[Linux-disciples] Shadow passwords and NIS
Dylan Thurston
dpt at exoskeleton.math.harvard.edu
Wed Jun 9 00:29:07 EDT 2004
On Tue, Jun 08, 2004 at 10:53:19PM -0400, Stephen R Laniel wrote:
> On Tue, Jun 08, 2004 at 07:35:56PM -0400, Dylan Thurston wrote:
> > Why use shadow passwords at all? If you use md5 passwords and everyone
> > uses secure passwords (as they should anyway), it's still secure.
>
> Ah. Here's where I discover my ignorance. See, I thought
> that *all* Linux passwords were shadow passwords. By 'shadow
> password', I thought we just meant 'a file that stores
> encrypted copies of the passwords on disk.' And since no one
> stores cleartext passwords on disk, I thought that we were
> all in some way or another using shadow passwords.
No. 'shadow password file' means 'a _read-protected_ file that
stores...' Traditionally, the encrypted passwords were stored in
/etc/passwd, which contains other information that must be
world-readable. Then somebody decided that this was a bad idea, since
an attacker could take the password file and try to crack it off-line;
so the password information from /etc/passwd was moved into /etc/shadow,
which contains only the password information and is not world-readable.
See 'pwconv' and 'pwunconv'.
> So: where should I read about how passwords *actually* work?
> 'apropos md5' only gives the list below, which doesn't seem
> to be what I want.
I'm not sure what in the list enables this, but on Debian you say 'yes'
to 'Enable md5 passwords'. I think it's a debconf question in
base-files.
Peace,
Dylan
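As an added illustration of the distinction Dylan draws above (a hash sitting in world-readable /etc/passwd versus one moved by pwconv into read-protected /etc/shadow), here is a small POSIX shell audit. It is example code written for this page, not from the original thread or from the shadow-utils package; the sample passwd lines, user names and hash strings are constructed placeholders, and the hash-prefix table covers only the crypt(3) formats listed in the comments.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for password hashes that
# belong in /etc/shadow, and check that a shadow file is read-protected.

# Constructed sample of a pre-pwconv /etc/passwd. Hashes are placeholders.
SAMPLE_PASSWD='root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:XXaBcDeFgHiJk:1001:1001:Old DES hash:/home/legacy:/bin/sh
locked:*:1002:1002:No password:/home/locked:/bin/sh
bob:!$6$saltsalt$placeholderhash:1003:1003:Locked, hash kept:/home/bob:/bin/sh
alice:x:1004:1004:Alice:/home/alice:/bin/sh'

# Classify a crypt(3) password field by its prefix.
# "none" means there is nothing an offline cracker could work on.
hash_kind() {
    h=$1
    # A leading '!' marks a locked account; any hash after it is still a hash.
    case "$h" in '!'*) h=${h#!} ;; esac
    case "$h" in
        ''|x|'*'|'!')  echo none ;;         # shadowed, disabled, or empty
        '$1$'*)        echo md5crypt ;;     # the "md5 passwords" option
        '$5$'*)        echo sha256crypt ;;
        '$6$'*)        echo sha512crypt ;;
        '$y$'*)        echo yescrypt ;;
        '$2'[aby]'$'*) echo bcrypt ;;
        *) if [ "${#h}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
    esac
}

# Read passwd-format lines on stdin; print user:kind for every entry whose
# password field still holds a real hash (what pwconv would move out).
unshadowed_hashes() {
    while IFS=: read -r user pw rest; do
        case "$user" in ''|'#'*) continue ;; esac
        kind=$(hash_kind "$pw")
        if [ "$kind" != none ]; then
            printf '%s:%s\n' "$user" "$kind"
        fi
    done
}

# Return 0 if FILE is not world-readable (the property that makes
# /etc/shadow "shadow"), 1 if the "other" read bit is set.
# Uses ls(1) column 8 so it does not depend on GNU stat(1).
shadow_is_protected() {
    case "$(ls -ld "$1")" in
        ???????r*) return 1 ;;
        *)         return 0 ;;
    esac
}

main() {
    echo "Accounts whose hash is exposed in the sample passwd file:"
    printf '%s\n' "$SAMPLE_PASSWD" | unshadowed_hashes
    if [ -e /etc/shadow ]; then
        if shadow_is_protected /etc/shadow; then
            echo "/etc/shadow is read-protected"
        else
            echo "WARNING: /etc/shadow is world-readable"
        fi
    fi
}

main "$@"
```

On a system converted with pwconv the first check prints nothing for the real /etc/passwd (every password field is `x`), and pwunconv puts the hashes back, which is exactly the state the script flags; a locked account such as `bob` above still carries a crackable hash behind the `!`, so it is reported rather than skipped.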