Skip navigation.
Home
The QNX Community Portal

View topic - Authenticate system passwords in application

Authenticate system passwords in application

For the old QNX2 and QNX4 RTOS

Authenticate system passwords in application

Postby Pilotek » Fri Sep 21, 2012 11:25 am

Good morning/afternoon,

is there some way (C-function, library...) in QNX4+Photon how to authenticate system passwords (which are encrypted, we cannot read them from somewhere for comparison=verification) required to enter by qualified operator at some operations in our application (editing critical parameters, manipulating critical devices...)?

Thank you.
Pilotek
Senior Member
 
Posts: 124
Joined: Thu Jan 25, 2007 3:52 pm

Re: Authenticate system passwords in application

Postby maschoen » Sat Sep 22, 2012 12:21 pm

I believe that the function you are looking for is called crypt().
maschoen
QNX Master
 
Posts: 2644
Joined: Wed Jun 25, 2003 5:18 pm

Re: Authenticate system passwords in application

Postby Pilotek » Thu Sep 27, 2012 12:32 pm

Maybe, but there is no crypt() function for QNX4, only for QNX6.

Is there anybody out there who knows where to find that function for QNX4?
Pilotek
Senior Member
 
Posts: 124
Joined: Thu Jan 25, 2007 3:52 pm

Re: Authenticate system passwords in application

Postby maschoen » Thu Sep 27, 2012 2:21 pm

Pilotek wrote:Maybe, but there is no crypt() function for QNX4, only for QNX6.

Is there anybody out there who knows where to find that function for QNX4?


Not only does there seem to be a crypt() function for QNX4, it is notorius:

http://it.slashdot.org/story/00/04/16/1 ... pt-cracked

http://www.qnx.com/developers/qnx4/qnx4 ... ?code=9619
maschoen
QNX Master
 
Posts: 2644
Joined: Wed Jun 25, 2003 5:18 pm

Re: Authenticate system passwords in application

Postby Pilotek » Fri Sep 28, 2012 6:20 am

Where we can find "Watcom C 10.6 Security patch" (which contains the latest version of unix3s.lib)?
Are we looking for:
unix3s.lib 97280 17Jun2000?

Is it unix3s.lib which contains crypt() function?

Several people say that even after installing "Watcom C 10.6 Security patch" no unix3s.lib is installed...

In usr/include/(anything).h there is no reference for crypt() function.

Update:
We tried to install QNX Suite 2000 "Watcom Security Update" and two libraries don't appear in usr/lib:
- unix3s.lib,
- unixg3r.lib.
From the internet research I mean that not only us have this problem.
The same situation is with QNX CD Suite 2011 (both libraries missing).
Pilotek
Senior Member
 
Posts: 124
Joined: Thu Jan 25, 2007 3:52 pm

Re: Authenticate system passwords in application

Postby maschoen » Fri Sep 28, 2012 7:21 pm

I looked in the directory:

/usr/watcom/10.6/usr/lib and found the following:

I'm not sure what the *.qcrypt files have to do with anything.

# ls -l unix*
-rw-rw-r-- 1 root root 101376 Jun 15 2000 unix3r.lib
-rw-rw-r-- 1 root root 89600 Nov 23 1997 unix3r.lib.qcrypt
-rw-r--r-- 1 root root 97280 Jun 15 2000 unix3s.lib
-rw-r--r-- 1 root root 88064 Dec 16 1996 unix3s.lib.qcrypt
-rw-r--r-- 1 root root 100352 Apr 25 2000 unixc.lib
-rw-r--r-- 1 root root 128000 Dec 16 1996 unixc.lib.qcrypt
-rw-rw-r-- 1 root root 191488 Jun 15 2000 unixg3r.lib
-rw-r--r-- 1 root root 105472 Apr 25 2000 unixh.lib
-rw-r--r-- 1 root root 133632 Dec 16 1996 unixh.lib.qcrypt
-rw-r--r-- 1 root root 100352 Apr 25 2000 unixl.lib
-rw-r--r-- 1 root root 129024 Dec 16 1996 unixl.lib.qcrypt
-rw-r--r-- 1 root root 95744 Apr 25 2000 unixm.lib
-rw-r--r-- 1 root root 124416 Dec 16 1996 unixm.lib.qcrypt
-rw-r--r-- 1 root root 94208 Apr 25 2000 unixs.lib
-rw-r--r-- 1 root root 122880 Dec 16 1996 unixs.lib.qcrypt
#
maschoen
QNX Master
 
