Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!uunet!ncrlnk!ncrcce!mercer From: mercer@ncrcce.StPaul.NCR.COM (Dan Mercer) Newsgroups: comp.unix.questions Subject: Re: passwds and crypt(3)... Message-ID: <1814@ncrcce.StPaul.NCR.COM> Date: 3 Jan 90 22:45:36 GMT References: <21913@adm.BRL.MIL> <1990Jan2.222052.915@athena.mit.edu> Reply-To: mercer@ncrcce.StPaul.NCR.COM (Dan Mercer) Organization: NCR Comten, Inc. Lines: 89 Keywords: In article <1990Jan2.222052.915@athena.mit.edu> jik@athena.mit.edu (Jonathan I. Kamens) writes: :In article <21913@adm.BRL.MIL>, mwood!attcc!hpn@att.att.com writes: :> I don't understand the meaning behind use the /etc/shadow file. All it does :> is holds the encrypted passwords, right? (like, AkhjfuDe2,md ) :> What's the use? : : I noticed that someone else gave a brief explanation of why publicly :readable encrypted passwords can be a bad thing, but it wasn't very :thorough, so I want to give a more detailed explanation. This is :comp.unix.questions, and not comp.unix.wizards, after all. : : The password entries in the /etc/passwd file actually consist of two :pieces of information. The first two characters are the "seed", which :are fed to the crypt() library function (see the man page for it for :more information) along with your plain-text password when the password :is encrypte. The seed is used by the crypt() function to perturb the :encryption algorithm in a way that will make different seeds produce :different encrypted password string. More on the purpose of that later. : : The other characters (usually 11 of them) of the string in the :/etc/passwd file are the encrypted password. : : Now, let's say that someone wants to break into your account, and :since they don't know the various security holes that could allow them :to become the super-user on any Unix machine :-), they want to do so by :finding out what your password is. They have the following tools to help them: : : 1. A dictionary of commonly used passwords. : 2. A very fast machine to work on at their leisure (not a mandatory thing, : but good to have. : 3. A program to use to break your password. : :What the program does it take each word in the password dictionary and :encrypt it using the seed in the /etc/passwd file. Then, it checks if :the encrypted string which is returned is the same as your encrypted :password string, and if it is, it has found your password! : : Now, a few notes about this method of attack. First of all, the :crypt() library routine is specifically designed to be slow, even on a :fast machine. There are MUCH faster crypt() routines available, and the :attacker may be using one of those routines instead of the default Unix :version. : : Second, the seed plays an important role in making an attack on the :/etc/passwd file more difficult. If the crypt() routine did not use :seeds, then the attacker would have a much easier time of it -- all he :would have to do is encrypt the entire dictionary once, and then store :the resulting database of passwords and associated encrypted strings in :a file somewhere. Then, he could compare each encrypted string to each :encrypted string in the /etc/passwd file and thus find out a lot of :passwords. The seed mechanism thwarts this by giving users different :seeds (there are 4096 different possible seeds, although in practice it :is not normal for even close to that many different seeds to actually :get used -- another problem), so that each possible password must be :encrypted in each user's seed in order to check if it is the correct password. : : So, this brings us to the question, "What is the advantage of an :/etc/shadow file?" If the encrypted password strings are removed from :the /etc/passwd file and placed in /etc/shadow instead, then an attacker :can't use the mechanisms described above in order to figure out :someone's password, since he doesn't have the encrypted password strings :to work with. : :Jonathan Kamens USnail: :MIT Project Athena 11 Ashford Terrace :jik@Athena.MIT.EDU Allston, MA 02134 :Office: 617-253-4261 Home: 617-782-0710 Check out Cliff Stoll's great book the _Cuckoo's Egg_ in which he describes how he unearthed a West German spy ring preying on the ARPANET. One of the first thing the intruder did was to steal /etc/passwd. He seemed to have no trouble at all cracking passwords using the methods you described. Of course, simply choosing intelligent passwords would have prevented this - no words appearing in dictionaries - no proper names - interspersing alphabeticals with numerics or control characters. Of course, a lot of the breakins came from no passwords assigned at all. Anyway, great book. Must read for anyone in this business. Hell, great book for anyone period. -- Dan Mercer Reply-To: mercer@ncrcce.StPaul.NCR.COM (Dan Mercer)