Path: utzoo!mnetor!uunet!husc6!cmcl2!brl-adm!brl-smoke!gwyn
From: gwyn@brl-smoke.ARPA (Doug Gwyn )
Newsgroups: sci.crypt
Subject: Re: Re: Unix Password Hacker
Message-ID: <7317@brl-smoke.ARPA>
Date: 22 Feb 88 17:22:19 GMT
References: <731@ddsw1.UUCP> <657@morningdew.BBN.COM> <24582@cca.CCA.COM> <7271@brl-smoke.ARPA> <205@tijc02.UUCP>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Distribution: na
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 18

In article <205@tijc02.UUCP> pjs269@tijc02.UUCP (Paul Schmidt) writes:
>> Much better is simply keeping the encrypted passwords in a file that is
>> not publicly readable. ...
>Unfortunately you cannot do this in UNIX System V (as soon as you do, it
>is no longer System V). I don't know about other UNIX systems.
>"The IEEE Trial-Use Standard for Portable Operating System for Computer
>Environments" will also need read privilege on the password file. It seems
>some operating systems have ignored your suggestion in the past and will
>continue to do so.

You're wrong. The SVID permits an empty field in /etc/passwd with
the real passwords stored elsewhere (I suggested "*" in the field,
rather than empty, because currently an empty field is taken to mean
that no password is required). IEEE 1003.1 (POSIX) no longer requires
the password to be stored in /etc/passwd either. It seems some
operating system specifiers agree with my suggestion now and will
continue to do so.
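
The distinction drawn in the post above (empty password field, "*" placeholder, or a hash left in the publicly readable file) can be checked mechanically. The following is an added example, not part of the original post: the function names, the status labels, the "x" marker (the later shadow-suite convention) and the sample entries are all assumptions or constructed for illustration.

```python
# Added example: classify the password field of passwd-format lines.
# SAMPLE is constructed; "saEXAMPLEhash" is a made-up stand-in for crypt output.

PLACEHOLDERS = {"*", "x"}  # "*" is the post's suggestion; "x" is an assumed marker

def classify(line):
    """Return (user, status) for one /etc/passwd-format line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return (fields[0] or "?", "malformed")
    user, pw = fields[0], fields[1]
    if pw == "":
        return (user, "no-password")       # empty field: no password is required
    if pw in PLACEHOLDERS:
        return (user, "stored-elsewhere")  # real password kept outside this file
    if pw.startswith(("*", "!")):
        # '*' and '!' are outside crypt's output alphabet, so nothing can match
        return (user, "locked")
    return (user, "hash-exposed")          # hash readable by every local user

def audit(text):
    """Classify every non-blank, non-comment line."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        results.append(classify(line))
    return results

def findings(text):
    """Only the entries an administrator needs to act on."""
    bad = ("no-password", "hash-exposed", "malformed")
    return [(u, s) for u, s in audit(text) if s in bad]

SAMPLE = """\
root:*:0:0:root:/:/bin/sh
guest::100:100:guest:/home/guest:/bin/sh
alice:saEXAMPLEhash:101:100:Alice:/home/alice:/bin/sh
bob:x:102:100:Bob:/home/bob:/bin/sh
broken:line
"""

if __name__ == "__main__":
    for user, status in findings(SAMPLE):
        print(f"{user}: {status}")
```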