Anlpasswd

Evaluation Completed :  July 31st, 1997

Name

Anlpasswd

Release Information

Support

Functionality

A proactive password checker that checks the password keyed in by the user against a sorted list of all the words that Crack will generate and given a set of input dictionaries. The user can key in a password if and only if that password cannot be cracked by a full run of crack.

Requirements

Supported for the following Unix flavours

SunOS & Solaris

Documentation

The Installation Guide, README's and a paper.

Installing Anlpasswd

The Installation procedure was not very straight forward.( as with most public domain tools). However you can follow this installation guide per se instead of reinventing the wheel.

1. Unpack the tar file anlpasswd-2.3.tar.Z into a directory
2. Make the following changes to the anlpasswd file in the perl directory
1. Go to the anlpasswd/perl directory
2. Change $accounts to your email id
$accounts = "balasujs@cs.purdue.edu"
3. Change @legal_shells to all the shells in /etc/shells
@legal_shells = ('/usr/local/bin/tcsh', '/usr/bin/ksh', '/bin/csh', '/bin/sh')
4. Specify the place perl has to look for the include files of anlpasswd
unshift(@INC, "/home/balasujs/tools/anlpasswd/perl")
5. Specify the location of the dictionaries
$dictdir = "/home/balasujs/tools/anlpasswd/mongodict";# location of dictionaries
$bigdict = "$dictdir/bigdict"; # large list of words
6. Specify the location of the ypstuff executable
$ypstuffdir = "/home/balasujs/tools/anlpasswd/bin"; # location of ypstuff executable
7. Specify the location of the ypstuff executable
$ypstuffdir = "/home/balasujs/tools/anlpasswd/bin"; # location of ypstuff executable
3. Put the anlpasswd file in a directory crossmounted across all unix systems
4. Chmod the anlpasswd file
chmod 600 anlpasswd
5. Make the following links in the anlpasswd directory
ln -s anlpasswd passwd
ln -s anlpasswd yppasswd
6. Go to /bin directory and mv the actual passwd file into another file
cd /bin
mv passwd passwd.orig
chmod 644 passwd.orig
7. Make the following changes to the anlpasswd/c-routines/suidwrap.c file to the constants PASSWD_ACTUAL and YPPASSWD_ACTUAL
#define PASSWD_ACTUAL "/home/balasujs/tools/anlpasswd/perl/passwd"
#define YPPASSWD_ACTUAL "/home/balasujs/tools/anlpasswd/perl/yppasswd" cd /bin
8. Type make in the anlpasswd/c-routines directory and copy the suidwrap program in place of the actual /bin/passwd program. Do the following as root
cp suidwrap /bin/passwd
cd /bin
chmod 4111 passwd
ln -s passwd yppasswd
9. Copy anlpasswd/c-routines/ypstuff to the location chosen in 2 .7
10. Now to generate the comprehensive dictionary. Go to anlpasswd/mongodict and follow the instructions in the README.

Problems Faced

1. The makefile in the anlpasswd/c-routines directory requires the following change
add -lnsl to the link line after -lrpcsvc
2. Comment out the perl directive require "look.pl" in the file anlpasswd/perl/anlpasswd
#require "look.pl";
3. Make the following changes to the file anlpasswd/c-routines/suidwrap.c
Before : execve("/usr/local/bin/perl", eargv, envp);
After : execve("/usr/local/perl/bin/perl", eargv, envp);
4. Make the following changes to the Makefile in the dictionary directory
Before : CRACKSRC=/mcs/source/crack/v4.1/Sources
After : CRACKSRC=/scratch/usr/local/crack-4.1/Sources
Before : DICTDIR=/mcs/source/DICTIONARIES/RAW
After : DICTDIR=/scratch/usr/local/crack-4.1/Dicts/
Before : CC=cc
After : CC=gcc(could be avoided; however I use gcc)

Starting anlpasswd

1. Invoke the new /bin/passwd program and the anlpasswd program will take effect. Alternatively invoke the passwd executable in the directory you have placed it.

Problems Faced

1. Currently a lot of redundant display information is present.All this can be removed. You can merely comment the relevant printf statements.
2. The generation of bigdict takes a lot of time

Evaluation Details

The Good News :

1. Only tool of its kind
2. May totally eliminate the need for crack runs if properly installed
3. Uses a fast binary seraching technique and does not seem to take too long for locating hits and misses
4. Source code freely available and can be modified to our needs
5. Crack sources and the big dictionary already available on account of the crack runs

The Bad News :

1. A public domain tool. Support for the tool is always questionable (Though I found that the email address provided works and they do answer your questions)
2. The tool only checks the new passwords. No corrective action is taken for the old passwords that are still there. May have to think of aging the existing passwords.
3. Need to replace the /bin/passwd program of the Unix programming environment. Ramifications have to be discussed.
4. The program did accept some very simple words. May be avoided by using a more comprehensive dictionary than what we have.
5. Has a requirement that the password should be atleast 6 characters long. Must be increased to 8.
6. Installation is not very easy and straightforward
7. The tool takes a long time to generate bigdict which is a comprehensive collection of all dictionary words
8. Uses an older version of Perl where setuid programs where not allowed. As a result, a setuid C wrapper is used. Old design. Newer versions of perl allow setuid programs so we may wait for a newer version.

Conclusion

This tool seems to be a good tool and may eliminate the overhead of crack runs which take place every quarter.

Recommendation

The tool is recommended. I suggest the following course of action. Let us deploy the tool for the present quarter, age the existing password set and have a crack run at the end of the quarter. If the crack results seem extremely impressive in terms of password security, we can continue with its deployment and eventually phase out the crack runs.

This review was written by Jai Sundar Balasubramaniyan <balasujs@cs.purdue.edu> during the summer of 1997. The opinions expressed are for purposes of critical review, and do not represent any official recommendation or endorsement by COAST or Purdue University.