vendors and password security


Post by Tom Christians » Sat, 22 Feb 1992 06:56:57



I was wondering whether there are any vendors out there
who ship a shadow-passwd system by default (as opposed
to an add-on).  Also, does anyone ship Kerberos?

--tom

 
 
 


Post by Jerry M. Carl » Sat, 22 Feb 1992 07:22:05



>I was wondering whether there are any vendors out there
>who ship a shadow-passwd system by default (as opposed
>to an add-on).  Also, does anyone ship Kerberos?

"By default"; Well, you can turn shadow passwords on in AT&T V.3.2 and
later UNIXes and SUN on 4.1, but they are not turned on as shipped;
the software is available out of the box, so I guess they're between
'default' and 'add-on'.

IBM ships Kerberos with their VM/CMS TCP/IP product :-) :-) :-)
I've heard SUN will have it in Solaris 2.0 and it's in OSF's DCE, but
I don't know of any UNIXes that have it out-of-the-box yet.

--

To dream the impossible dream. To fight the unbeatable foe.

 
 
 


Post by Dave Qui » Sat, 22 Feb 1992 13:27:06


tom, i do believe that ibm ships their aix with a rough C2
security package installed.  this includes the shadowed
password suite.  however, they (ibm) neglected to take care
of some other points in their shipped software.  i believe
some of the PC based *nix ship with shadowing as well,
i am thinking specifically of SCO's SysV386.

-david

/* this post was constructed virtually all within my self-being */

 
 
 


Post by Al Cla » Sat, 22 Feb 1992 15:00:45



>I was wondering whether there are any vendors out there
>who ship a shadow-passwd system by default (as opposed
>to an add-on).  Also, does anyone ship Kerberos?

>--tom

IBM AIX 2.2 and up ships with shadowed password file.
--

      *** Commit acts of random kindness and senseless beauty! ***
 
 
 


Post by Michael Ew » Sun, 23 Feb 1992 03:08:24


|> I was wondering whether there are any vendors out there
|> who ship a shadow-passwd system by default (as opposed
|> to an add-on).  Also, does anyone ship Kerberos?

DEC Ultrix ships with Kerberos and Hesiod.  Shadow passwords is a
feature the administrator may enable.

Mike

--

 Unix Systems Support                 UUCP:  ...!uunet!tekgen.bv.tek.com!mikeew
 Tektronix, Inc.                Compuserve:  73747,2304
"Fig Newton: The force required to accelerate a fig 39.37 inches/sec^2"-J. Hart

 
 
 


Post by Per Anderss » Sun, 23 Feb 1992 06:38:53



>I was wondering whether there are any vendors out there
>who ship a shadow-passwd system by default (as opposed
>to an add-on).  Also, does anyone ship Kerberos?

Yes, DEC ships Kerberos client (and server) with Ultrix, I think 4.0 and newer.
But rumour says you can't compile your own kerberized programs at all, because
of export restrictions, and DEC didn't want to have two versions of Ultrix.
This may have changed since I last checked of course.....

/Per
--

Now working at NobelTech AB, still reading news at the
Royal Institute of Technology.

 
 
 


Post by peter da sil » Sun, 23 Feb 1992 03:50:43


Intel V.3.2 has shadow passwords turned on "out of the box".
--
-- Peter da Silva,  Ferranti International Controls Corporation
-- Sugar Land, TX  77487-5012;  +1 713 274 5180
-- "Have you hugged your wolf today?"
 
 
 


Post by Tony Vecc » Sun, 23 Feb 1992 13:16:06



>I was wondering whether there are any vendors out there
>who ship a shadow-passwd system by default (as opposed
>to an add-on).  Also, does anyone ship Kerberos?

>--tom

 Actually SCO ODT has that out of the box when you choose to install
the C2 security option. I just finished upgrading to 1.1.1f from 1.0
and the system is pretty stable even with the extra security installed,
touchy..but stable  :-)

Tony

 
 
 


Post by Gene Rack » Sun, 23 Feb 1992 23:19:51



>Intel V.3.2 has shadow passwords turned on "out of the box".
>--

That may be true, but they also have a publicly writable /usr and /etc with too
many other holes to even count.  COPS had a field day on the box when we got it.

-_gene


   Math & Computer Science        voice: 708-252-7126
   Argonne National Lab           FAX:   708-252-5986
   9700 S. Cass Ave. / Argonne, IL  60439

 
 
 


Post by Jeff Leys » Mon, 24 Feb 1992 02:51:24



!!I was wondering whether there are any vendors out there
!!who ship a shadow-passwd system by default (as opposed
!!to an add-on).

Motorola's Unix for their RISC line of minis (Sys V/88) has shadows active
by default.
--


 
 
 


Post by Charles Hann » Tue, 25 Feb 1992 06:55:35




> I was wondering whether there are any vendors out there who ship a
> shadow-passwd system by default (as opposed to an add-on).  Also,
> does anyone ship Kerberos?

AIX 3 (RS/6000) uses shadow passwords by default.  Indeed, trying to
circumvent the mechanism causes problems.

BTW, I once had a discussion with Hal Abelson that went something like
this:

  Q: What about shadow passwords?
  A: No, then they'll just use one of the other dozen ways to break in.

Furthermore, they'll crack root, steal your shadow password file, and
you've gained nothing.

 
 
 


Post by Win Tree » Tue, 25 Feb 1992 07:36:50



> Yes, DEC ships Kerberos client (and server) with Ultrix, I think 4.0 and newer.
> But rumour says you can't compile your own kerberized programs at all, because
> of export restrictions, and DEC didn't want to have two versions of Ultrix.
> This may have changed since I last checked of course.....

Since Digital started shipping Kerberos with ULTRIX, it has been
possible to write your own applications.  What you can't do is use the
session key to encrypt user data.  That restriction, of course, comes
from export restrictions.

Win Treese                                              Cambridge Research Lab

 
 
 


Post by Jerry M. Carl » Wed, 26 Feb 1992 01:53:22



>BTW, I once had a discussion with Hal Abelson that went something like
>this:
>  Q: What about shadow passwords?
>  A: No, then they'll just use one of the other dozen ways to break in.
>Furthermore, they'll crack root, steal your shadow password file, and
>you've gained nothing.

FLAME ON

The problem is tough so why bother tackling it. Let's just give up. In
fact, we should not tackle any tough problems like pollution, war, disease
etc. After all, if we cure one disease, we'll just get another so let's
give up on vaccination, surgery and other forms of medicine. It's all
futile in the long run.

Using the medical analogy shows how utterly stupid the argument is.

FLAME OFF

--

To dream the impossible dream. To fight the unbeatable foe.

 
 
 


Post by Greg Linda » Wed, 26 Feb 1992 04:28:20




>>  Q: What about shadow passwords?
>>  A: No, then they'll just use one of the other dozen ways to break in.
>>Furthermore, they'll crack root, steal your shadow password file, and
>>you've gained nothing.

>FLAME ON

Why are you flaming him for pointing out something obvious? Security
through obscurity is *not* a fix; if you want to maybe possibly
protect your passwords, you must not only use shadow passwords but
also educate your users about picking good passwords, and test the
passwords that they pick. You must also worry about non-password
security holes. Flaming people here won't increase your security.

--
Signature virii are lame.

 
 
 


Post by Al Cla » Wed, 26 Feb 1992 06:47:29





>>>  Q: What about shadow passwords?
>>>  A: No, then they'll just use one of the other dozen ways to break in.
>>>Furthermore, they'll crack root, steal your shadow password file, and
>>>you've gained nothing.

>>FLAME ON

>Why are you flaming him for pointing out something obvious? Security
>through obscurity is *not* a fix; if you want to maybe possibly
>protect your passwords, you must not only use shadow passwords but
>also educate your users about picking good passwords, and test the
>passwords that they pick. You must also worry about non-password
>security holes. Flaming people here won't increase your security.

I suspect he knows that; he was just venting (I think that is what
FLAME ON means).  Your point is well taken, at the risk of creating
a timeless saying, "A chain is as weak as its weakest link".  And
lack of a shadowed password file is a major weak link.  He is,
(or maybe it's my own feelings leaking through), railing at people
who try to justify not fixing a link by saying, in effect,
"Why fix this link, somebody will just find another weak one".  
Actually, I just realized, maybe you are both saying the same thing,
but you object to his emotional outburst.  Oh well, ...

--

      *** Commit acts of random kindness and senseless beauty! ***
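
Added example, not part of any post in this thread: a POSIX shell audit that checks several of the links raised above in one pass (hashes left in the world-readable passwd file, empty password fields, world-writable /etc and /usr, and a world-readable shadow file). The function names, the sample accounts and the temporary tree are constructed for illustration.

```shell
#!/bin/sh
# Logins whose hash is still in the world-readable passwd file: field 2
# holds "x", "*" or "!" when shadowed or locked, while a 13-character
# crypt(3) string or a "$id$..." string is a real hash.
unshadowed_accounts() {
    awk -F: '$2 ~ /^\$/ || length($2) >= 13 { print $1 }' "$1"
}

# Logins with an empty password field.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Print each named path that is writable by "other".
world_writable() {
    for p in "$@"; do
        find "$p" -prune -perm -0002 -print 2>/dev/null
    done
}

# Print the path if "other" can read it (a shadow file should print nothing).
world_readable() {
    find "$1" -prune -perm -0004 -print 2>/dev/null
}

# Run every check under ROOT (default /) and label the findings.
audit() {
    root=${1:-/}; root=${root%/}
    unshadowed_accounts "$root/etc/passwd" | sed 's/^/hash in passwd: /'
    empty_password_accounts "$root/etc/passwd" | sed 's/^/empty password: /'
    world_writable "$root/etc" "$root/usr" | sed 's/^/world-writable: /'
    world_readable "$root/etc/shadow" | sed 's/^/world-readable shadow: /'
}

# Constructed tree: one unshadowed hash, one empty password, a
# world-writable etc, and a correctly protected shadow file.
make_sample() {
    mkdir -p "$1/etc" "$1/usr"
    printf '%s\n' 'root:x:0:0:root:/:/bin/sh' \
        'alice:XXconstructed:101:10::/home/alice:/bin/sh' \
        'guest::102:10::/home/guest:/bin/sh' \
        'daemon:*:1:1::/:' > "$1/etc/passwd"
    : > "$1/etc/shadow"
    chmod 600 "$1/etc/shadow"; chmod 755 "$1/usr"; chmod 777 "$1/etc"
}

sample=$(mktemp -d) && make_sample "$sample" && audit "$sample"
rm -rf "$sample"
```

On the constructed tree the audit reports the hash left in passwd for alice, the empty password for guest and the world-writable etc directory, and nothing for the shadow file.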