LinuxSA Mailing list archives

  From: Przychodzen, Jase (DOT) <Jase.PRZYCHODZEN@roads.sa.gov.au>
  To  : 'linuxsa@linuxsa.org.au' <linuxsa@linuxsa.org.au>
  Date: Wed, 02 Jul 1997 10:37:10 +0930

RE: Shadow Passwords

>----------
>From: 	Peter McCarthy[SMTP:mccarthy@mail.austasia.net]
>Sent: 	Wednesday, 2 July 1997 9:37
>To: 	'Linux Red Hat'
>Subject: 	Shadow Passwords
>
>Hi all, I have been reading with great interest the last few messages on
>security as I am about to put my box online, thanx for that.
>I used to use slackware but have just gone over to Red Hat to see what all
>the fuss is about :) so expect to see a few questions from me till I find my
>footing.
>One such question is about shadow passwords. What are they and how are they
>used? I am probably showing my ignorance here but I have never come across
>them before.  Thanx

One of the more apparent and exploitable flaws in Unix security (some
would say that is an oxymoron) is the ability of anyone with even basic
computer skills to run a password cracker on the password list.

The best way to address it (besides choosing very long and cryptic
passwords) is to set up shadowed passwords on your box.
All the entries in your password files will look like:
root:*:...
instead of
root:AJka18A0901ag:...

There will be another 'real' password file on your system (on HPs it's in
the /.secure dir); the access rights to that file are those of a root user.

As far as I know the only way you can get at this one is by using very
obscure bugs in the OS (correction anyone?).
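
The check implied by the reply above, as an added example that is not part of the original post: it reads passwd-format lines and reports every account whose second field is not a shadow placeholder, then tests whether the shadow file is world-readable. The `x` placeholder and the `/etc/shadow` path are Linux shadow-suite conventions assumed here; the `alice` and `guest` entries are constructed.

```python
import os
import stat

# Placeholders meaning "the real hash lives in the shadow file": "*" as in
# the post, "x" as used by the Linux shadow suite (assumption, not from the post).
PLACEHOLDERS = {"x", "*"}

def classify_field(pw_field):
    """Classify the second field of a passwd(5) entry."""
    if pw_field == "":
        return "empty"            # account has no password at all
    if pw_field in PLACEHOLDERS:
        return "shadowed"
    if pw_field.startswith(("!", "*")):
        return "locked"           # e.g. "!!" or "*LK*": no hash can match
    return "hash-exposed"         # crypt() hash readable by every local user

def audit_passwd(lines):
    """Return {username: status} for every entry that is not shadowed."""
    findings = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:       # passwd(5) entries have seven fields
            findings[fields[0]] = "malformed"
            continue
        status = classify_field(fields[1])
        if status != "shadowed":
            findings[fields[0]] = status
    return findings

def world_readable(path):
    """True if users other than owner and group can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

# Constructed sample in passwd(5) format; the root hash is the one quoted in the post.
SAMPLE = """\
root:AJka18A0901ag:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
""".splitlines()

if __name__ == "__main__":
    for user, status in audit_passwd(SAMPLE).items():
        print(f"{user}: {status}")
    if os.path.exists("/etc/shadow"):
        print("shadow file world-readable:", world_readable("/etc/shadow"))
```

On a real system, pass `open("/etc/passwd")` to `audit_passwd`; an empty result together with a non-world-readable shadow file is the state the reply describes.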



