[24] in linux-security and linux-alert archive
Re: Shadow Passwords?
daemon@ATHENA.MIT.EDU (Ian A. McCloghrie)
Mon Mar 6 20:18:59 1995
To: linux-security@tarsier.cv.nrao.edu
In-reply-to: Message from Roman Gollent <roman@portal.stwing.upenn.edu>
of "Mon, 06 Mar 1995 12:50:08 EST." <199503061750.MAA02242@portal.stwing.upenn.edu>
Date: Mon, 06 Mar 1995 12:51:56 -0800
From: "Ian A. McCloghrie" <ian@egbt.org>
Reply-To: linux-security@tarsier.cv.nrao.edu

On Mar 6, 1995 Roman Gollent wrote:
> I was wondering if there was ever going to be a move to make shadowing
> a standard, i.e.: Have all distributions come with shadowing by
> default. Since there are many other Un*x os that come with shadowing
> turned on, why can't the same be done for Linux distributions, or at
> least the popular ones? This isn't a criticism, just an open question.

IMHO, the security/cost ratio for shadow passwords is quite low.
The added benefit of hidden encrypted passwords is relatively small,
and the hassle of having to hack every package that wants to do
user authentication before installing it is rather large. Most Linux
systems are used by a single person, often not on any network at all,
where the likelihood of having untrustworthy users is quite small.
Shadow passwords don't buy much on your average Linux system.
(Linux systems being used for Internet Service Providing are another
question entirely, of course).
--
Ian McCloghrie work: ianm@qualcomm.com home: ian@egbt.org
____ GCS d-- H- s+:+ !g p?+ au a- w+ v- C+++$ UL++++ US++$ P+>++
\bi/ L+++ 3 E+ N++ K--- !W--- M-- V-- -po+ Y+ t+ 5+++ jx R G''''
\/ tv- b+++ D- B--- e- u* h- f+ r n+ y*
The above represents my personal opinions and not necessarily those
of my employer, Qualcomm Inc.