crypt function mode

Sudarshan Soma sudarshan12s at gmail.com
Wed Apr 22 05:33:55 UTC 2009


On Wed, Apr 22, 2009 at 2:48 AM, Martin <inkubus at interalpha.co.uk> wrote:
> On Sun, 2009-04-19 at 12:00 -0400, pam-list-request at redhat.com wrote:
>> >> Hi All,
>> >> Can anyone please let me know what block cipher mode (Electronic
>> >> Codebook Mode (ECB), Cipher Block Chaining Mode (CBC), ...)
>> >> the crypt function used in pam_unix uses?
>> > It doesn't.  These are for symmetric encryption, the crypt function uses
>> > them as a one way hash (that's why the later versions use MD5).
>> >
>> [Pavan] Thanks Martin. I was a bit confused when it says that crypt uses
>> a modified form of the DES algorithm
>> (http://en.wikipedia.org/wiki/Crypt_(Unix)#Modifications_of_the_traditional_scheme).
>>
>> So these cipher modes are not applicable for storing/verifying
>> passwords using crypt.
> No - they are a tool for a different job.
>
>> My requirement is to make passwords more secure.
> More secure against what?  Security is not a linear variable.  The
> storage format of the password hashes is almost certainly not the
> weakest link in the chain.
>
>> I think enabling shadow passwords (using pwconv) and MD5 hashes
>> (etc/sysconfig/authconfig) would be enough as the first step.
> Shadow passwords and using the MD5 based version of crypt are both good
> ideas and an improvement - whether they will be enough rather depends on
> your security policy.
>
[Pavan] I consider this change as my first step. I have to enable
symmetrically encrypted passwords (which can be decrypted and used for
other purposes) which are used on all the interfaces (telnet, ssh,
ftp, ...) for authentication.
I am trying to figure out if this can be achieved easily using the
pam_unix module. I will investigate this further and let you know my
findings.

Thanks for your help.

> Cheers,
>  - Martin
>



