[40] in linux-security and linux-alert archive
Re: Shadow Passwords?
daemon@ATHENA.MIT.EDU (Piers Cawley)
Tue Mar 7 07:41:23 1995
Date: Tue, 7 Mar 1995 10:14:31 +0000 (GMT)
From: Piers Cawley <pdcawley@ftech.co.uk>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199503062005.PAA00229@mykonos.rc.rit.edu>
Reply-To: linux-security@tarsier.cv.nrao.edu
On Mon, 6 Mar 1995, Kyriakos Georgiou wrote:
> Point well taken about shadow passwds, but..
> Lots of existing programs/utilities rely on the 'normal' /etc/passwd
> I guess the drawback of shadow'ing is the need of shadow-aware
> daemons/programs.
There's not /that/ much stuff that legitimately needs access to the password
field of the passwd file... (Although I did get caught out when I
supplied a customer with a copy of popper which had been compiled for the
shadow passwords he didn't have...)
> A cute solution is a smarter 'passwd' program (don't allow dictionary
> words, follow simple rules which make brute force cracking impossible,
> yet such passwd restrictions may be unacceptable to users :-)
Can I just put a word in here for the perl based passwd program that's in
the back of the camel book? This is smart enough to work with either
shadow or standard password files and has a bewildering variety of checks
available to build a safe password. It's also a damn sight better than
the shadow suite's version of passwd which restricts the search space by
insisting on a minimum length, a number or two, and mixed case... Larry's
just throws out your password if it's not safe, with some explanation as
to why.
Piers Cawley -- Systems Sheriff on the Frontier Internet Service
Frontier Internet -- Sellers of Web Space and Internet Connectivity