
Re: pwdb breakage



On Sat, 31 May 1997, Cristian Gafton wrote:

> On Sat, 31 May 1997, Erik Troan wrote:
> 
> > Too many places still just rdist /etc/passwd. We want Red Hat to look like
> > the majority of other Unix platforms which means no shadow passwords or
> > md5 passwords by default. 
> 
> ... which gives you a large amount of 'Linux is not even using shadow
> passwords, how can you tell that it is secure ?!' - like type of messages.
> Do you still want to get this ? What is the alternative ? Just claim that
> 'it is more secure now, upgrade your setting if you need to.'
> 
> To a point, this is a matter of how do you _sell_ things like this... :-)

Okay, so I guess we do still need to support non-shadowed systems...

I would suggest adding something to the actual installation program that
says "Would you like to enable Shadow Passwords?  This will greatly
enhance the security of your system.  If you are not sure, answer Yes."
And maybe even "Most Unix systems only have 8-character passwords.  Red
Hat Linux gives you the choice to use more than 8 characters for your
passwords.  This will also enhance system security.  Would you like to
enable this?"

Now Red Hat Linux has "4 times the security of other Unix/Linux
distributions"...

++++++++++++++++++++++++

Quick question about MD5 -- I know what an MD5 checksum is... but
I'm not exactly sure what MD5 would do for passwords.  I think the
above is correct, but I'm not sure.

Can somebody point me to information on this or explain it to me.
I know the standard 'crypt' command uses a 2-char salt and then an
8-char password.  Then I've heard of references to big_crypt and
md5.

Is there any currently reliable way (in RHL4.2) to have bigger than
8 character passwords?  I know in my /etc/shadow:
root:XXXXXXXXXXXXX:10009:-1:-1:-1:-1:-1:0
kirk:XXXXXXXXXXXXX:9991:-1:-1:-1:-1:-1:0
tim:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:9970:-1:-1:-1:-1:-1:-1073743160

It looks like the user 'tim' has more significant digits for his
password than either 'root' or 'kirk'.  Those last 2 are my accounts...
but how come when I change my password I get only the standard passwords?
Somehow, this 'tim' user (and one other user) managed to get a different
encryption scheme for himself... I don't know how he did it and I don't
know how to recreate it. 

Then again, I've played w/ many versions of PAM... maybe one of the
versions I had installed at one time did this...

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Kirk Bauer -- Georgia Tech -- kirk@kaybee.org <== Finger for PGP
   http://www.kaybee.org/~kirk/html        ResNet RTA
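The two hash shapes Kirk is looking at in his /etc/shadow can be told apart by length and prefix alone: a traditional DES crypt(3) hash is 13 characters (2-character salt followed by 11 encoded characters, and only the first 8 characters of the password go into the DES key), while an MD5-crypt hash starts with "$1$", carries a salt of up to 8 characters, a "$", and a 22-character encoded digest, 34 characters in total for an 8-character salt. The masked fields in the message are 13 and 34 characters long, which is exactly that pair of lengths. The script below is an added example, not code from the original message or from Red Hat; it parses the nine-field shadow(5) format and classifies each password field. The sample entries are constructed, and the hash values in them are dummies of the right shape, not real hashes.

```python
"""Tell DES crypt(3) from MD5-crypt password fields in /etc/shadow.

Added example, not part of the original message.  The sample entries are
constructed: the hash fields are dummies with the right shape, not real hashes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Alphabet used by the classic crypt(3) hash encoding: "./", digits, letters.
_CRYPT_ALPHABET = frozenset(
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
)


@dataclass
class ShadowEntry:
    name: str
    hash_field: str
    # lastchg, min, max, warn, inactive, expire, reserved (None when empty)
    aging: List[Optional[int]]


def _to_int(s: str) -> Optional[int]:
    # shadow(5): an empty field means "not set"; otherwise a decimal integer.
    return int(s) if s != "" else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow(5) line into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    return ShadowEntry(fields[0], fields[1], [_to_int(f) for f in fields[2:]])


def classify_hash(field: str) -> Dict[str, object]:
    """Identify the hashing scheme of a shadow password field.

    Returns the scheme, the salt, and whether the scheme only looks at the
    first 8 characters of the password (true for traditional DES crypt).
    """
    if field == "" or field.startswith(("!", "*")):
        # Empty: no password required.  "!..." or "*": account locked.
        return {"scheme": "none-or-locked", "salt": None, "truncates_at_8": False}
    if field.startswith("$1$"):
        # MD5-crypt: "$1$" + salt (1..8 chars) + "$" + 22-char encoded digest.
        salt, sep, digest = field[3:].partition("$")
        if sep == "$" and 1 <= len(salt) <= 8 and len(digest) == 22:
            return {"scheme": "md5-crypt", "salt": salt, "truncates_at_8": False}
        return {"scheme": "malformed", "salt": None, "truncates_at_8": None}
    if len(field) == 13 and set(field) <= _CRYPT_ALPHABET:
        # Traditional DES crypt: 2-char salt + 11-char hash.  The DES key is
        # built from at most 8 password characters, so longer passwords are
        # silently cut off at 8.
        return {"scheme": "des-crypt", "salt": field[:2], "truncates_at_8": True}
    return {"scheme": "unknown", "salt": None, "truncates_at_8": None}


def audit(lines: List[str]) -> Dict[str, str]:
    """Map each user name to the scheme protecting its password."""
    return {
        entry.name: classify_hash(entry.hash_field)["scheme"]
        for entry in map(parse_shadow_line, lines)
    }


# Constructed sample with the same field layout as the message; dummy hashes.
SAMPLE_SHADOW = [
    "root:xyJQkMn8hT2Ww:10009:-1:-1:-1:-1:-1:0",
    "tim:$1$saltsalt$abcdefghijklmnopqrstuv:9970:-1:-1:-1:-1:-1:0",
    "guest:!xyJQkMn8hT2Ww:10009:-1:-1:-1:-1:-1:0",
]

if __name__ == "__main__":
    for name, scheme in audit(SAMPLE_SHADOW).items():
        truncates = classify_hash(
            parse_shadow_line(next(l for l in SAMPLE_SHADOW if l.startswith(name + ":"))).hash_field
        )["truncates_at_8"]
        print(f"{name:8} {scheme:16} truncates_at_8={truncates}")
```

Run it against a real /etc/shadow (as root) with `audit(open("/etc/shadow").read().splitlines())` to see which accounts are still on 8-character DES hashes. Whether new passwords are written as MD5-crypt is decided by the PAM module configured for `passwd`, not by the hash already stored, which is why an account set under one PAM configuration can keep a different hash format from accounts changed later.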


