[9] in linux-security and linux-alert archive
Re: Shadow Passwords?
daemon@ATHENA.MIT.EDU (Daniel Hollis)
Mon Mar 6 06:35:54 1995
From: dhollis@hq.jcic.org (Daniel Hollis)
To: linux-security@tarsier.cv.nrao.edu
Date: Sun, 5 Mar 1995 22:21:33 -0800 (PST)
In-Reply-To: <Pine.ULT.3.91.950305195435.16668A-100000@atto.engr.mun.ca> from "Don Bennett" at Mar 5, 95 07:59:45 pm
Reply-To: linux-security@tarsier.cv.nrao.edu
> Would someone either tell me or point me towards a FAQ on shadow
> passwords? I'd like to know what exactly they are and how I implement
> them on my Linux box. I've been using Linux for about a year now, so
> I'm not entirely green. Last time I checked, there wasn't a Security or
> Shadow HOWTO. Thanks for your help.
One of the most common hacker techniques is grabbing your /etc/passwd and
running it against a dictionary. This only reveals poorly chosen
passwords, but should not be possible at all. Shadow passwords defeat this.
Shadow passwords remove the encrypted password field from /etc/passwd
completely, and put it into a non-world-readable file. There are other
advantages to using the shadow password suite such as better logging, and
password expiration, etc.
Unfortunately the shadow password suite is not very well documented, but
all you have to do is 'make' the package, 'make install', then 'make pwconv'.
Run the pwconv program while in /etc. It will create two files, npasswd
and nshadow. Just mv npasswd passwd and mv nshadow shadow and you're set.
Oh, be sure to put the login.defs file into /etc and edit it, otherwise
you won't be able to login :)
You will need replacement shadow-aware daemons for a number of programs,
however: ftp, pop (if you run a pop server), xdm (if you run xdm), etc.
Generally anything that has to do with passwords, including adduser. The
shadow suite provides a replacement login program, so you don't have to
worry about login.
-Dan
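The reply above describes the condition shadow passwords fix (hashes sitting in the world-readable /etc/passwd) and the pwconv step that moves them out. The script below is an added example, not part of the original post or the shadow suite: it audits a passwd-format file for accounts whose password field still holds a hash or is empty, and checks that a shadow file is not world-readable. It assumes POSIX sh, awk and ls; the file paths are passed as arguments, and the sample entries in demo() are constructed with fake hash strings.

```shell
#!/bin/sh
# Added example (not from the original post): audit for unshadowed hashes
# and for a world-readable shadow file.
# Assumptions: POSIX sh, awk, ls and mktemp are available.

# Print, one per line, users whose second passwd field still carries a
# password hash. "x" is the placeholder pwconv writes; "*", "!" and "!!"
# mark locked accounts; an empty field is reported separately below.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "" { print $1 }' "$1"
}

# Print users whose passwd field is empty: such accounts need no password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Succeed only when "others" hold no permission bits on the file, i.e. the
# file is not world-readable. Columns 8-10 of ls -ld are the others rwx.
not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Run all checks on a passwd file and a shadow file; exit 0 if clean.
audit_password_files() {
    passwd_file=$1
    shadow_file=$2
    status=0
    hashed=$(unshadowed_accounts "$passwd_file")
    if [ -n "$hashed" ]; then
        echo "hashes still in $passwd_file for: $(echo "$hashed" | tr '\n' ' ')"
        status=1
    fi
    empty=$(empty_password_accounts "$passwd_file")
    if [ -n "$empty" ]; then
        echo "empty password field in $passwd_file for: $(echo "$empty" | tr '\n' ' ')"
        status=1
    fi
    if [ ! -f "$shadow_file" ]; then
        echo "no shadow file at $shadow_file (run pwconv)"
        status=1
    elif ! not_world_readable "$shadow_file"; then
        echo "$shadow_file is world-readable: $(ls -ld "$shadow_file")"
        status=1
    fi
    return $status
}

# Self-contained demonstration on constructed files: one account converted
# by pwconv, one never converted (hash still in passwd), one locked system
# account, and a shadow file deliberately left world-readable. Returns the
# audit status (1 here, since two problems are present).
demo() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/passwd"
    printf 'alice:$1$fakesalt$fakehashvalue:1000:1000:Alice:/home/alice:/bin/sh\n' >> "$dir/passwd"
    printf 'nobody:*:65534:65534:nobody:/:/bin/false\n' >> "$dir/passwd"
    printf 'root:$1$fakesalt$fakehashvalue:9000:0:99999:7:::\n' > "$dir/shadow"
    chmod 644 "$dir/shadow"
    audit_password_files "$dir/passwd" "$dir/shadow"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage: sh audit.sh /etc/passwd /etc/shadow   (run with no arguments
# to see the constructed demo).
if [ "$#" -eq 2 ]; then
    audit_password_files "$1" "$2"
elif [ "$#" -eq 0 ]; then
    demo
fi
```

On a converted system the first two checks should print nothing and /etc/shadow should show mode 600 or 640 (the latter with a dedicated shadow group); a hash in the second field of /etc/passwd means pwconv was never run, or that a non-shadow-aware tool such as an old adduser wrote the entry directly, which is the reason the reply insists on shadow-aware replacements.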