Date: Thu, 28 Feb 2008 13:31:40 -0800
From: Andrew Sharp <andy.sharp@onstor.com>
To: "Eric Barrett" <eric.barrett@onstor.com>
Cc: "Narain Ramadass" <narain.ramadass@onstor.com>, "Tim Gardner"
 <tim.gardner@onstor.com>, "dl-Cougar" <dl-Cougar@onstor.com>, "Sripal
 Surendiran (HCL)" <sripal.surendiran@onstor.com>, "Sudharsan Srinivasan"
 <sudharsan@onstor.com>
Subject: Re: Cougar migration issue
Message-ID: <20080228133140.2f08277e@ripper.onstor.net>
In-Reply-To: <BB375AF679D4A34E9CA8DFA650E2B04E089F15B9@onstor-exch02.onstor.net>
References: <BB375AF679D4A34E9CA8DFA650E2B04E04344BF1@onstor-exch02.onstor.net>
	<BB375AF679D4A34E9CA8DFA650E2B04E12BFA8@onstor-exch02.onstor.net>
	<BB375AF679D4A34E9CA8DFA650E2B04E089F1523@onstor-exch02.onstor.net>
	<BB375AF679D4A34E9CA8DFA650E2B04E089F1569@onstor-exch02.onstor.net>
	<BB375AF679D4A34E9CA8DFA650E2B04E089F15B9@onstor-exch02.onstor.net>
Organization: Onstor
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Thu, 28 Feb 2008 10:05:35 -0800 "Eric Barrett"
<eric.barrett@onstor.com> wrote:

> Well, crypt() is one-way -- so we don't know the password.  (crypt()
> is a misnomer; it's actually generating a hash.)  Password

I think hash is the misnomer, but anyway....

The security hole only exists for the moment that we are doing the
migration and we ask the user to enter new passwords because we can't
verify the old ones.  Ideally what we want to do is ask the user to
enter the old passwords, verify they are correct, and then set the
new passwd/shadow entries appropriately.  But for reasons of practicality
all we can do is prompt the user for new ones and "trust" that the user
doing the migration is not a malicious hacker on the loose bent on
creating an FMD (Filer of Mass Destruction).

I don't see any reason to not prompt the user for new passwords at
migration time.  I think someone mentioned just leaving the system
with default passwords and hope the customer remembers to change them or
read the migration guide and change them.  No reason I can think of to
take that route.

> authentication works by hashing the password the user typed in and
> seeing if it matches the hash that's on record.  In a competent
> password scheme, you can't go from the hash back to the plaintext.
> 
> Even on BSD, we can't convert the Blowfish hash over to MD5, because
> that would require knowing the original plaintext.  (Unless there's
> some cryptological wiz-fu I'm missing here.)  You can really only
> implement Blowfish as a PAM module (I'm assuming), or go with what
> Tim suggested and have the users re-type all passwords.  I'd favor
> the former but of course it would require time which we may not have
> -- not my call.

There's only two passwords at play here, root and admin.  Shouldn't be
a big deal.

BTW, I crossed paths with someone who knows how to search for such
things, and he showed me a web site that listed our default root
password.  Is there any part of our FTI or migration process that
forces the customer to set a new root password?  It's very important
that we do that.

> 
> -----Original Message-----
> From: Narain Ramadass 
> Sent: Thursday, February 28, 2008 9:38 AM
> To: Eric Barrett; Tim Gardner; dl-Cougar
> Cc: Sripal Surendiran (HCL); Sudharsan Srinivasan
> Subject: RE: Cougar migration issue
> 
> Eric,
> 
> If we know the password we have to crypt - we can continue to use MD5
> and put in the appropriate hash in the passwd file for the
> corresponding accounts like we do today for BSD - just that it will
> be a different algorithm. Why do you say we need to know how to crypt
> them? I am sorry
> - can't follow!
> 
> I was hoping that we'd get our customers to change the default
> passwords immediately after the migration. As for hackers - there is
> still a password even if it's not really hard to figure out :-)
> 
> As for blowfish - Sripal investigated that very briefly - apparently
> there is a blowfish PAM (password authentication module) available for
> Linux - but we did not get enough time to complete the investigation
> as it was critical at the time that we be ready for the mightydog
> upgrade. 
> 
> Given time, I'm sure we can figure something out (regarding using
> blowfish on Linux) - but there are a few unknowns here and it is
> possible we may conclude at the end of the investigation that this
> simply cannot be done :-)
> 
> Narain.
> 
> -----Original Message-----
> From: Eric Barrett 
> Sent: Thursday, February 28, 2008 9:05 AM
> To: Narain Ramadass; Tim Gardner; dl-Cougar
> Cc: Sripal Surendiran (HCL); Sudharsan Srinivasan
> Subject: RE: Cougar migration issue
> 
> We can't expire them because it still requires knowing how to crypt()
> the password, which apparently the Linux libraries can't do with the
> BSD format.  Otherwise you're opening up the accounts for J. Random
> Hacker to log in and change them himself.  (Unlikely, yes, but still a
> consideration, especially since we have customers who run their boxes
> on the public Internet.)
> 
> 
> -----Original Message-----
> From: Narain Ramadass
> Sent: Thursday, February 28, 2008 7:37 AM
> To: Tim Gardner; dl-Cougar
> Cc: Sripal Surendiran (HCL); Sudharsan Srinivasan
> Subject: RE: Cougar migration issue
> 
> Tim,
> 
> Another alternative we had discussed last time was to reset the
> passwords for the root and admin accounts to their ONStor defaults and
> add an expiry date for the password such that the next login by the
> respective users would force them to change the password.
> 
> I do not believe that we store anything except admin and root in the
> passwd file - but then ONStor-created IDs show up to BSD as "admin".
> Therefore if I logged in as "ndmp", "who" run from BSD would show an
> instance of "admin" having logged in. This may need a bit of testing
> and validation IMHO.
> 
> My 2c.
> 
> Narain.
> 
> 
> -----Original Message-----
> From: Tim Gardner
> Sent: Wed 2/27/2008 11:53 PM
> To: dl-Cougar
> Cc: Sripal Surendiran (HCL); Sudharsan Srinivasan
> Subject: Cougar migration issue
>  
> Folks,
>  
> There is a migration issue regarding the password file.
> The format (blowfish) used on BSD is not supported on our Linux
> distribution.
> How important is this?
> Do we store any passwords in this file other than the passwords for
> the admin and root users?
> If not, would it be sufficient to just prompt the user for these
> passwords during migration?
>  
> Tim
>  
> 
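
The pre-migration check this thread circles around, as an added example that is not part of the original e-mails or of ONStor's code: it reads a BSD master.passwd, names each account's hash scheme from its modular-crypt prefix, and marks which accounts must be prompted for a new password because a one-way hash cannot be converted. The function names, the sample entries, and the assumption that the Linux target verifies MD5-crypt only are hypothetical.

```python
# Hypothetical pre-migration check: which master.passwd hashes survive the move?
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
           "2": "blowfish", "2a": "blowfish", "2b": "blowfish", "2y": "blowfish"}

# Assumption: the Linux target verifies MD5-crypt only, as the thread implies.
TARGET_SUPPORTED = {"md5-crypt"}

# Constructed sample in BSD master.passwd layout (10 colon-separated fields).
# The hash strings are made-up placeholders, not real password hashes.
SAMPLE = """\
root:$2a$04$CONSTRUCTEDSALTxxxxxxxCONSTRUCTEDHASHxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
admin:$2a$04$CONSTRUCTEDSALTyyyyyyyCONSTRUCTEDHASHyyyyyyyyyyyyyyyyy:1000:1000::0:0:Admin:/home/admin:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
svc:$1$CONSTRSALT$CONSTRUCTEDMD5HASHxxxxx:1001:1001::0:0:Service:/nonexistent:/bin/sh
"""

def scheme_of(pw_field):
    """Name the hash scheme from the modular-crypt prefix of a password field."""
    if pw_field == "":
        return "empty"
    if pw_field.startswith(("*", "!")):
        return "locked"
    if pw_field.startswith("$"):
        parts = pw_field.split("$")  # "$2a$04$..." -> ["", "2a", "04", "..."]
        return SCHEMES.get(parts[1], "unknown") if len(parts) >= 3 else "unknown"
    return "des-crypt"  # no "$" prefix: traditional DES crypt or similar

def plan_migration(master_passwd_text, supported=TARGET_SUPPORTED):
    """Map each account to (scheme, action) for the migration."""
    plan = {}
    for line in master_passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"not a master.passwd line: {fields[0]!r}")
        scheme = scheme_of(fields[1])
        if scheme == "locked":
            action = "keep-locked"
        elif scheme in supported:
            action = "copy-hash"            # target can verify it unchanged
        else:
            action = "prompt-new-password"  # one-way hash: cannot be converted
        plan[fields[0]] = (scheme, action)
    return plan

if __name__ == "__main__":
    for user, (scheme, action) in plan_migration(SAMPLE).items():
        print(f"{user:8} {scheme:12} {action}")
```

Running it against the real file before migration also answers the question of whether any account other than root and admin carries a password hash.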
