[16] in linux-security and linux-alert archive
Re: Shadow Passwords?
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Mon Mar 6 17:23:40 1995
From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Mon, 6 Mar 1995 21:14:39 +0100 (MET)
In-Reply-To: <199503061750.MAA02242@portal.stwing.upenn.edu> from "Roman Gollent" at Mar 6, 95 12:50:08 pm
Reply-To: linux-security@tarsier.cv.nrao.edu

Thus spake thou, Roman Gollent:
>
> I was wondering if there was ever going to be a move to make shadowing
> a standard, ie: Have all distributions come with shadowing by
> default. Since there are many other Un*x os that come with shadowing
> turned on, why can't the same be done for Linux distributions, or at
> least the popular ones? This isn't a criticism, just an open question.
>
There used to be some flamage over the copyright status of JF Haugh's
shadow suite. As a consequence, he took part of the library and released
it under the GPL; it's basically the set/getspent group of functions.

In my opinion, shadow passwords can't be the ultimate in password
security. The biggest problem I see with them is that they're moot in
a YP environment. Adding a proactive password checker to passwd and
yppasswd instead could give you a big advantage over programs such as
crack that have to chew on the encrypted passwords. Plus it saves you
a lot of hassle with programs you'd otherwise have to modify (rlogind,
rshd, ftpd, xdm, and probably a few more).

I remember there was some talk that the new version of crack would
contain a cracklib that could be easily integrated into other programs.
Does anyone know more about this?

Regards,
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
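
Added example, not part of the original message and not code from passwd, yppasswd, crack or cracklib: a sketch in C of the kind of proactive check the message proposes, run when a password is changed so that login-derived and dictionary-derived choices are refused before they are ever hashed. The function names, the verdict enum and the four-word list are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <string.h>

enum pw_verdict { PW_OK, PW_TOO_SHORT, PW_FROM_LOGIN, PW_FROM_DICT };

/* Constructed sample word list; a real checker would load a system dictionary. */
static const char *const sample_words[] = { "password", "secret", "linux", "wizard", NULL };

/* Lowercase src into dst, dropping trailing digits/punctuation ("Wizard95!" -> "wizard"). */
static void normalize(const char *src, char *dst, size_t cap)
{
    size_t n = strlen(src);
    if (n >= cap)
        n = cap - 1;
    while (n > 0 && !isalpha((unsigned char)src[n - 1]))
        n--;
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[n] = '\0';
}

/* True if cand equals word read forwards or backwards. */
static int same_or_reversed(const char *cand, const char *word)
{
    size_t n = strlen(word);
    if (strlen(cand) != n)
        return 0;
    if (strcmp(cand, word) == 0)
        return 1;
    for (size_t i = 0; i < n; i++)
        if (cand[i] != word[n - 1 - i])
            return 0;
    return 1;
}

/* Run at password-change time, before the new password is hashed and stored. */
enum pw_verdict check_new_password(const char *login, const char *candidate)
{
    char cand[128], name[128];
    if (strlen(candidate) < 6)
        return PW_TOO_SHORT;
    normalize(candidate, cand, sizeof cand);
    normalize(login, name, sizeof name);
    if (name[0] != '\0' && same_or_reversed(cand, name))
        return PW_FROM_LOGIN;
    for (size_t i = 0; sample_words[i] != NULL; i++)
        if (same_or_reversed(cand, sample_words[i]))
            return PW_FROM_DICT;
    return PW_OK;
}
```

Because the check runs in the password-changing program itself, it applies equally to local and YP-distributed accounts, which is the case the message says shadowing does not cover.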