
Saturday, June 11, 2011

Make the computer do that monkey work

Before I was a Linux sysadmin, I was a BSD/OS sysadmin. I had inherited that choice of OS from the original administrator and ran it for a couple of years. At some point, our needs outgrew BSD/OS and would have been solved if we had just been running a Linux system. Around that same time, we also had a hardware upgrade pending, so I decided to do both at the same time.

Trouble is, the old box had DES crypt() and the new one was the $1$ MD5 scheme. I really didn't want to reset the passwords on 1500 accounts, and it wasn't clear that backwards compatibility would have worked. I needed another solution, and wound up doing it with a pretty evil hack.

My plan was simple enough: write a small function to do an old-style DES crypt() call and look up the user in a copy of the BSD/OS master.passwd. If it matched, take the plaintext we were given, MD5 it on the spot and dump it to a file, then return 1. If it didn't match, return 0.

I then had to take this function, compile it to an object file, and hook it into the authentication path of everything which was running on the new machine. This meant qpopper, telnetd, radiusd, and sshd. Yep, that's right -- telnetd. This was over 10 years ago, and we still ran it.

The hook was trivial to do. Wherever that daemon typically did its crypt magic, I'd just have it take the plaintext and call my function. If it works (returns 1), it's them, we're done. Otherwise, fall through and do whatever you'd do normally. The implementation just needed minor tweaks to line up with however the host program happened to operate.

As time went by I got more and more accounts ported over by using usermod to insert the MD5 version of their password hash. After about three months, it was time to turn it off and just lock out any account which hadn't used the system in that time. They'd just have to catch up with us out-of-band to get it running again.
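The hook, the daemon-side fall-through and the post-cutoff lockout described above, as an added example that is not code from the original post. The two hash schemes are constructed stand-ins (sha1 and sha256 here, standing in for DES crypt() and $1$ MD5 crypt), the output file is an injected stream, and the lockout is modelled as a set difference over the constructed tables.

```python
import hashlib, io, secrets

# Stand-in for the legacy DES crypt(): "salt$hex(sha1(salt+pw))" (constructed; the hook never looks inside the hash).
def legacy_hash(pw, salt):
    return salt + "$" + hashlib.sha1((salt + pw).encode()).hexdigest()
def legacy_verify(stored, pw):
    return secrets.compare_digest(legacy_hash(pw, stored.split("$")[0]), stored)

# Stand-in for the new scheme ($1$ MD5 crypt in the post): "$new$salt$hex(sha256(salt+pw))".
def new_hash(pw, salt=None):
    salt = salt or secrets.token_hex(4)
    return f"$new${salt}${hashlib.sha256((salt + pw).encode()).hexdigest()}"
def new_verify(stored, pw):
    return secrets.compare_digest(new_hash(pw, stored.split("$")[2]), stored)

class Migrator:
    """The hook: look the user up in a copy of the old master.passwd, check the plaintext
    against the legacy hash and, on a match, write the new hash to `out` for usermod. 1 or 0."""
    def __init__(self, legacy_table, out):
        self.legacy, self.out, self.done = legacy_table, out, set()

    def check(self, user, pw):
        stored = self.legacy.get(user)
        if stored is None or not legacy_verify(stored, pw):
            return 0
        if user not in self.done:                  # emit each user once per process
            self.out.write(f"{user}:{new_hash(pw)}\n")
            self.done.add(user)
        return 1

def authenticate(m, new_table, user, pw):
    """What each patched daemon did: try the hook, otherwise fall through to the normal check."""
    if m.check(user, pw):
        return True
    stored = new_table.get(user)
    return stored is not None and new_verify(stored, pw)

def demo():
    # Constructed users: alice is legacy-only, bob was already moved with usermod, dave never logs in.
    legacy = {"alice": legacy_hash("correct horse", "ab"),
              "bob": legacy_hash("old-bob", "cd"), "dave": legacy_hash("x", "ef")}
    new_table = {"bob": new_hash("new-bob", "beef")}
    m = Migrator(legacy, io.StringIO())
    r = {"alice": authenticate(m, new_table, "alice", "correct horse"),
         "alice_bad": authenticate(m, new_table, "alice", "wrong"),
         "bob": authenticate(m, new_table, "bob", "new-bob")}
    lines = m.out.getvalue().splitlines()
    r["emitted"] = {u: new_verify(h, "correct horse") for u, h in (l.split(":", 1) for l in lines)}
    r["lock_after_cutoff"] = sorted(set(legacy) - set(new_table) - m.done)   # the three-month step
    return r
```

While the hook is active, the legacy copy keeps accepting a user's old password even after they change it in the new scheme, which is one more reason to retire the hook on a fixed date as the post did.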

Afterward, I put the binaries back to their stock versions. My hack was no longer needed, and we had managed to move nearly all of the users to a better hashing scheme without revealing plaintext to any human, and nobody had to be a password reset monkey for 1500 users. I hate monkey work.