[62] in linux-security and linux-alert archive
Re: Shadow discussions ... don't forget skey
daemon@ATHENA.MIT.EDU (Tom Dunigan 576-2522)
Wed Mar 8 11:53:27 1995
Date: Wed, 8 Mar 1995 07:39:23 -0500
From: Tom Dunigan 576-2522 <dunigan@thdsun.epm.ornl.gov>
To: linux-security@tarsier.cv.nrao.edu
Reply-To: linux-security@tarsier.cv.nrao.edu

>I have the feeling this discussion about shadow passwords is not
>leading anywhere useful at the moment. As Rik explained, there are
>good reasons why the shadow suite has been removed from most Linux
>distributions, and I would expect things to stay that way. There are
>better alternatives; proactive checking being but one. Another is
>Kerberos.

Strong passwords, shadowed, and kerberized are still vulnerable
to sniffer attacks. You should consider one-time passwords
if you have users logging in to your Linux boxes from
remote sites (e.g., universities). Hackers have elegant
sniffer programs that capture clear text passwords off
LANs.

We use the skey (soft key, one-time passwords) on our Linux
boxes and other Unix boxes. Various mods for skey have
appeared on sunsite. We just patched login.c and wu.ftpd.c
and replaced su with keysu to implement skey on Linux.
skey doesn't require any hardware or a "card".

skey is part of the logdaemon package and uses tcpwrappers, see
ftp://ftp.win.tue.nl/pub/security

Original skey stuff was developed at Bellcore, see
ftp://ftp.bellcore.com/pub/nmh
and see the PostScript paper there:
ftp://ftp.bellcore.com/pub/nmh/docs/ISOC.symp.ps
and RFC 1760 ftp://ds.internic.net/rfc/rfc1760.txt

Tom
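
Why a sniffed one-time password cannot be reused, shown as an added example that is not part of the original message and is not the skey or logdaemon code. It is a simplified hash-chain sketch of the RFC 1760 scheme and does not interoperate with real skey: SHA-256 stands in for MD4, and the names `step`, `otp`, `Server` and the seed and pass phrase are hypothetical, constructed values.

```python
import hashlib
import hmac

def step(value: bytes) -> bytes:
    """One hash step: SHA-256 (stand-in for RFC 1760's MD4), XOR-folded to 64 bits."""
    digest = hashlib.sha256(value).digest()
    out = bytearray(8)
    for i, b in enumerate(digest):
        out[i % 8] ^= b
    return bytes(out)

def otp(seed: str, secret: str, n: int) -> bytes:
    """One-time password number n: the initial step over seed+secret, then n more steps."""
    value = step((seed + secret).encode())
    for _ in range(n):
        value = step(value)
    return value

class Server:
    """Hypothetical login server: stores the last accepted password, never the secret."""
    def __init__(self, seed: str, last: bytes, count: int):
        self.seed, self.last, self.count = seed, last, count

    def challenge(self):
        # Sent in clear: which password in the sequence is wanted, and the seed.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:
            return False  # sequence used up; the user must re-initialise
        if not hmac.compare_digest(step(response), self.last):
            return False
        self.last, self.count = response, self.count - 1
        return True

def demo():
    seed, secret = "th12345", "constructed pass phrase"  # constructed sample values
    server = Server(seed, otp(seed, secret, 99), 99)
    n, s = server.challenge()
    on_the_wire = otp(s, secret, n)          # all a sniffer on the LAN would capture
    first = server.verify(on_the_wire)       # legitimate login
    replay = server.verify(on_the_wire)      # same bytes presented again
    n, s = server.challenge()
    nxt = server.verify(otp(s, secret, n))   # user's next login still works
    return first, replay, nxt

if __name__ == "__main__":
    print(demo())
```

The captured value only hashes forward to passwords the server has already consumed; the next login needs the preimage, which requires the secret.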