Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!uwm.edu!zaphod.mps.ohio-state.edu!usc!ucsd!ucbvax!WLV.IMSD.CONTEL.COM!sms
From: sms@WLV.IMSD.CONTEL.COM (Steven M. Schultz)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: abolishing /etc/passwd (was Re: anonymous ftp, and the dangers thereof)
Message-ID: <9006072058.AA06071@WLV.IMSD.CONTEL.COM>
Date: 7 Jun 90 20:58:40 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 46

Dennis:

>From drears@PICA.ARMY.MIL Thu Jun 7 13:16:46 1990
>>"Steven M. Schultz" writes:
>> just a "thought" - if the (shadow)file is non-world readable and the
>> system is administered "correctly" then why bother with
>> encryption at all ;-)
>
> Just in case one of the system admins is a bad guy or becomes a
>bad guy. I have three passwords for 30+ systems of which I only
>administrate 12 of them. If my password was available in the clear to
>system administrators on the other machines, they would have my passwords
>to all my accounts which is not a good idea. Also, what do you do when
>you fire a system administrator for bad conduct? If he had access to
>those clear passwords, every password would have to be changed.

i thought i was being only semi-serious... guess i didn't make that
clear enough.

the thought at the time was that the file being non-world readable
excludes anyone BUT a sysadmin from even knowing if there is a
password present, much less whether it's encrypted or not. besides
the sysadmin is being trusted not to install password snarfing versions
of programs, isn't he?

after obtaining (or already possessing) sufficient privs to read the
"non-world readable file" a person (sysadmin or badguy) neither knows
nor cares what passwords are - at that point the person can do
anything he wants to.

do the other sysadmins have sysadmin privs on the system(s) you
administer? if not, then they wouldn't be able to read the
"non-world readable" file in the first place. if they do have privs
on your systems, then they can do anything you can and don't need to
know the passwords anyhow.

you mean you don't change passwords when sysadm types leave (especially
when they're TOLD to leave)? when someone in as trusted a capacity
as that leaves (on bad terms especially) i'd think that there'd be
a fair amount of concern over possible dummy privd account left
behind, and the like.

no, i'm not advocating removal of encryption.

Steven