
Re: Shadow Passwords



> 
> I'm not sure if having a separate library for crypt makes your system more
> or less vulnerable to attack. It does make it easier to deploy password
> shadowing, though. David should be in on this discussion as he's currently
> maintaining libc.
> 
> 	Bruce
With all the information in the same place, the modifications and upgrades
could be done far more easily.  As for the security, well, if you can hack into one
place you probably can get to another.  I do know there are Linux machines using
shadowed passwords; what are they using?  Is it the Debian group that is
writing the shadow suite, which would mean it would not be usable by, say,
Slackware?  (Am I correct in my assumptions?)

> This change can be done even now - new_crypt() is called only if the magic
> string matches.  This shouldn't break anything, existing old-style passwords
> continue to work, but we can now copy encrypted passwords from the second
> most popular free OS.
> 
Personally, I like this idea. Even though new_crypt() may be a tad bit
non-standard, it would also make things more secure.  By simply obtaining
a copy of the passwd/shadow files, without the proper key, things would
not be as easy to crack.

> To generate new-style encrypted passwords, it is necessary to modify passwd
> to generate salt strings starting with the magic (they can also be longer -
> the FreeBSD crypt() supports up to 8 characters of salt).  This should be
> an option (not the out-of-the-box default) - other systems (except FreeBSD)
> will not understand our new encrypted passwords.
> 
> The passwd program in the new (not yet released) version of the shadow suite
> supports that (as an option in /etc/login.defs).
> 
		-- Donnie
-- 
                                      \ | /
                                 /\  - {O} -
                                /+*\  / | \
                               / * +\   |
                              /_\\//_\  |
  __^__                       (' O-O ') |                      __^__
 ( ___ )---------------------ooO-(_)-Ooo----------------------( ___ )
  | / |  Donald "WHIZZARD" Lambert      | "If You're Not True  | \ |
  | / |  whizzard@NS.CA.Undernet.ORG    |    To Yourself,      | \ |
  | / |  whizzard@alias.undernet.org    | Than You Aren't True | \ |
  | / |  lambert@snoopy.ucis.dal.ca     |    To Anyone;        | \ |
  | / |  710 Fern Dr. Lwr. Sackville,   | If You're Living For | \ |       
  |___|  Nova Scotia, Canada, B4E1L9    |    SomeOne Else,     |___|
  |___|  HOME:  (902) 864-0437          | Than You're Not      |___|
  |___|  MSGS:  (902) 865-1340          |    Living" -- V.I.   |___|
 (_____)------------------------------------------------------(_____)
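
The dispatch rule quoted in this message (new_crypt() only when the stored field starts with the magic string, old-style fields left alone), as an added example that is not part of the original post or of the shadow suite. The magic value `$1$` is an assumption, since the thread does not name it; `classify_field` and the sample field are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAGIC "$1$"      /* assumed value: the thread does not name the magic */
#define NEW_SALT_MAX 8   /* "up to 8 characters of salt", per the quoted post */

enum scheme { SCHEME_INVALID, SCHEME_OLD, SCHEME_NEW };

/* Characters allowed in crypt(3) salts and hashes: ./0-9A-Za-z */
static int in_alphabet(char c)
{
    return c != '\0' && strchr("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                               "abcdefghijklmnopqrstuvwxyz", c) != NULL;
}

/* Decide which routine a stored password field selects and copy out its
 * salt. salt_out must hold at least NEW_SALT_MAX + 1 bytes. */
enum scheme classify_field(const char *field, char *salt_out)
{
    size_t i, n, mlen = sizeof(MAGIC) - 1;
    salt_out[0] = '\0';
    if (field == NULL) return SCHEME_INVALID;
    if (strncmp(field, MAGIC, mlen) == 0) {
        const char *s = field + mlen;
        /* Salt runs to the next '$' and may not exceed NEW_SALT_MAX. */
        for (n = 0; n < NEW_SALT_MAX && s[n] != '\0' && s[n] != '$'; n++)
            if (!in_alphabet(s[n])) return SCHEME_INVALID;
        if (n == 0 || s[n] != '$' || s[n + 1] == '\0') return SCHEME_INVALID;
        memcpy(salt_out, s, n);
        salt_out[n] = '\0';
        return SCHEME_NEW;
    }
    /* Old style: exactly 13 characters, the first two are the salt.
     * Locked or empty fields ("*", "") fall out here as invalid. */
    if (strlen(field) != 13) return SCHEME_INVALID;
    for (i = 0; i < 13; i++)
        if (!in_alphabet(field[i])) return SCHEME_INVALID;
    memcpy(salt_out, field, 2);
    salt_out[2] = '\0';
    return SCHEME_OLD;
}

int main(void)
{
    char salt[NEW_SALT_MAX + 1];
    const char *f = "$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA"; /* constructed */
    enum scheme s = classify_field(f, salt);
    printf("scheme=%d salt=%s\n", (int)s, salt);
    return 0;
}
```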

