Path: utzoo!utgpu!watmath!clyde!att!osu-cis!killer!rpp386!jfh
From: jfh@rpp386.Dallas.TX.US (The Beach Bum)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Summary: /etc/privates ... yet another idea whose time has come?
Message-ID: <10630@rpp386.Dallas.TX.US>
Date: 3 Jan 89 05:15:45 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <4537@xenna.Encore.COM> <2803@cbnews.ATT.COM> <11056@ulysses.homer.nj.att.com>
Reply-To: jfh@rpp386.Dallas.TX.US (The Beach Bum)
Organization: Big "D" Home for Wayward Hackers
Lines: 32

In article <11056@ulysses.homer.nj.att.com> smb@ulysses.homer.nj.att.com (Steven M. Bellovin) writes:
>In article <2803@cbnews.ATT.COM>, res@cbnews.ATT.COM (Robert E. Stampfli) writes:
>> Can anyone think of a good reason why either of the following should not be
>> done on systems that employ a shadow password file:
>>
>> 1. Provide a program which returns the encrypted version of the password
>>    for the uid (or euid) that invokes it.
>
>I see no reason to make this available; provide a server which checks
>for a match instead.

Agreed. The encrypted password should not be made available, and the
encryption method should be selectable from a variety of methods, or
the internal key [ constant portion ] should be readily modifiable.
Let's not make things any easier than need be.

On the similar vein - It would appear that AT&T is playing with a
new version of shadow passwords with yet another file layout. This
version includes password expiration warning information and login
administration fields in one big mess of an entry in a completely
new file - /etc/privates.

There is a command - rdpriv - which provides user access to the
privates file, but does not return the user's encrypted password,
only the password aging information.

This now leaves us with three completely incompatible formats in the
USG universe ...
-- 
John F. Haugh II                        +-Quote of the Week:-------------------
VoiceNet: (214) 250-3311   Data: -6272  |"Anything on the road which can be
InterNet: jfh@rpp386.Dallas.TX.US       | hit, will be ..."
UucpNet : !killer!rpp386!jfh            +--------------------------------------
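
The match-only interface suggested in the quoted text above, as an added example that is not part of the original post or of any AT&T code: a checker that answers yes or no for the invoking account and never hands back the stored hash. The class name, the in-memory store, the PBKDF2 hash (standing in for crypt(3)) and the failure limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # constructed work factor for the demo
MAX_FAILURES = 3      # assumed lockout threshold, not from the post


def _hash(password, salt):
    # PBKDF2 stands in for crypt(3) so the example runs anywhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class MatchServer:
    """Hypothetical stand-in for a privileged password-matching service.

    Callers learn only True/False; the salt and hash stay inside the
    object, the way a root-only shadow file stays behind the server.
    """

    def __init__(self):
        self._shadow = {}     # user -> (salt, hash); constructed sample store
        self._failures = {}   # user -> consecutive failed checks

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._shadow[user] = (salt, _hash(password, salt))
        self._failures[user] = 0

    def check(self, caller, user, candidate):
        # Only the invoking account (or root) may test its own entry.
        if caller not in (user, "root"):
            return False
        # Throttle guessing: without this the oracle is as useful to a
        # guesser as the hash itself, only slower.
        if self._failures.get(user, 0) >= MAX_FAILURES:
            return False
        # Unknown users are hashed against a dummy entry so the work done
        # does not reveal whether the account exists.
        salt, stored = self._shadow.get(user, (b"\0" * 16, b"\0" * 32))
        ok = hmac.compare_digest(_hash(candidate, salt), stored)
        ok = ok and user in self._shadow
        self._failures[user] = 0 if ok else self._failures.get(user, 0) + 1
        return ok
```

Once the failure limit is reached even the correct password is refused, so a real service would also need an administrative reset or a timed unlock.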