Writing

Software, technology, sysadmin war stories, and more.

Tuesday, July 17, 2012

Writing a password down on purpose

I've written a bit about taking over the Unix box at my school when the teacher who started it moved on to other things. What I haven't written about nearly as much is the auxiliary machine which made that whole thing possible, and the upgrades we did to both of them.

The original configuration was a 486 of some flavor running BSD/386, and it dialed into a 386 (!) also running BSD/386. The 486 sat in an office at my school, and the 386 was sitting in a rack at a local university. They let us terminate a couple of analog lines in their space and let us park a machine on their Ethernet. They also took care of routing our IP space down to that machine. We handled the rest.

Well, after a couple years of growth, that 486 was starting to strain. We needed something with some more horsepower to keep things nice and snappy for our users. When you have 20 or 30 people all trying to run elm, pine, lynx, gopher or whatever at the same time, you need a decent amount of resources.

A friend of mine who was closely involved with the project helped convince one of the administrator types at our school to invest the money required to buy a new machine. We dealt with a vendor somewhere out here in the valley and a few weeks later had our shiny new machine. We stayed late one night doing a migration the hard way: physically moving disks, getting the passwd and shadow files in order, and so on.

The next morning, our users came back to a system which was now running BSD/OS 2.0 and had a bunch of crazy new things. It also had a significant number of bugs, not the least of which was that NCSA telnet started echoing your password (!!!) at login because of a bad bug interaction between it and the new telnetd.

Anyway, over the next couple of days, we ran around putting out fires, stomping bugs, and another of my friends hacked up a telnetd that wouldn't trigger the NCSA bug, and life was pretty good. Now we had this old 486 just sitting around. What to do, what to do.

Well, obviously, the next step was to use it to upgrade our machine at the university. So, we cleaned up the 486 and reinstalled it as 2.0 and got it ready to host a PPP connection. Then, one day, we made an appointment with the computer people up at the university and two or three of us went up there to do the swap.

It seemed simple enough. We pulled the old machine out and started moving parts around. That's when it occurred to me: oh, yeah, this machine has a second modem and a second line because it routes for a second location. Oops.

We had forgotten about a certain elementary school. Somehow, at some point before I got involved with running this stuff, they had wanted to get online, and used our gateway machine to do it. The principal who set that up later went on to run the district-wide technology for that side of town, for what it's worth. Anyway, they had been there all along and we never even considered them. The gateway box just kind of sat there and we rarely logged into it, so nobody really remembered it.

So now we had a problem. We needed to get their SLIP user account moved over to the new machine... but nobody knew its password, and we had no way to get that guy on the phone. We also couldn't really run both machines at once to copy stuff over, since there were only enough parts to let one run at a time. We were miles away from our usual office at school or any of our homes, so running back and forth to get parts wasn't desirable, either. The university ran "real" Unix boxes, not these silly PCs, so they probably wouldn't have had anything for us to monkey with, especially with zero notice.

Finally, I came up with the plan: we would /write the shadow password down/. There was a convenient marker board hanging on the wall, and I called out the characters while one of my friends wrote it down. Then we swapped the boxes around, fired up vipw, and keyed it back in on the new machine.

A few minutes later, it redialed, and everything worked. Both schools were up and running on our "new" 486, and the old machine was given back to the university. The elementary school only saw it as a temporary blip in service and probably had no idea anything else had changed out from under them, since we restored their IP routing just as it had been before.

That's probably one of the more horrible things I've done in the course of systems administration. Writing the crypted password for a computer-to-computer link on a marker board in order to copy it to another system? Yeah, that's so wrong on so many levels.