shadow and password, can you help me?

Nifty Hat Mitch mitch48 at sbcglobal.net
Wed Sep 8 05:45:49 UTC 2004


On Mon, Sep 06, 2004 at 08:01:55AM +0200, priou wrote:
> On Monday 06 September 2004 00:43, Alexander Dalloz wrote:
> > On Sun, 05.09.2004 at 23:10, priou wrote:

> > >   I need to read some passwords on my FTP server, but they are
> > > crypted with shadow and I would like to do this:
> > >
> > >    password_shadow ----> password_read_human (printed on my screen)
> > >
> > >    example:
> > >       $1$59BDQjvM$WCC3rboNRyuRsDzV.bHHF1  =>  dodou
> >
> > That is impossible. You can't revert crypted passwords back to the
> > original string.
> >
> > See "man crypt".
> 
> OK :(
> Our FTP customers will not be happy ...

Sell your customers a positive strong security answer.

Let them know that their passwords are encrypted with a strong
set of tools that requires years of computer time to decrypt. These
tools never save passwords in unencrypted form. Thus they are well
protected from password hackers by your process and tools.

Let them know that you will be happy to reset their password (with
correct authentication)... You do have a process and tool to reset
the passwords?

What this means is that even if an intruder obtains temporary read
access to parts of the machine, they do not have access to clear text
passwords.

See mkpasswd to generate a unique secret word if you need it.

CAUTION: It is true that tools like crack will automate stupid user
tricks to generate long lists of common but weak passwords to test.
If your FTP users select bad passwords, a 'cracker' might with some
effort find the key if a hacker exposed the encrypted passwd file.

In my limited experience 20-30% of a large passwd file (etc/shadow)
could be cracked in a day or two. 40% in a week or two on a fast
machine. Beyond that it was brute strength and luck...

Well chosen (and tested) root and system admin passwords keep
(etc/shadow) well hidden.

Recall what I said above, that passwords "...are well protected from
password hackers by your process and tools." Your good process and
tools do not protect from uneducated users that select bad magic
words....



-- 
	T o m  M i t c h e l l 
	Just say no to 74LS73 in 2004
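
An added example, not part of the original message or of any Fedora tool: a pure-Python sketch of the `$1$` (MD5-crypt) scheme used by the hash quoted in the thread, showing that a server checks a login by re-hashing the candidate with the stored salt and that a forgotten password is replaced rather than recovered. The function names `md5_crypt`, `verify` and `reset_password` are hypothetical, chosen for this illustration.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: str, salt: str) -> str:
    """Compute the "$1$salt$hash" string that crypt(3) stores for MD5-crypt."""
    pw, sp = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + sp + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + sp)
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(n, 16)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 chained rounds; the digest only ever moves forward
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            h.update(sp)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    # crypt's own base64 variant, with the digest bytes taken in a fixed shuffled order
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    values = [((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups]
    values.append((final[11], 2))
    out = ""
    for v, n in values:
        for _ in range(n):
            out += ITOA64[v & 0x3F]
            v >>= 6
    return f"$1${sp.decode()}${out}"

def verify(candidate: str, stored: str) -> bool:
    """Login-style check: re-hash the candidate with the stored salt, then compare."""
    _, scheme, salt, _ = stored.split("$")
    if scheme != "1":
        raise ValueError("this sketch only handles $1$ (MD5-crypt) entries")
    return hmac.compare_digest(md5_crypt(candidate, salt).encode(), stored.encode())

def reset_password() -> tuple[str, str]:
    """Reset instead of recover: (new password for the customer, new hash to store)."""
    new_pw = "".join(secrets.choice(ITOA64[2:]) for _ in range(16))
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return new_pw, md5_crypt(new_pw, salt)
```

Nothing in `verify` ever turns the stored string back into a password; the only plaintext that exists is the one `reset_password` hands out once.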




