Re: UNIX password file

Old Man (oldman@cosmo.mitec.net)
Sat, 24 Aug 1996 23:54:23 -0500 (CDT)

On Sat, 24 Aug 1996, System Administration wrote:
> On Fri, 23 Aug 1996, Gary E. Miller wrote:
> > Say what? It is almost trivial to read the encrypted passwords from the
> > shadow password file. I have found several programs to do so after we
> > have caught hackers.
> > Plus, linux CAN use shadow passwords if you want. Now that I have seen
> > how much it slows down a hacker (20 milli-seconds) I do not bother
> > anymore.
> > Sorry for the digression, I know this does not belong here...
> Actually, the digression is most welcome... What we did was change the
> permissions on the master.passwd, passwd, and pwd.db (we're using bsdi
> 2.1) to 600 or 640. By making it invisible to the outside I *think* nad
> fervently hope that the password files are safe. Changing the permissions
> may be the countermeasure against hacker/decrypt programs.

Excuse me, but I was under the impression that the passwd file *has* to be
readable to the world in order for certain programs to access information
(e.g., finger, login, sendmail, etc.). Just wondering how you circumvent
the laws of Unix.

Also, I suppose password shadowing can be defeated by calls to getpwent().
Read the alt.2600/#hack FAQ for more information. Also use archie or some
other ftp searcher for "unshad.c". Compile and run, it is supposed to
display the shadowed file. It doesn't work on certain systems, don't ask
me why, I am just happy it doesn't crack ours. There are probably a
multitude of other ways, of course, which is a good reason to keep an eye
on alt.security.unix.

/*******************************************************
** Lee Kuo Mitec Internet Services **
** Systems Adminstrator 14040 Arbor St. Suite 1 **
** email: lee@mitec.net Omaha, NE 68144 **
** http://www.mitec.net/ (402)330-9295 **
********************************************************/