crypt function mode

Martin inkubus at interalpha.co.uk
Thu Apr 23 21:29:19 UTC 2009


> On Wed, Apr 22, 2009 at 10:07 PM, Martin <inkubus at interalpha.co.uk> wrote:
> > <snip>
> >> >> I think enabling shadow passwords (using pwconv) and MD5 hashes
> >> >> (/etc/sysconfig/authconfig) would be enough as the first step.
> >> > Shadow passwords and using the MD5-based version of crypt are both
> >> > good ideas and an improvement - whether they will be enough rather
> >> > depends on your security policy.
> >> >
> >> [Pavan] I consider this change as my first step. I have to enable
> >> symmetrically encrypted passwords (which can be decrypted and used for
> >> other purposes)
> > Such as?  Passwords should only be used for authentication.  Reusing the
> > same token for something else increases the risk of them being
> > compromised.  Keeping passwords hashed is sufficient to perform
> > authentication and acts as an extra layer of defense should the password
> > file / database be compromised.
> >
> [pavan] not sure but something like single sign-on
This is authentication.  You can do this via PAM or things like
kerberos.  Personally I like the pam_ssh approach.  Effectively you want
the password to grant some kind of temporary authorisation token and
then use this for subsequent authorisations.

>  or communicating with redundant systems,
Probably best done at system level (invisibly to users) or using
something like single sign on, SSH keys, etc.

What problem are you trying to solve?  If you're doing this for fun / as
a learning exercise then there are, IMHO, more useful things that could
be done with PAM / authentication / crypto.

Cheers,
 - Martin
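The hashing point made in the reply above, worked through in code. This is an added example, not code from the list thread, from glibc, or from any PAM module: it re-implements the MD5-based crypt(3) scheme ("$1$", the mode pwconv/authconfig turn on) in pure Python and then shows the only operation a login ever needs, re-hashing the candidate with the stored salt and comparing, so nothing is ever decrypted. The password "hashcat" and the expected hash in the `__main__` block are the md5crypt example pair published in hashcat's documentation (an assumption used here as a known-answer check); the shadow record for user `pavan` is constructed for this example and does not come from any real system.

```python
"""MD5-based crypt(3) ("$1$") and one-way verification, in pure Python.

Added example, not code from the mailing-list thread, glibc or PAM.  The
construction follows the original FreeBSD/glibc md5crypt algorithm.
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """crypt(3)'s little-endian base-64: `count` chars, 6 bits each, low bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the "$1$salt$hash" string for `password`, as crypt(3) would."""
    pw = password.encode("utf-8")
    # crypt(3) accepts a full "$1$salt$hash" as its salt argument: keep only
    # the salt body, at most 8 characters.
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]
    sb = salt.encode("ascii")

    ctx = hashlib.md5(pw + MAGIC + sb)
    # "Alternate" digest of password+salt+password, fed in one byte per password byte.
    final = hashlib.md5(pw + sb + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(final[:min(16, pl)])
    # Quirk of the original: for every bit of len(password), feed a NUL byte
    # (bit set) or the first password byte (bit clear).
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching: this is what makes $1$ slower to brute-force
    # than a plain MD5 of the password.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # Byte-shuffled encoding of the 16-byte result into 22 characters.
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return f"$1${salt}${encoded}"


def new_hash(password: str) -> str:
    """What gets stored in /etc/shadow: the hash under a fresh random 8-char salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5crypt(password, salt)


def verify(password: str, stored: str) -> bool:
    """One-way check: re-hash with the salt embedded in `stored` and compare in
    constant time.  Nothing is decrypted, which is all a login needs."""
    if not stored.startswith("$1$"):
        return False
    return hmac.compare_digest(md5crypt(password, stored), stored)


def check_shadow_line(line: str, password: str) -> bool:
    """Check a candidate password against one shadow(5) record (name:hash:...)."""
    fields = line.split(":")
    return len(fields) > 1 and verify(password, fields[1])


# Constructed sample record for this example, not from any real system.
SAMPLE_SHADOW = "pavan:" + md5crypt("correct horse", "ab12CD34") + ":14357:0:99999:7:::"

if __name__ == "__main__":
    # Known-answer pair taken from hashcat's published example hashes (assumption).
    print(md5crypt("hashcat", "28772684"))   # $1$28772684$iEwNOgGugqO9.bIz5sk8k/
    print(check_shadow_line(SAMPLE_SHADOW, "correct horse"))  # True
    print(check_shadow_line(SAMPLE_SHADOW, "wrong"))          # False
    print(verify("x", new_hash("x")))                         # True
```

The MD5 scheme is shown because it is what the thread is about; on a current glibc system the same step is pwconv plus the `$6$` (sha512-crypt) or yescrypt method, and `verify` above works unchanged in shape, only the hashing routine differs. The salt is stored in the clear inside the hash string, which is fine: its job is to make precomputed tables useless, not to be secret, and `hmac.compare_digest` keeps the comparison from leaking how many leading characters matched.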