Passwd.pag file

Passwd.pag file

Post by Edward Whi » Sat, 12 Apr 1997 04:00:00



The passwd.pag & passwd.dir files are downloadable from my server, but
not the passwd file itself. Is there any danger of users mounting a
password cracking attack using these two files?

_-=ED=-_

 
 
 

Passwd.pag file

Post by Barry Margoli » Sat, 12 Apr 1997 04:00:00




>The passwd.pag & passwd.dir files are downloadable from my server, but
>not the passwd file itself. Is there any danger of users mounting a
>password cracking attack using these two files?

Definitely.  passwd.pag and passwd.dir contain all the information in the
passwd file, just in a format that's easier to search (a DBM database
rather than a flat text file).  "makedbm -u passwd" will regenerate the
original passwd file from the .pag and .dir files.
--
Barry Margolin
BBN Corporation, Cambridge, MA

(BBN customers, call (800) 632-7638 option 1 for support)

 
 
 

Passwd.pag file

Post by Don Hisco » Sat, 12 Apr 1997 04:00:00


Yes. A simple perl script can get all the entries.


Quote:

>The passwd.pag & passwd.dir files are downloadable from my server, but
>not the passwd file itself. Is there any danger of users mounting a
>password cracking attack using these two files?

>_-=ED=-_

 
 
 

Passwd.pag file

Post by Sam Treg » Mon, 14 Apr 1997 04:00:00


: The passwd.pag & passwd.dir files are downloadable from my server, but
: not the passwd file itself. Is there any danger of users mounting a
: password cracking attack using these two files?

Perhaps you could describe how the passwd file is protected from user
access?  In most cases a password cracking attempt that is carried out
ofline will need to have the passwd file.  It's pretty hard to stop users
from having any access to the passwd files as user level programs must
access its contents.

Oh.  I'm assuming you are running Unix?
-sam

 
 
 

Passwd.pag file

Post by Andy Kruge » Tue, 15 Apr 1997 04:00:00


: The passwd.pag & passwd.dir files are downloadable from my server, but
: not the passwd file itself. Is there any danger of users mounting a
: password cracking attack using these two files?

: _-=ED=-_

One word: yes

The .pag and .dir files are simple DB format files. It takes a simple (about
6 lines? guys?) perl script to generate your passwd file from these.

--
Andy Kruger

----------------------------------------------------------------------------
Disclaimer: I am a sovereign entity on the world-wide computer network known
  as the Internet.  The views expressed above are my own and in no way
 reflect the views of my employers, my clients or anyone associated with
                                  them.
----------------------------------------------------------------------------

PGP public key.

 
 
 

Passwd.pag file

Post by Ian Stirlin » Wed, 16 Apr 1997 04:00:00




: >The passwd.pag & passwd.dir files are downloadable from my server, but
: >not the passwd file itself. Is there any danger of users mounting a
: >password cracking attack using these two files?
:
: Definitely.  passwd.pag and passwd.dir contain all the information in the
: passwd file, just in a format that's easier to search (a DBM database
: rather than a flat text file).  "makedbm -u passwd" will regenerate the
: original passwd file from the .pag and .dir files.

Are you sure of this, I'm generalising from history, but surely the
.dir file only contains info on the side of the database, and .pag
only contains a hashed list of usernames?
The most you could get from this is a list of usernames, their offsets in
the passwd file.
I think this will let you tell which are likely to be "real" users, and
which are not, and which may have long names, but not much else.

: --
: Barry Margolin
: BBN Corporation, Cambridge, MA

: (BBN customers, call (800) 632-7638 option 1 for support)

--
Ian Stirling.                     Currently designing a new PDA, see homepage.
Homepage:                         http://www.mauve.demon.co.uk/
Two fish in a tank: one says to the other, you know how to drive this thing??