|Trying to settle an internal argument here.
|
|Can anyone give me a good argument for the use of shadow passwords versus
|non-shadowed passwords?
|
|I know that use of the shadow files is better security than non-shadowed
|files, but I'm looking for kind of a checklist of reasons why it is better.
Shadowed passwords make it harder for a less skilled cracker to
get the passwd file to run a password cracking program (which tries
dictionary words and the like on the hashed passwords) on. A skilled
cracker, or one who at least knows where to get various root exploit
programs, can probably gain root access anyway if the system administrator
is not careful (once root access is gained, one can get the shadow
password file if one wants to get the passwords for cracking).
Whether shadowed passwords are used or not, users should be taught to
choose good passwords (not in dictionaries, not based on their names,
etc.). Some passwd-replacement programs are available which do
dictionary checks against new passwords and reject them if they are
found in the dictionaries. Of course, the system administrator can
run a password cracking program and warn users whose passwords were
found to be crackable.
Some OSes use password hashing algorithms that are slower (i.e. would
require more time to do a dictionary-based crack) than the old
DES-based hash (e.g. FreeBSD can use an MD5-based hash, while OpenBSD
can use either that or a Blowfish-based hash).
|Also, we have many admins here who were taught to vi the passwd file to add
|users. I was taught to not vi the passwd file, rather to use the system
|utilities such as useradd (HP-UX) , mkuser (AIX), etc. to add users. It seems
|to me that using vi to add users (not vipw - that would be smarter, for sure,
|but it also does pwck and pwconv to shadow) is just bad business.
Given the existence of shadow password files (Solaris, AIX, BSD) and
password databases (BSD), using vipw or the programs designated for
editing password files is a much better idea than using vi, which
makes it easier to forget to do something like ensure that the shadow
password file or password database is consistent with /etc/passwd.
--
------------------------------------------------------------------------
Unsolicited bulk or commercial email is not welcome. netcom.com
No warranty of any kind is provided with this message.
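As an added illustration of the consistency check that vipw/pwck automate (example code written for this page, not part of the original post), here is a small Python checker run over constructed /etc/passwd and /etc/shadow contents. It flags a hash left sitting in the world-readable passwd file, users present in one file but not the other, empty password fields, and classifies each hash by its $id$ prefix so that legacy 13-character DES-crypt entries stand out from the slower md5crypt/bcrypt/sha-crypt families the post mentions. The usernames and hash strings are made up and carry no real password.

```python
"""pwck-style consistency check of passwd against shadow.

Added example, not code from the original post. File contents are constructed
inline (usernames and hashes are invented) so the script runs offline.
"""
import re

# Constructed sample data. 'legacy' still carries a DES-crypt hash in passwd,
# 'orphan' has no shadow row, 'ghost' exists only in shadow, and 'guest' has
# an empty password field in shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
legacy:ab4Zd2pRx9zJE:1001:1001:Old account:/home/legacy:/bin/sh
orphan:x:1002:1002:No shadow row:/home/orphan:/bin/sh
guest:x:1003:1003:Guest:/home/guest:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTU:19000:0:99999:7:::
alice:$2b$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789012:19000:0:99999:7:::
guest::19000:0:99999:7:::
ghost:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:19000:0:99999:7:::
"""

# Modular-crypt prefixes and the hash family they identify.
PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def hash_algorithm(field):
    """Classify the second field of a passwd or shadow line."""
    if field == "":
        return "empty"            # no password needed at all
    if field == "x":
        return "shadowed"         # real hash lives in the shadow file
    if field.startswith(("*", "!")):
        return "locked"           # can never match any password
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"         # traditional 13-character DES-based hash
    return "unknown"


def parse_colon_file(text):
    """Map username -> list of fields for a colon-separated account file."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def check(passwd_text, shadow_text):
    """Return (user, problem) tuples for everything pwck-style review should catch."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, fields in passwd.items():
        algo = hash_algorithm(fields[1])
        if algo == "empty":
            findings.append((user, "empty password field in passwd"))
        elif algo not in ("shadowed", "locked"):
            # Any real hash in passwd is readable by every local user.
            findings.append((user, f"{algo} hash stored in world-readable passwd"))
        if user not in shadow:
            findings.append((user, "no shadow entry"))
    for user, fields in shadow.items():
        if user not in passwd:
            findings.append((user, "shadow entry without passwd entry"))
            continue
        algo = hash_algorithm(fields[1])
        if algo == "empty":
            findings.append((user, "empty password field in shadow"))
        elif algo == "descrypt":
            findings.append((user, "descrypt hash; consider a slower hash"))
    return findings


def shadow_algorithms(shadow_text):
    """Map each shadow user to the hash family in use, for a quick inventory."""
    return {u: hash_algorithm(f[1]) for u, f in parse_colon_file(shadow_text).items()}


if __name__ == "__main__":
    for user, problem in check(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {problem}")
    print(shadow_algorithms(SAMPLE_SHADOW))
```

On a live system the same functions can be fed the real files (`open("/etc/passwd").read()` and, as root, `/etc/shadow`); the point of the check is exactly the drift between the two files that hand-editing passwd with vi invites and that vipw plus pwck/pwconv are meant to prevent.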