[rhelv6-list] getent weirdness (was: nscd weirdness)

Stephen John Smoogen smooge at gmail.com
Thu Dec 9 22:29:16 UTC 2010


On Thu, Dec 9, 2010 at 14:55, Kinzel, David <David.Kinzel at encana.com> wrote:
> What seems wrong is wanting the password hash to be given to regular
> users.
>
> Why?

For many environments this is considered a secure information
disclosure or security incident. I have been at several places where a
user decided that using a for loop to get everything out of getent and
then running crack/john was the best way to spend a weekend. While the
newer hashes provided by RHEL-5/RHEL-6 take longer to crack, you can
still get a lot of easy fish over the weekend.

[And if your system must use some old tools/databases for legacy
applications.. you may be stuck with DES hashes for some or all
users.. those are really quick to get.]


-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren
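The exposure Stephen describes can be checked from the defender's side. The POSIX shell audit below is an added example, not part of the thread: it reads passwd/shadow-style lines (the output of `getent passwd` or `getent shadow` run as an unprivileged user) and reports every account whose password field carries a real hash instead of a placeholder, singling out the legacy DES form he mentions. The function names and the sample input are my own.

```shell
#!/bin/sh
# Added audit example (not from the thread). Run as an ordinary user:
#   getent passwd | audit_entries ; getent shadow | audit_entries
# Every line it prints is a hash that any local user can read over NSS.

# classify_hash FIELD -> placeholder | des | md5 | sha256 | sha512 | other
classify_hash() {
    case "$1" in
        x|'*'|'!'|'!!'|'')   echo placeholder ;;   # hash lives elsewhere or locked
        '$1$'*)              echo md5 ;;
        '$5$'*)              echo sha256 ;;
        '$6$'*)              echo sha512 ;;
        *)
            # Traditional DES crypt(3): exactly 13 chars drawn from [A-Za-z0-9./]
            if [ "${#1}" -eq 13 ] &&
               [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9./')" ]; then
                echo des
            else
                echo other
            fi ;;
    esac
}

# audit_entries: reads colon-separated entries on stdin, prints "user type"
# for each exposed hash. Exit status 0 = nothing exposed, 1 = at least one.
audit_entries() {
    found=0
    while IFS=: read -r user pw _rest; do
        [ -z "$user" ] && continue
        case "$user" in '#'*) continue ;; esac      # skip comment lines
        t=$(classify_hash "$pw")
        [ "$t" = placeholder ] && continue
        printf '%s %s\n' "$user" "$t"
        found=1
    done
    return "$found"
}

# Constructed sample: one shadowed entry, one SHA-512 hash, one DES hash.
sample='alice:x:1000:1000::/home/alice:/bin/sh
bob:$6$salt$hashvalue:18000:0:99999:7:::
carol:AbCdEfGhIjKl1:18000:0:99999:7:::'

printf '%s\n' "$sample" | audit_entries || echo "exposed hashes found"
```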