Posts: 2644
Joined: Wed Jun 25, 2003 5:18 pm

Re: Authenticate system passwords in application

Postby Pilotek » Fri Oct 05, 2012 6:55 am

Thank you, we were looking always in /usr/lib instead of /usr/watcom/10.6/usr/lib.
Do we need to copy/install some libraries from /usr/watcom/10.6/usr/lib to root/usr/lib before we use (functions of)them?

We will make another attempts...
Pilotek
Senior Member
 
Posts: 124
Joined: Thu Jan 25, 2007 3:52 pm

Re: Authenticate system passwords in application

Postby maschoen » Fri Oct 05, 2012 8:43 pm

Pilotek wrote:Thank you, we were looking always in /usr/lib instead of /usr/watcom/10.6/usr/lib.
Do we need to copy/install some libraries from /usr/watcom/10.6/usr/lib to root/usr/lib before we use (functions of)them?


I don't know. I would not think so. There is probably (or should be) a soft link to /usr/watcom/10.6/usr/lib from /usr/lib.
maschoen
QNX Master
 
Posts: 2644
Joined: Wed Jun 25, 2003 5:18 pm

Re: Authenticate system passwords in application

Postby Pilotek » Tue Oct 09, 2012 10:52 am

Thank you very much maschoen. Our developer already found, tried and understood (how to use it) the crypt() function for authentication of system USER/PASSWORD inside our application.
Pilotek
Senior Member
 
Posts: 124
Joined: Thu Jan 25, 2007 3:52 pm

Re: Authenticate system passwords in application

Postby AshiGupta » Mon Dec 19, 2016 6:45 am

Hi,

I am trying to use crypt() function in my application code to create a new user and add entries in passwd/opasswd/shadow/oshadow files. I am getting 13 character output from crypt() function and adding the same in shadow file but still unable to login with my new user.

Is there is anything i am missing. If i am using passwd utility it is working well.

Below is default look of shadow file with only root as user
root:T4QIvurux5uOI:1195089751:0:0

root--> Username
T4QIvurux5uOI --> 13 character encrypted password
1195089751:0:0 --> ?

What is the meaning of this 10 digit number and 0 ?
AshiGupta
Active Member
 
Posts: 19
Joined: Wed Aug 24, 2016 11:09 am

Re: Authenticate system passwords in application

Postby Tim » Wed Jan 04, 2017 11:56 pm

You might want to check out this hacker article on the QNX oshadow file.

https://moar.so/blog/qnx-password-hash-formats.html

Entries in the shadowed password file are first delimited by : and split into the following sections:

username -- user account name
@S,100@386d...truncated...da5d@129b6761 -- printable hash string (varies depending on the hash function used)
1448613322 -- Unix epoch timestamp of when the password was set
0 -- unknown
0 -- unknown

The guess is those last 2 values are related to locking out user accounts.

The problem appears to be you need to run the crypt call many times. The doc's say 1000 times using SHA-512 with a salt of 16 bytes:

http://www.qnx.com/developers/docs/660/ ... asswd.html

Tim
Tim
Senior Member
 
Posts: 1391
Joined: Wed Mar 10, 2004 12:28 am


Return to QNX2 and QNX4

Who is online

Users browsing this forum: No registered users and 3 guests