You want to check that all login passwords in your system password database are strong.
Use John the Ripper, a password-cracking utility from the Openwall Project (http://www.openwall.com). After the software is installed, run:
# cd /var/lib/john
# umask 077
# unshadow /etc/passwd /etc/shadow > mypasswords
# john mypasswords
Cracked passwords will be written into the file john.pot. Cracked username/password pairs can be shown after the fact (or during cracking) with the -show option:
# john -show mypasswords
You can instruct john to crack the passwords of only certain users or groups with the options -users:u1,u2,... or -groups:g1,g2,..., e.g.:
# john -users:smith,jones,akhmed mypasswords
Running john with no options will print usage information.
SuSE distributes John the Ripper, but Red Hat does not. If you need it, download the software in source form for Unix from http://www.openwall.com/john, together with its signature, and check the signature before proceeding. [Recipe 7.15]
Unpack the source:
$ tar xvzpf john-*.tar.gz
Prepare to compile:
$ cd `ls -d john-* | head -1`/src
$ make
This will print out a list of targets for various systems; choose the appropriate one for your host, e.g.:
linux-x86-any-elf Linux, x86, ELF binaries
and run make to build your desired target, e.g.:
$ make linux-x86-any-elf
Install the software, as root:
# cd ../run
# mkdir -p /usr/local/sbin
# umask 077
# cp -d john un* /usr/local/sbin
# mkdir -p /var/lib/john
# cp *.* mailer /var/lib/john
Then use the recipe we've provided.
By default, Red Hat 8.0 uses MD5-hashed passwords stored in /etc/shadow, rather than the traditional DES-based crypt() hashes stored in /etc/passwd; this is effected by the md5 and shadow directives in /etc/pam.d/system-auth:
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
The unshadow command gathers the account and hash information together again for cracking. This information should not be publicly available for security reasons (that's why it is split up in the first place), so be careful with this re-integrated file. If your passwords change, you will have to re-run the unshadow command to build an up-to-date password file for cracking.
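To make concrete what unshadow and the -show option above actually do with the two files, here is an added example (not part of the recipe and not code from John the Ripper): a minimal shell re-implementation of the passwd/shadow merge, a filter that drops locked accounts from the audit, and a "-show"-style join of john.pot against the merged file. All the passwd, shadow and john.pot lines in it are constructed sample data with placeholder hashes, and the function names (merge_shadow, crackable_only, show_cracked) are this example's own.

```shell
#!/bin/sh
# Added example, not from the recipe or from John the Ripper: what unshadow
# does, a filter for accounts that cannot be cracked, and a "-show"-style
# join of john.pot against the merged file. All input below is constructed.
umask 077   # the merged file carries hashes: keep it private, as the recipe does

# merge_shadow PASSWDFILE SHADOWFILE
# Prints passwd lines with field 2 ("x") replaced by the hash from shadow.
merge_shadow() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }   # first file (shadow): remember hash per user
        ($1 in hash) { $2 = hash[$1] }      # second file (passwd): substitute the hash
        { print }
    ' "$2" "$1"
}

# crackable_only < MERGEDFILE
# Drops empty and locked (!, !!, *) password fields; john would skip them
# anyway, but filtering makes the audit scope explicit in the file you keep.
crackable_only() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/'
}

# show_cracked POTFILE MERGEDFILE
# john.pot lines are "hash:plaintext"; print "user:plaintext" for every
# account whose hash appears in the pot file (the plaintext may itself
# contain colons, so split on the first colon only).
show_cracked() {
    awk -F: '
        NR == FNR { i = index($0, ":"); plain[substr($0, 1, i - 1)] = substr($0, i + 1); next }
        ($2 in plain) { print $1 ":" plain[$2] }
    ' "$1" "$2"
}

# Constructed sample data; the hashes are placeholders, not real digests.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
smith:x:1000:1000:J. Smith:/home/smith:/bin/bash
jones:x:1001:1001::/home/jones:/bin/bash
svc:x:1002:1002:service:/var/svc:/sbin/nologin'
SAMPLE_SHADOW='root:$1$saltroot$PLACEHOLDERROOT:12345:0:99999:7:::
smith:$1$saltsmth$PLACEHOLDERSMITH:12345:0:99999:7:::
jones:$1$saltjone$PLACEHOLDERJONES:12345:0:99999:7:::
svc:!!:12345:0:99999:7:::'
# Constructed john.pot: pretend john recovered smith's password.
SAMPLE_POT='$1$saltsmth$PLACEHOLDERSMITH:letmein'

demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" > "$d/passwd"
    printf '%s\n' "$SAMPLE_SHADOW" > "$d/shadow"
    printf '%s\n' "$SAMPLE_POT"    > "$d/john.pot"
    merge_shadow "$d/passwd" "$d/shadow" | crackable_only > "$d/mypasswords"
    echo "accounts to audit: $(wc -l < "$d/mypasswords" | tr -d ' ')"
    show_cracked "$d/john.pot" "$d/mypasswords"     # smith:letmein
    rm -rf "$d"
}
demo
```

Because merge_shadow works on whatever passwd/shadow pair it is given, the same function can be run once per host and the outputs concatenated, which is the multi-machine workflow described later in this recipe; the umask at the top matters for exactly the reason the text gives, since the merged file is as sensitive as /etc/shadow itself.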
In general, cracking programs use dictionaries of common words when attempting to crack a password, trying not only the words themselves but also permutations, misspellings, alternate capitalizations, and so forth. The default dictionary (/var/lib/john/password.lst) is small, so obtain larger ones for effective cracking. Also, add words appropriate to your environment, such as the names of local projects, machines, companies, and people. Some available dictionaries are:
Concatenate your desired word lists into a single file, and point to it with the wordlist directive in /var/lib/john/john.ini.
john operates on a file of account records, so you can gather the password data from many machines and process them in one spot. You must ensure, however, that they all use the same hashing algorithms compiled into the version you built on your cracking host. For security, it might be wise to gather your account databases, then perform the cracking on a box off the network, in a secure location.
There are other crackers available, notably Crack by Alec Muffet. [Recipe 9.2] We feature John the Ripper here not because it's necessarily better, but because it's simpler to use on Red Hat 8.0, automatically detecting and supporting the default MD5 hashes.
See the doc directory of the John the Ripper distribution for full documentation and examples.
Learn about Alec Muffet's Crack utility at http://www.cryptcide.org/alecm/security/c50-faq.html.
The Red Hat Guide to Password Security is at http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-wstation-pass.html.