[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Shadow Passwords

Your message dated: Fri, 02 Feb 1996 09:35:03 +0100
>In article <[🔎] 199602011844.TAA07677@i17linuxb.ists.pwr.wroc.pl>,
>Marek Michalkiewicz  <marekm@i17linuxb.ists.pwr.wroc.pl> wrote:
>[discussion about shadow passwords deleted]
>>I think it would be nice to have a separate small shared library containing
>>only crypt() - this way it will be easier to change in the future without
>>need to rebuild the whole libc which is quite big already.  Unfortunately,
>>this requires that all programs using crypt() are linked against the new
>I don't know about PAM, it's been mentioned before and probably the ideal
>solution. However, the way SunOS does it is also nice:
>- The password file contains ##loginname in the password field.
>- The shadow file holds the real encrypted password.
>Now, usually crypt is called by a user program like this:
>  struct passwd *pwd;
>  char *pass, *crypted;
>  pwd = getpwnam("luser");
>  pass = getpass("Password: ");
>  crypted = crypt(pass, pwd->pw_passwd);
>  if (strcmp(pwd->pw_passwd, crypted) != 0) {
>	printf("Login incorrect\n");
>	exit(1);
>  }
>Crypt can be intelligent. If it sees that the "salt" passed to it is really
>in the form ##loginname, it has a loginname/password combination. It can
>then authenticate the user any way you want.
>It could just call getspnam() and do shadow authentication. On success,
>it would return ##loginname again, so that the strcmp() succeeds.
>This would only take 2 changes:
>- change the shadow utils to generate ##loginname in the plain password file
>- change crypt in the shared library
>The only problem I see is with NIS and NIS password files; they don't
>have ##username in the password field. I think this can be solved by

On SunOS with C2 enabled the /etc/passwd file and the passwd map do have 
##username in the password field. The encrypted passwords are stored in 
/etc/security/passwd.adjunct, and in the passwd.adjunct nis map. An 
authentication daemon is used to do remote authentication, and only root can 
do yp{cat,match} passwd.adjunct because authentication is done on a privileged 

I know that passwords are transmitted over the net, but this mechanism is more 
secure than plain nis, and is more useful than nis+shadow (which doesn't work 
on linux).

>checking if the encrypted password in the password field is valid. If

This could also satisfy all those people that don't want shadow passwords on 
their systems.

>not (check for 13 characters in a valid range, see sulogin.c of sysvinit),
>the library functions (getpw*) should replace it with ##username.
>So the other change in the shared library would be:
>- change the getpw* functions
>and all programs are automatically shadow compatible.
>PS. In SunOS, this modified crypt() calls a daemon to do the authentication.
>It would be nice if we could have this functionality too. Crypt should
>try to connect to some TCP or UDP port for authentication before trying
>it locally. That way, I could share the password file from our Solaris box
>(it also has shadow, but Linux doesn't support safe shadow over NIS yet)
>for the userid's and do the real authentication with RADIUS.

                             ( O-O )
|Andrea Dell'Amico	   	|"D'una citta` non godi le sette o   |
|e-mail: adellam@zia.ms.it	|settantasette meraviglie, ma la     |
|  serinf-coord@citinv.it	|risposta che da` ad una tua domanda"|
|http://www.citinv.it		|Italo Calvino, Le citta` invisibili |

Reply to: