How to create an encrypted password file and decrypt the password on AIX

tsteph
I am needing to create an encrypted password file and decrypt the password on AIX platform.  This is currently being done on our Sun Solaris environment using the commands "encrypt" and "decrypt".  However, I noticed these commands do not exist or are not installed on our AIX.

Do these commands need to be installed or are there equivalent commands for AIX?
Most Valuable Expert 2013
Top Expert 2013

Commented:
Hi,

there are no native crypt/decrypt commands in AIX anymore.

You could install ccrypt, which is available as an RPM package here:

http://www.perzl.org/aix/index.php?n=Main.Ccrypt

Unfortunately it has some prerequisites:

http://www.perzl.org/aix/index.php?n=Main.Gettext
http://www.perzl.org/aix/index.php?n=Main.Expat
http://www.perzl.org/aix/index.php?n=Main.Glib2

rpm itself is part of the AIX base shipment and gets installed by default.

To just generate encrypted passwords try the "makekey" (man makekey) command. It uses one-way encryption.


wmp



Author

Commented:
I would need to use 2 way encryption to be able to decrypt.  I will look into ccrypt.  However, I do not think my company will allow open source code if that is what it is.  
Thanks,
tsteph
Most Valuable Expert 2013
Top Expert 2013

Commented:
AIX ships with openssl. Could this be an alternative? (openssl enc ...) ?

Try "man openssl"



Author

Commented:
When I try "man openssl" I get the same message when I "man dcrypt".  Not found or installed.
Most Valuable Expert 2013
Top Expert 2013

Commented:
It's on the base DVD. Insert this DVD and run "smitty install_all" as usual.

Or run installp -aX -d /dev/cd0 openssl.base openssl.license openssl.man.en_US

Author

Commented:
Hmmm, unfortunately I do not have authority to install on our servers.  I am not a sys admin but a developer.  The sys admins I talked to had no idea about crypt or dcrypt or alternatives.  I will have to pass this along to them.  In the meantime I will look at other alternatives.  Thanks for the information!

Author

Commented:
It may be some time before any sys admins can look at this... I will have to look at some other alternatives in the meantime.  Thanks!
Most Valuable Expert 2013
Top Expert 2013

Commented:
Have your sys admins install openssl!

The more I think about it the more I believe that using openssl is the best choice here.

Although it's Open Source the package shipped with AIX is under control of IBM, so there should be no reason to worry about manipulated code (Trojan horse or the like).

wmp

Author

Commented:
Does openssl execute like a command like decrypt or encrypt?  There is a script we have here already on a Solaris machine that uses decrypt and we are wanting to use the same script. Would it be a matter of replacing the decrypt command and parameters with openssl and its specific parameters?

Author

Commented:
Do you have examples of how it is used?

Author

Commented:
What about crypt?  I noticed it is in the man pages but it looks like it is a C method, not a command.

Author

Commented:
I responded too soon...sorry....I also noticed encrypt which decrypts and encrypts..but appears to be a  function...not sure how to use...I am kinda a newbie in this.
Most Valuable Expert 2013
Top Expert 2013

Commented:
With password on command line, using e.g. aes-256-cbc cipher:

encrypt:

openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -pass pass:mypassword

decrypt:

openssl enc -d -aes-256-cbc -in file.enc -out file.dec -pass pass:mypassword

With password in a file:

encrypt:

openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -pass file:/path/to/password.txt

decrypt:

openssl enc -d -aes-256-cbc -salt -in file.enc -out file.dec -pass file:/path/to/password.txt

Find available ciphers with

openssl -h

or

openssl list-cipher-commands

or

man enc

wmp
Most Valuable Expert 2013
Top Expert 2013

Commented:
What you found are subroutines (functions) to be used in C programs.

Author

Commented:
okay, I found that openssl is on 2 of our AIX boxes that are versions 5.3...comes standard on these.  openssl may work.  I just need to test it.  We are required to have a password file that contains an encrypted password of a particular user.  The name of the file has to be username.pwd for example.  So I need to create this.  Then I need to use openssl to decrypt the password.  This password will be used by a C/C++ program to log into a particular application.

I can on the command line create the password file.  Then in a shell script I can execute openssl command on that password file based on the username.

In the above example:
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -pass pass:mypassword

What is the file.txt needed for? from the mypassword given won't it just encrypt it in the file.enc file?  I am confused at what or how  the -in file.txt and -out file.enc are used in the examples above?
Most Valuable Expert 2013
Top Expert 2013

Commented:
Your original requirement was to create an encrypted file.
I assumed you meant creating this file out of an unencrypted file.

So file.txt is the original, unencrypted file and file.enc is the resulting, encrypted file.
"mypasswd" is the passphrase used for encryption and has nothing to do with the original strings to be encrypted.

openssl can work on stdin and stdout if desired. Just omit the -in and -out files.

To encrypt a string "PASSWORD" and store the result in a variable ENCSTR:

ENCSTR=$(echo "PASSWORD" | openssl enc -aes-256-cbc -salt -pass pass:mypassword)

To decrypt this variable's contents:

echo "$ENCSTR" |  openssl enc -d  -aes-256-cbc -pass pass:xxx 2>/dev/null

Decrypting a variable may lead to an error message, depending on the characters resulting from encryption, but decryption will succeed nonetheless - that's why I redirected possible error messages to /dev/null.

Author

Commented:
Here is what I need to do.

Create a shell script that will take the username and password in as arguments and create the encrypted password file by executing the command (or something similar):
                  echo "password" | openssl enc -aes-256-cbc -a -salt -out username.pwd
This is just to create user specific encrypted password files that will be used by a C program discussed below.

I will then create a second shell script (that will be executed from a C program using fpipe and fgets) that will take the username as input and return the decrypted password to the C program using the following command line (or something similar):
echo | openssl enc -d -aes-256-cbc -a -in username.pwd ---(this is the file that was created by the above script)

Just not sure how to get around the prompts for a password when running those commands from command line. Maybe I am missing something.

Most Valuable Expert 2013
Top Expert 2013
Commented:
Yes, you're missing the -pass option.

echo "password" | openssl enc -aes-256-cbc -a -salt -out username.pwd -pass pass:mypasswd

openssl enc -d -aes-256-cbc -a -in username.pwd -pass pass:mypasswd

"pass:" in front of a string tells openssl that it's the password itself which follows, whereas "file:" in front of a filename would tell openssl to read that file to obtain the password.

The first command creates a file containing a single encrypted string, I think that's desired and OK.

The second command writes the decrypted string to stdout. Is this the way you're planning to pass it to C? If so, the command is OK too (without the useless "echo |" in front, of course).

wmp
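
Added example, not part of the thread: the two scripts discussed above written as shell functions that use the "file:" form of -pass, because a passphrase given as "pass:..." on the command line is visible to other users in the process list while openssl runs. The names PWDDIR, KEYFILE, valid_user, store_password and fetch_password are assumptions made for this sketch; the openssl options are the ones already shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. PWDDIR and KEYFILE are assumed paths.
umask 077                          # new files/dirs: owner access only
PWDDIR=${PWDDIR:-./pwd}            # where username.pwd files live (assumed)
KEYFILE=${KEYFILE:-./pwd.key}      # first line = passphrase (assumed)

# Accept only plain account names so a caller-supplied "username" can never
# select a file outside PWDDIR (e.g. "../x") or be read as an option.
valid_user() {
    case $1 in
        ''|.*|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# store_password USER  -- cleartext password arrives on stdin, not in argv
store_password() {
    valid_user "$1" || { echo "invalid username" >&2; return 2; }
    [ -r "$KEYFILE" ] || { echo "cannot read key file" >&2; return 3; }
    mkdir -p "$PWDDIR" || return 1
    # Same cipher and -a/-salt options as in the thread; only -pass differs.
    openssl enc -aes-256-cbc -a -salt -pass "file:$KEYFILE" \
        -out "$PWDDIR/$1.pwd"
}

# fetch_password USER  -- decrypted password on stdout for the C caller
fetch_password() {
    valid_user "$1" || { echo "invalid username" >&2; return 2; }
    [ -r "$PWDDIR/$1.pwd" ] || { echo "no password file" >&2; return 4; }
    openssl enc -d -aes-256-cbc -a -pass "file:$KEYFILE" \
        -in "$PWDDIR/$1.pwd"
}
```

Anyone who can read both the key file and a username.pwd file can recover the password, so the protection rests on the key file's permissions and location rather than on the encryption alone.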

Author

Commented:
Yes that is correct.  I wrote the scripts and tested successfully.  I believe this is the solution.  Thank you much for your assistance!!
