. Hence csu96173
cannot change/enable csu96126's password by spoofing the packet.

e. Server verifies the userid and password from its passwd database.

f. If this succeeds, the server (running as root) runs smbpasswd to set the
samba password.

NOTE : 
i. Logs of smbserv.pl go to /var/log/smbpasswd.
ii. Logs of samba activities go to /var/log/smb/<machinename>
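The server-side checks from steps d, e and f, written as an added example in taint mode (this is not smbserv.pl from the post). It assumes the caller has already taken the identd answer, the claimed userid and the password out of the RPC request, that the passwd database exposes crypt() hashes to the root-run server, and an smbpasswd install path that is a placeholder.

```perl
#!/usr/bin/perl -T
# Added example, not the post's script: steps d-f of smbserv.pl under -T.
use strict;
use warnings;

# Taint mode refuses to exec anything while PATH is untrusted.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $SMBPASSWD = '/usr/local/samba/bin/smbpasswd';   # assumed path, adjust

# The userid arrives in an attacker-controlled RPC payload: only a
# conservative login-name pattern is allowed through to smbpasswd.
sub untaint_user {
    my ($u) = @_;
    return defined $u && $u =~ /\A([a-z][a-z0-9]{0,15})\z/ ? $1 : undef;
}

# Returns (1, $user) on success, (0, $reason) otherwise.
sub authorise {
    my ($ident_user, $claimed_user, $password) = @_;
    my $user = untaint_user($claimed_user)
        or return (0, 'malformed userid');
    # step d: identd's answer must agree with the userid in the request
    return (0, "identd says " . ($ident_user // '<none>') . ", request says $user")
        unless defined $ident_user && $ident_user eq $user;
    # step e: check the password against the passwd database (crypt hash)
    my $hash = (getpwnam($user))[1];
    return (0, 'unknown user or hash not visible')
        unless defined $hash && length $hash > 1;
    return (0, 'bad password') unless crypt($password, $hash) eq $hash;
    return (1, $user);
}

# step f: list-form open() never passes through a shell, and the password
# goes to smbpasswd on stdin (-s) instead of the command line or argv.
sub set_smb_password {
    my ($user, $password) = @_;
    open(my $smb, '|-', $SMBPASSWD, '-s', '-e', $user)
        or die "cannot run smbpasswd: $!";
    print $smb "$password\n$password\n";
    close($smb);
    return $? == 0;
}

# Usage inside the forked request handler:
#   my ($ok, $what) = authorise($ident_user, $req_user, $req_password);
#   $ok ? set_smb_password($what, $req_password) : warn "refused: $what\n";
```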


2. pass.pl - Not much about this - just runs expect scripts to yppasswd
and smbpasswd. Hence requires the IO::Tty, IO::Stty, and Expect modules to be
loaded. The rules are under the sub goodenough.

Things to do :
--------------
1. Install the required modules on the servers - currently they are loaded
from my home.
2. passwd should be a symlink to pass.pl
3. Load the smbpasswd and /etc/profiles/ on sri/poorvi/megh/bahar - required
for smbpasswd to run.

Security Blues :
---------------
1. I think we should be running with the perl -T (taint) option.
2. passwords sent by smbclnt.pl are unencrypted - I don't expect people to
sniff over our internal lan. But we could load an MD5 or some sort of
module and then encrypt the passwords.
3. I have trapped the more common signals in pass.pl - hence the password
is erased from the variable space ensuring a clean exit.
4. Since perl has dynamic stacks (:-)) - these programs cannot be stack
smashed. Besides, except smbserv.pl on desh, none of the other scripts run
as root/suid root.

Wish List :
-----------

The scripts were part elegant/part dirty coding from my part to get
things up. There are several areas that need finishing touches, so before
it comes in as fan mail, here's the wish list (hope some of you can help me
work on it.) :

1. pass.pl : Use pipes directly instead of expect scripts. Will help get
rid of the three modules required for expect.

2. Anyone keen to take up rpm packaging/coding - Would make the task of
installing the perl modules and the scripts easier.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smbserv.pl
Type: application/octet-stream
Size: 2696 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/19990615/539f1541/smbserv.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smbclnt.pl
Type: application/octet-stream
Size: 1047 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/19990615/539f1541/smbclnt.obj
-------------- next part --------------
Samba Info on CSEUNIX NT domain
-------------------------------

1. Enabling your samba login : Currently all user logins (unless already
enabled) are disabled. To enable your login run
/usr/local/bin/smbclnt.pl (or just smbclnt.pl, if it is in your path). It
synchronises / enables the samba password with the NIS password.

2. Changing your password : Use /usr/local/bin/pass.pl. Acts as a wrapper
over yppasswd and smbpasswd to change both NIS and samba passwords. It
verifies the old passwd against the current NIS (unix) passwd - hence
works only if the NIS and smb passwords are identical. Also has rules to
disallow weak passwords. (Do I hear 'compliments' of frustration in
choosing a new password ?)


NOTE : 

1. DO NOT change your password using the Windows change password
facility - telnet to a Linux machine and use the perl script to change
your password.

2. The scripts are bound to have some bugs. Mail me (mau94319 at cse.iitd.ernet.in) with the
error message/problem.

