-----BEGIN PGP SIGNED MESSAGE-----

________________________________________________________________________________

                  Silicon Graphics Inc. Security Advisory

        Title:   Password-less accounts
        Title:   CERT Advisory CA-95:15 - SGI lp Vulnerability
        Number:  19951002-01-I
        Date:    November 27, 1995
________________________________________________________________________________

Silicon Graphics provides this information freely to the SGI community
for its consideration, interpretation and implementation. Silicon
Graphics recommends that this information be acted upon as soon as
possible.

Silicon Graphics will not be liable for any consequential damages arising
from the use of, or failure to use or use properly, any of the
instructions or information in this Security Advisory.
________________________________________________________________________________

It has reached the attention of SGI and the CERT Coordination Center that
the community is unaware of the existence and use of password-less
accounts on newly installed systems. Because these accounts are initially
password-less and are not given passwords when the system is set up, they
are being left open and used to gain access to the systems.

Passwords are one of the primary tools for providing for the security of
a system. The use of and guidelines for passwords need to be clearly
defined as part of a site's security policy. As pointed out in the CERT
advisory, *ALL* accounts on a system need to 1) have a password and
2) have a properly chosen password.

A properly chosen password is one that cannot be easily guessed or
discovered. For example, a 2-character password is much easier to
discover by brute-force sequential guessing than a 6-character password.
Furthermore, passwords should not be obvious: a user's name, a family
member's name, the name of the company, a favorite item, activity or
saying, or any commonplace word found in a dictionary.
In the "IRIX Advanced Site and Server Administrative Guide", the "System
Security" chapter, there is a section on selecting passwords.

New Silicon Graphics systems are distributed with several accounts, such
as the lp account, without passwords to provide easy "plug-and-play"
installation and operation. These accounts, and the fact that they do not
initially have passwords, are documented in the SGI documentation shipped
with each system, specifically the "IRIX Advanced Site and Server
Administrative Guide" in the chapter on "System Security."

- ----------------
- --- Solution ---
- ----------------

To reveal *ANY* local account on the system which does not have a
password (NIS accounts are not recognized), the following command can be
used as root:

   # /bin/passwd -sa | /usr/bin/awk '$2 == "NP" {print $0}'

The output may appear something like this:

   lp        NP   9     9     /usr/spool/lp          /bin/sh
   tutor     NP   994   997   /usr/tutor             /bin/csh
   demos     NP   993   997   /usr/demos             /bin/csh
   guest     NP   998   998   /usr/people/guest      /bin/csh
   4Dgifts   NP   999   998   /usr/people/4Dgifts    /bin/csh
   jack      NP   1110  20    /usr/people/jack       /bin/csh
   jill      NP   1111  20    /usr/people/jill       /bin/csh
   backdoor  NP   1112  20    /usr/people/backdoor   /bin/csh

The "NP" notation indicates the account has no password. In the example
here, not only does the lp account have no password, but so do other
accounts, including some user accounts (jack, jill, backdoor).

It is recommended that *ANY* account found without a password either be
assigned a password, be locked, or be removed if the account is no longer
in use.

To lock an account, a system administrator places the string "*LK*" in
the password field of the account in the /etc/passwd file. With this
"*LK*" string in the password field it is not possible to log into the
account.

   ************
   *** NOTE ***
   ************

Locking accounts can disable certain services and/or "plug-and-play"
operations.
For example, if this system is to provide remote tape drive or printer
services for other systems, certain accounts such as guest or lp will
need to be open with no password, or a .rhosts file will need to be set
up for these accounts. The use of the .rhosts file is covered in the
manual page for hosts.equiv(4) and the "IRIX Advanced Site and Server
Administration Guide."

To lock an account, the passwd command is used with the -l option. For
more information on locking accounts and other password management
options, refer to the manual page on passwd(1) or the "IRIX Advanced Site
and Server Administration Guide" available on-line with InSight(1).

To lock all accounts without a password, the following script can be
used. Save the script into a file and then execute the file with the
/bin/sh command as root.

   #####--->>> WARNING <<<---#####

Be sure the root account already has a chosen and assigned password and
is not an open account, as the root account will be locked by this
process if it does not.

------------------------cut here--8<------------------------
#!/bin/sh
# Lock every local account whose password status is "NP" (no password).
for account in `/bin/passwd -sa | /usr/bin/awk '$2 == "NP" {print $1}'`
do
    /bin/echo Locked the $account account
    /bin/passwd -l $account
done
------------------------cut here--8<------------------------

The above procedure will also work if shadow passwords are used.

If NIS accounts are used on the system, efforts need to be taken to
ensure those accounts also have passwords. See the manual page on
yppasswd(1), or the "IRIX Advanced Site and Server Administration Guide"
or "NIS Administration Guide" available on-line with InSight(1).

- -----------------------
- --- Acknowledgments ---
- -----------------------

SGI commends the CERT Coordination Center on their continued efforts in
informing the community regarding security matters and appreciates their
efforts on this particular issue.
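The following is an added worked example of the check-and-lock procedure from the Solution section above; it is not SGI's script. It parses constructed `passwd -sa` style status output (the sample lines and the allow-list argument are assumptions), lists the NP accounts, refuses to proceed when root itself is password-less (the WARNING above), lets a site keep accounts such as lp open by policy for "plug-and-play" services, and prints the `passwd -l` commands for the rest rather than running them, so the result can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not SGI's script: audit `passwd -sa` style status output
# for password-less ("NP") accounts and produce the lock commands.

# Constructed sample of `passwd -sa` output (fields: name status uid gid
# home shell), modelled on the advisory's example. On a real system this
# would come from: /bin/passwd -sa
SAMPLE_STATUS='root PS 0 0 / /bin/sh
lp NP 9 9 /usr/spool/lp /bin/sh
guest NP 998 998 /usr/people/guest /bin/csh
jack PS 1110 20 /usr/people/jack /bin/csh
backdoor NP 1112 20 /usr/people/backdoor /bin/csh'

# np_accounts STATUS: print the login names whose status field is NP.
np_accounts() {
    printf '%s\n' "$1" | awk '$2 == "NP" { print $1 }'
}

# root_is_open STATUS: succeed (exit 0) if root itself has no password.
root_is_open() {
    printf '%s\n' "$1" |
        awk '$1 == "root" && $2 == "NP" { found = 1 }
             END { if (found) exit 0; exit 1 }'
}

# lock_commands STATUS KEEP: print one "/bin/passwd -l NAME" line per NP
# account, except names in the space-separated KEEP list (accounts a site
# must leave open, e.g. "lp guest" for remote printing). Refuses to run
# when root is password-less, since a blind lock loop would lock root too.
lock_commands() {
    status="$1"
    keep=" $2 "
    if root_is_open "$status"; then
        echo "refusing: root has no password; assign one before locking" >&2
        return 1
    fi
    for account in $(np_accounts "$status"); do
        case "$keep" in
            *" $account "*) echo "# kept open by policy: $account" ;;
            *)              echo "/bin/passwd -l $account" ;;
        esac
    done
}

# Usage on a real system (as root): review the output, then pipe it into sh.
#   lock_commands "$(/bin/passwd -sa)" "lp"
lock_commands "$SAMPLE_STATUS" "lp"
```

With the sample input and "lp" kept open, the script prints a comment line for lp and lock commands for guest and backdoor; with a status listing in which root is NP it prints nothing and returns non-zero.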
- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

Past SGI Advisories and security patches can be obtained via anonymous
FTP from sgigate.sgi.com. These are provided freely to all interested
parties.

For assistance obtaining or working with security patches, please contact
your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com.

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or by contacting your SGI support provider.

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBMLtEVbQ4cFApAP75AQHyUAQAiLmS96NpknF8OAiL5QxivAuMNWner5XS
DN4o96FEYvTsR4gWotwLxF8vqxxyfiQGwpRaGu1b9Dvut3CsQbG7U8SackB8t3Cv
Y8cwKYSwpI0YNw7mrdW7WHRrQRaK+ZPIhhCjD9+S8tIu9svNV6xVgBtjR6W1XMrB
5LoEK59UcM8=
=BP0y
-----END PGP SIGNATURE-----