
Re: securing debian



        I would like to make my Debian box use shadow passwords since it is
always on the 'Net. Firstly, how do I turn on shadow passwords in debian?
Secondly, will this affect my pppd, proftpd, telnetd, apache or other daemons?
Thanks,
Timothy Hospedales

BTW, I was reading the Shadow-HOWTO and it says
<SNIP>
System crackers know all this, and will simply encrypt a dictionary of words
and common passwords using all possible 4096 salt values. Then they will
compare the encoded passwords in your
/etc/passwd file with their database. Once they have found a match, they have
the password for another account. This is referred to as a dictionary attack,
and is one of the most common methods
for gaining or expanding unauthorized access to a system.

If you think about it, an 8 character password encodes to 4096 * 13 character
strings. So a dictionary of say 400,000 common words, names, passwords, and
simple variations would easily fit on a
4GB hard drive. The attacker need only sort them, and then check for matches.
Since a 4GB hard drive can be had for under $1000.00, this is well within the
means of most system crackers.
</SNIP>

        If a 4GB drive and lots of time are all it takes, how do any systems at
all w/o shadow passwords avoid breakins?

<SNIP>
Also, if a cracker obtains your /etc/passwd file first, they only need to
encode the dictionary with the salt values actually contained in your
/etc/passwd file. This method is usable by your
average teenager with a couple of hundred spare Megabytes and a 486 class
computer.
</SNIP>
        
        Since /etc/passwd is world readable, then it should not be a problem to
break into any non-shadow system?

Yes, I'm clueless about security having used Windoze all my life until
a few months ago when I first heard about Linux! So thanks for any advice!

----------------------------------
E-Mail: hospedales@wow.net
Date: 26-Apr-98
Time: 17:36:50

This message was sent by XFMail.
Powered by GNU/Linux 2.0.
----------------------------------
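The attack the Shadow-HOWTO passages quoted above describe, worked through as an added example that is not part of the original post or of the HOWTO. It assumes a stand-in hash (`crypt_like`, built from SHA-256 and truncated to the same 2-character-salt-plus-11-character shape) in place of the real DES `crypt(3)`, because the point here is the salt-space arithmetic and the file-reading logic, not the DES permutation: the 64-character salt alphabet gives the 4096 salts the HOWTO counts, and an attacker who has already read a world-readable `/etc/passwd` only needs to hash the wordlist under the salts that actually appear in it. The sample password file and wordlist are constructed inline; the "shadowed" entry shows what the attacker sees once the hash has been moved to `/etc/shadow`.

```python
import hashlib
from itertools import product

# The crypt(3) salt/hash alphabet: 64 characters, so a 2-character salt
# has 64 * 64 = 4096 possible values, the number the Shadow-HOWTO quotes.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def all_salts():
    """Every possible 2-character salt; an attacker without the passwd file
    must precompute the dictionary under all of them."""
    return ["".join(p) for p in product(SALT_CHARS, repeat=2)]


def crypt_like(password, salt):
    """Stand-in for DES crypt(3) (assumption: same 13-character shape,
    salt first, then 11 hash characters; NOT the real DES algorithm)."""
    digest = hashlib.sha256((salt + ":" + password).encode()).digest()
    body = "".join(SALT_CHARS[b & 63] for b in digest[:11])
    return salt + body


def parse_passwd(text):
    """Return {user: hash} for entries carrying a traditional 13-character
    hash in field 2. Entries holding 'x' or '*' (shadowed or locked) give
    the attacker nothing to work with and are skipped."""
    out = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if len(pw) == 13 and pw[0] in SALT_CHARS and pw[1] in SALT_CHARS:
            out[user] = pw
    return out


def dictionary_attack(passwd_text, wordlist):
    """The HOWTO's second scenario: hash the wordlist only under the salts
    actually present in the captured passwd file, then match."""
    hashes = parse_passwd(passwd_text)
    salts = {h[:2] for h in hashes.values()}
    table = {}  # hash -> plaintext, built for the observed salts only
    for salt in salts:
        for word in wordlist:
            table[crypt_like(word, salt)] = word
    return {u: table[h] for u, h in hashes.items() if h in table}


def work_factor(passwd_text, wordlist):
    """(hashes needed with the file in hand, hashes needed blind)."""
    salts = {h[:2] for h in parse_passwd(passwd_text).values()}
    return len(salts) * len(wordlist), len(all_salts()) * len(wordlist)


# Constructed sample data: a small wordlist and a non-shadowed passwd file
# whose hashes were produced with crypt_like above. "bob" uses a password
# that is not in the wordlist; "shadowed" has an 'x' placeholder.
WORDLIST = ["password", "letmein", "toor", "debian", "secret", "qwerty"]

SAMPLE_PASSWD = "\n".join([
    "root:%s:0:0:root:/root:/bin/bash" % crypt_like("toor", "Qz"),
    "tim:%s:1000:1000:Timothy:/home/tim:/bin/bash" % crypt_like("letmein", "ab"),
    "bob:%s:1001:1001:Bob:/home/bob:/bin/bash" % crypt_like("x7!Rk2#mQ", "ab"),
    "shadowed:x:1002:1002:Shadowed user:/home/shadowed:/bin/bash",
])

if __name__ == "__main__":
    print("cracked:", dictionary_attack(SAMPLE_PASSWD, WORDLIST))
    print("hashes computed (targeted, blind):", work_factor(SAMPLE_PASSWD, WORDLIST))
```

Two things fall out of running it. First, the targeted attack hashes the wordlist 2 times (one run per distinct salt in the file) rather than 4096 times, which is why the HOWTO says a captured `/etc/passwd` makes the job feasible on very modest hardware. Second, the only entries that escape are the one whose password is not in the wordlist and the one whose hash is no longer in the world-readable file at all; moving every hash into `/etc/shadow` turns the whole file into that second case.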

