9.1. Testing Login Passwords (John the Ripper)
Problem
You want to check that all login passwords in your system password database are strong.
Solution
Use John the Ripper, a password-cracking utility from the Openwall Project (http://www.openwall.com). After the software is installed, run:
# cd /var/lib/john
# umask 077
# unshadow /etc/passwd /etc/shadow > mypasswords
# john mypasswords
Cracked passwords will be written into the file john.pot. Cracked username/password pairs can be shown after the fact (or during cracking) with the -show option:
# john -show mypasswords
You can instruct john to crack the passwords of only certain users or groups with the options -users:u1,u2,... or -groups:g1,g2,..., e.g.:
# john -users:smith,jones,akhmed mypasswords
Running john with no options will print usage information.
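The recipe leaves you with the output of john -show, which contains the cracked passwords in the clear. An administrator usually wants a list of the affected accounts, not the passwords, so they can be forced to choose a new one. The following script is an added example, not part of the book; it reads john -show output on standard input (the SAMPLE_SHOW_OUTPUT variable is a constructed stand-in for a real "john -show mypasswords" run) and emits only the usernames, the cracked count, and the chage -d 0 commands that would expire those passwords at next login. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Linux Security Cookbook.
# Reads "john -show" output and reports accounts whose password was cracked,
# without echoing the passwords themselves.
#
# Real usage (as root, after the recipe's steps):
#   john -show mypasswords | weak_accounts
#   john -show mypasswords | remediation_commands   # review, then run as root
#
# SAMPLE_SHOW_OUTPUT is CONSTRUCTED to mimic john -show's format for an
# unshadowed file: user:password:uid:gid:gecos:home:shell, then a summary line.
SAMPLE_SHOW_OUTPUT='smith:password123:1001:1001:Sam Smith:/home/smith:/bin/bash
jones:letmein:1002:1002:Jo Jones:/home/jones:/bin/bash

2 password hashes cracked, 5 left'

# weak_accounts: print one username per cracked entry, dropping the password
# column. Entry lines have at least seven colon-separated fields; the blank
# line and the summary line have none, so they are skipped.
weak_accounts() {
    awk -F: 'NF >= 7 { print $1 }'
}

# cracked_count: extract N from the "N password hash(es) cracked, M left" line.
cracked_count() {
    awk '/password hash(es)? cracked/ { print $1 }'
}

# remediation_commands: print a "chage -d 0 <user>" line per weak account.
# chage -d 0 sets the last-change date to the epoch, forcing a password change
# at next login. Commands are printed for review rather than executed.
remediation_commands() {
    weak_accounts | awk '{ print "chage -d 0 " $1 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | weak_accounts
printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | cracked_count
printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | remediation_commands
```

Because the password column is never printed, the output can be mailed to the affected users or filed in a ticket without spreading the cracked passwords further; the mypasswords file and john.pot still hold hashes and plaintexts and should keep the 077 permissions the recipe sets.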
Discussion
SuSE distributes John the Ripper, but Red Hat does not. If you need it, download the software in source form for Unix from http://www.openwall.com/john, together with its signature, and check the signature before proceeding. [Recipe 7.15]
Unpack the source:
$ tar xvzpf john-*.tar.gz
Prepare to compile:
$ cd `ls -d john-* | head -1`/src
$ make
This will print out a list of targets for various systems; choose the appropriate one for your host, e.g.:
linux-x86-any-elf Linux, x86, ELF binaries
and run make to build your desired target, e.g.:
$ make linux-x86-any-elf
Install the software, as root:
# cd ../run
# mkdir -p /usr/local/sbin
# umask 077
# cp -d john un* /usr/local/sbin
# mkdir ...