Re: Shadow Passwords
Your message dated: Fri, 02 Feb 1996 09:35:03 +0100
>In article <199602011844.TAA07677@i17linuxb.ists.pwr.wroc.pl>,
>Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> wrote:
>[discussion about shadow passwords deleted]
>>I think it would be nice to have a separate small shared library containing
>>only crypt() - this way it will be easier to change in the future without
>>need to rebuild the whole libc which is quite big already. Unfortunately,
>>this requires that all programs using crypt() are linked against the new
>>library.
>
>I don't know about PAM, it's been mentioned before and probably the ideal
>solution. However, the way SunOS does it is also nice:
>
>- The password file contains ##loginname in the password field.
>- The shadow file holds the real encrypted password.
>
>Now, usually crypt is called by a user program like this:
>
> #include <pwd.h>
> #include <unistd.h>     /* getpass(), crypt() */
> #include <string.h>
> #include <stdio.h>
> #include <stdlib.h>
>
> struct passwd *pwd;
> char *pass, *crypted;
>
> pwd = getpwnam("luser");
> if (pwd == NULL) {      /* unknown user: fail the same way as a bad password */
>     printf("Login incorrect\n");
>     exit(1);
> }
> pass = getpass("Password: ");
>
> crypted = crypt(pass, pwd->pw_passwd);
>
> if (strcmp(pwd->pw_passwd, crypted) != 0) {
>     printf("Login incorrect\n");
>     exit(1);
> }
>
>Crypt can be intelligent. If it sees that the "salt" passed to it is really
>in the form ##loginname, it has a loginname/password combination. It can
>then authenticate the user any way you want.
>
>It could just call getspnam() and do shadow authentication. On success,
>it would return ##loginname again, so that the strcmp() succeeds.
>
>This would only take 2 changes:
>- change the shadow utils to generate ##loginname in the plain password file
>- change crypt in the shared library
>
>The only problem I see is with NIS and NIS password files; they don't
>have ##username in the password field. I think this can be solved by
On SunOS with C2 enabled the /etc/passwd file and the passwd map do have
##username in the password field. The encrypted passwords are stored in
/etc/security/passwd.adjunct, and in the passwd.adjunct nis map. An
authentication daemon is used to do remote authentication, and only root can
do yp{cat,match} passwd.adjunct because authentication is done on a privileged
port.
I know that passwords are transmitted over the net, but this mechanism is more
secure than plain nis, and is more useful than nis+shadow (which doesn't work
on linux).
>checking if the encrypted password in the password field is valid. If
This could also satisfy all those people that don't want shadow passwords on
their systems.
>not (check for 13 characters in a valid range, see sulogin.c of sysvinit),
>the library functions (getpw*) should replace it with ##username.
>
>So the other change in the shared library would be:
>- change the getpw* functions
>
>and all programs are automatically shadow compatible.
>
>PS. In SunOS, this modified crypt() calls a daemon to do the authentication.
>It would be nice if we could have this functionality too. Crypt should
>try to connect to some TCP or UDP port for authentication before trying
>it locally. That way, I could share the password file from our Solaris box
>(it also has shadow, but Linux doesn't support safe shadow over NIS yet)
>for the userid's and do the real authentication with RADIUS.
>
>Mike.
>
Regards,
Andrea
--
_\\|//_
( O-O )
--------------------------o00--(_)--00o-------------------------------
|Andrea Dell'Amico |"D'una citta` non godi le sette o |
|e-mail: adellam@zia.ms.it |settantasette meraviglie, ma la |
| serinf-coord@citinv.it |risposta che da` ad una tua domanda"|
|http://www.citinv.it |Italo Calvino, Le citta` invisibili |
----------------------------------------------------------------------
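The mechanism discussed in this thread (a crypt() that recognises a "salt" of the form ##loginname and consults the shadow file, plus a getpw* layer that rewrites any passwd field that is not a valid 13-character hash into ##loginname), as an added example that is not code from the thread, from SunOS or from the shadow utilities. Everything in it is constructed for illustration: shadow_crypt(), toy_crypt(), looks_like_crypt_hash(), sanitize_pw_field(), check_password(), getspnam_sim() and the in-memory shadow table are assumed names, and toy_crypt() is a stand-in that only imitates the shape of a traditional DES crypt() result so the file builds without -lcrypt.

```c
/* Added example, not code from the thread: a toy model of the "intelligent
 * crypt()" and the getpw* rewrite discussed above. All names here are
 * constructed for illustration; toy_crypt() is NOT a real password hash. */
#include <stdio.h>
#include <string.h>

#define MARKER    "##"   /* what the passwd field holds instead of a hash */
#define CRYPT_LEN 13     /* length of a traditional DES crypt() result */

/* The 64-character alphabet traditional crypt() output is drawn from. */
static const char crypt_alphabet[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Stand-in for crypt(3): two salt characters followed by 11 characters from an
 * FNV-1a/LCG mix of salt and password. Same shape as DES crypt, no security. */
static char *toy_crypt(const char *pass, const char *salt, char out[CRYPT_LEN + 1])
{
    unsigned long long h = 1469598103934665603ULL;
    const char *p;
    int i;
    out[0] = (salt[0] && strchr(crypt_alphabet, salt[0])) ? salt[0] : '.';
    out[1] = (salt[0] && salt[1] && strchr(crypt_alphabet, salt[1])) ? salt[1] : '.';
    for (p = out; p < out + 2; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (p = pass; *p; p++)         { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (i = 2; i < CRYPT_LEN; i++) {
        h = h * 6364136223846793005ULL + 1442695040888963407ULL;
        out[i] = crypt_alphabet[(h >> 58) & 63];
    }
    out[CRYPT_LEN] = '\0';
    return out;
}

/* The validity check the thread attributes to sulogin.c: 13 characters,
 * every one of them from the crypt alphabet. */
int looks_like_crypt_hash(const char *s)
{
    int i;
    if (s == NULL || strlen(s) != CRYPT_LEN)
        return 0;
    for (i = 0; i < CRYPT_LEN; i++)
        if (strchr(crypt_alphabet, s[i]) == NULL)
            return 0;
    return 1;
}

/* The proposed getpw* change: a field that is not a usable hash (an NIS "x",
 * "*", "!", ...) is replaced by ##login so that crypt() consults shadow. */
const char *sanitize_pw_field(const char *login, const char *field)
{
    static char marker[64];          /* getpw* return static storage too */
    if (looks_like_crypt_hash(field))
        return field;
    snprintf(marker, sizeof marker, "%s%s", MARKER, login);
    return marker;
}

/* Constructed in-memory stand-in for getspnam(): login -> hash. */
struct shadow_entry { const char *login; char hash[CRYPT_LEN + 1]; };
static struct shadow_entry shadow_db[] = { { "luser", "" }, { "admin", "" } };
static char dummy_hash[CRYPT_LEN + 1];

static const struct shadow_entry *getspnam_sim(const char *login)
{
    static int ready;
    size_t i;
    if (!ready) {                    /* populate with constructed sample passwords */
        toy_crypt("secret", "xy", shadow_db[0].hash);
        toy_crypt("s3cr3t", "Ab", shadow_db[1].hash);
        toy_crypt("unused", "zz", dummy_hash);
        ready = 1;
    }
    for (i = 0; i < sizeof shadow_db / sizeof shadow_db[0]; i++)
        if (strcmp(shadow_db[i].login, login) == 0)
            return &shadow_db[i];
    return NULL;
}

/* The "intelligent crypt()": a salt of the form ##login means "authenticate
 * login against shadow"; any other salt is ordinary crypt(). */
char *shadow_crypt(const char *pass, const char *salt)
{
    static char result[64];          /* crypt(3) also returns static storage */
    if (salt[0] == '#' && salt[1] == '#' && salt[2] != '\0') {
        const struct shadow_entry *sp = getspnam_sim(salt + 2);
        char candidate[CRYPT_LEN + 1];
        /* Hash even for unknown logins, so the failure path does not reveal
         * through its timing whether the account exists. */
        toy_crypt(pass, sp ? sp->hash : dummy_hash, candidate);
        if (sp != NULL && strcmp(candidate, sp->hash) == 0) {
            snprintf(result, sizeof result, "%s", salt);  /* caller's strcmp() matches */
            return result;
        }
        snprintf(result, sizeof result, "*");           /* can never equal ##login */
        return result;
    }
    return toy_crypt(pass, salt, result);
}

/* The unchanged user-program logic from the quoted snippet. */
int check_password(const char *pw_passwd, const char *pass)
{
    char field[64];                  /* pwd->pw_passwd lives apart from crypt()'s buffer */
    snprintf(field, sizeof field, "%s", pw_passwd);
    return strcmp(field, shadow_crypt(pass, field)) == 0;
}

int main(void)
{
    const char *field = sanitize_pw_field("luser", "x");   /* NIS-style field */
    printf("passwd field for luser becomes %s\n", field);
    printf("secret -> %s\n", check_password(field, "secret") ? "ok" : "Login incorrect");
    printf("wrong  -> %s\n", check_password(field, "wrong") ? "ok" : "Login incorrect");
    return 0;
}
```

Two points the toy makes visible: in this scheme the caller's strcmp() never compares real hashes when the field is ##login, so the whole check rests on crypt() never returning ##login on failure (the example returns "*" on every failure path); and because the lookup now happens inside crypt(), an unknown login and a wrong password should cost the same, which is why the example hashes against a dummy entry when getspnam() finds nothing.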