[49] in linux-security and linux-alert archive
Re: Shadow Passwords?
daemon@ATHENA.MIT.EDU (Bruce Thompson)
Tue Mar 7 15:44:06 1995
Date: Tue, 7 Mar 1995 09:47:26 -0800
To: linux-security@tarsier.cv.nrao.edu
From: bruce@newton.apple.com (Bruce Thompson)
Reply-To: linux-security@tarsier.cv.nrao.edu
>Date: Mon, 6 Mar 1995 19:59:16 -0500
>From: Rik Faith <faith@cs.unc.edu>
>
>In general the "shadow password" technique is set up as follows: For all
>entries in the /etc/passwd file, the encrypted passwords are moved to
>another file, such as /etc/shadow. While /etc/passwd needs to be readable
>by anyone on the system, /etc/shadow needs only to be readable by a
>restricted group, perhaps only the superuser. This is supposed to keep
>adversaries from obtaining the encrypted password list and running a
>dictionary attack against it.
>
>This idea of "information hiding" is one of many techniques that broadly
>fit under the category of "security through obscurity." Based on people
>who I have talked with in the Linux community, there are two main opinions
>about "security through obscurity": 1) it might help and it can't hurt, so
>let's use it; and 2) it actually can hurt because it provides a false sense
>of security and should not be used.
>
[
I've cut out a whole section on why a proactive password program is a
good thing. My comments are _not_ directed towards that section, which I
whole-heartedly agree with.
]
Though I don't necessarily endorse the particular implementation of shadow
passwords under discussion, I must disagree with some of the analysis
above.
The whole point of shadow passwords is to prevent _unprivileged_ access to
the encrypted passwords. If an attacker has root access, your system is
already compromised. It no longer matters whether the attacker can see the
encrypted passwords.
If an unprivileged attacker cannot read the encrypted passwords, then a
dictionary attack cannot be attempted. Preventing a dictionary attack
closes one of the biggest holes in password security.
This should not be confused with so-called "security by obscurity". In
common usage, "security by obscurity" relates to the practice of not
publishing details of how to exploit weaknesses in various systems. For
example, the infamous DEBUG bug in Sendmail of a few years ago could be
exploited by _unprivileged_ users to gain root access to a system. Relying
on the fact that few people knew how to exploit the bug is "security by
obscurity". The information hiding that a shadow suite provides is, most
emphaticly not. In general, "security by obscurity" is a smokescreen, no
substance. A shadow suite however does indeed provide some real protection.
Cheers,
Bruce.
-----------------------------------------------------------------------------
Bruce Thompson | "Never put off until tomorrow what you can
PIE Developer Information Group | comfortably put off til next week"
Apple Computer Inc. | -- Unknown
408 974 8018 |
bruce@newton.apple.com |
AppleLink: bthompson |
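As an added example (not part of Bruce's or Rik's messages), a small POSIX sh audit for the two properties the thread turns on: that no hash is left behind in the world-readable passwd-format file, and that the shadow file is not readable by group or other. The sample files, user names and hash strings are constructed here, not taken from any real system.

```shell
#!/bin/sh
# Audit the two conditions a shadow setup depends on:
#  1. every entry in the passwd-format file has a placeholder (x, *, !...)
#     in field 2, so no hash sits in a file every local user can read;
#  2. the shadow file is not readable by group or other.
# All sample data below is constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample passwd: "alice" is shadowed, "bob" still carries a
# legacy hash in field 2, "nobody" is locked with "*".
SAMPLE_PASSWD="$WORK/passwd"
printf '%s\n' \
  'root:x:0:0:root:/root:/bin/sh' \
  'alice:x:1000:1000:Alice:/home/alice:/bin/sh' \
  'bob:ab/LEGACYHASH00:1001:1001:Bob:/home/bob:/bin/sh' \
  'nobody:*:65534:65534:nobody:/:/bin/false' > "$SAMPLE_PASSWD"

# Constructed sample shadow file, deliberately left world-readable (644).
SAMPLE_SHADOW="$WORK/shadow"
printf '%s\n' 'root:!:0:0:99999:7:::' \
  'alice:$6$constructed$hash:0:0:99999:7:::' > "$SAMPLE_SHADOW"
chmod 644 "$SAMPLE_SHADOW"

# Print the login names whose password field is anything but a placeholder.
unshadowed_entries() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Return 0 if group (position 5) or other (position 8) has read permission.
readable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????r*|???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both checks; return 1 if either fails, naming what to fix.
audit() {
    rc=0
    exposed=$(unshadowed_entries "$1")
    [ -n "$exposed" ] && { echo "hashes still in $1 for: $exposed"; rc=1; }
    readable_by_others "$2" && { echo "$2 readable by group/other: chmod 600 $2"; rc=1; }
    return $rc
}

audit "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || echo "audit: problems found (expected for the sample)"
```

On a real host run `audit /etc/passwd /etc/shadow` as root; a clean result prints nothing and returns 0.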